
Prowler App

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers”
  3. Click “Add Cloud Provider”
  4. Select “Kubernetes”
  5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias

Step 2: Configure Kubernetes Authentication

For Kubernetes, Prowler App uses a kubeconfig file to authenticate. Paste the contents of your kubeconfig file into the Kubeconfig content field. By default, the kubeconfig file is located at ~/.kube/config.

Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters

If you are adding an EKS, GKE, AKS or external cluster, follow these additional steps to ensure proper authentication:
  Note: Make sure your cluster allows traffic from the Prowler Cloud IP address 52.48.254.174/32.
  1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the kubernetes directory of the Prowler repository):
    kubectl apply -f kubernetes/prowler-sa.yaml
    kubectl apply -f kubernetes/prowler-role.yaml
    kubectl apply -f kubernetes/prowler-rolebinding.yaml
    
  2. Generate a long-lived token for authentication:
    kubectl create token prowler-sa -n prowler-ns --duration=0
    
    • Security Note: The --duration=0 option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set --duration=<TIME> (e.g., --duration=24h).
    • Important: If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and remove and re-add the provider in Prowler Cloud with the updated kubeconfig.
  3. Update your kubeconfig to use the ServiceAccount token:
    kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
    kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
    
    Replace <SA_TOKEN> with the generated token and <CONTEXT_NAME> with the kubeconfig context name of your EKS, GKE or AKS cluster.
  4. Add the modified kubeconfig in Prowler Cloud and test the connection.
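The two checks a practitioner wants around steps 2 and 3 above, as an added example that is not Prowler's own code: it reads the exp claim of the token returned by kubectl create token, so you know before pasting it into Prowler Cloud whether it is non-expiring or when it will stop working (the Security Note and Important points in step 2), and it splices the token into a parsed kubeconfig the same way the two kubectl config commands in step 3 do. The token and the kubeconfig are constructed inline for offline use; loading a real kubeconfig with PyYAML and writing it back is assumed, and the token signature is not verified (only the API server can do that).

```python
import base64
import json
import time
from typing import Optional

SA_SUBJECT_PREFIX = "system:serviceaccount:"   # subject form of every ServiceAccount token


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read a JWT's claims without verifying the signature (only the API
    server can verify it; here we only inspect what we are about to paste)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def describe_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise whom a ServiceAccount token identifies and when it expires."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    namespace = sa_name = None
    if sub.startswith(SA_SUBJECT_PREFIX):
        namespace, _, sa_name = sub[len(SA_SUBJECT_PREFIX):].partition(":")
    exp = claims.get("exp")               # absent -> the token carries no expiry at all
    return {
        "subject": sub,
        "namespace": namespace,
        "serviceaccount": sa_name,
        "expires_at": exp,
        "seconds_remaining": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


def use_serviceaccount_token(kubeconfig: dict, context_name: str, token: str,
                             user_name: str = "prowler-sa") -> dict:
    """Mirror `kubectl config set-credentials <user> --token=...` and
    `kubectl config set-context <ctx> --user=<user>` on a parsed kubeconfig."""
    users = kubeconfig.setdefault("users", [])
    for user in users:
        if user["name"] == user_name:
            user["user"] = {"token": token}
            break
    else:
        users.append({"name": user_name, "user": {"token": token}})
    for ctx in kubeconfig.get("contexts", []):
        if ctx["name"] == context_name:
            ctx["context"]["user"] = user_name
            return kubeconfig
    raise KeyError(f"context {context_name!r} not found in kubeconfig")


# --- constructed sample data for offline demonstration ---------------------------
ISSUED_AT = 1_700_000_000


def make_sample_token(lifetime_seconds: Optional[int]) -> str:
    """Build a JWT shaped like a prowler-sa token; the signature is dummy bytes
    (a real `kubectl create token` output is signed by the API server)."""
    claims = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:prowler-ns:prowler-sa",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iat": ISSUED_AT,
    }
    if lifetime_seconds is not None:
        claims["exp"] = ISSUED_AT + lifetime_seconds

    def dump(obj) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    return ".".join([b64url_encode(dump({"alg": "RS256", "kid": "constructed"})),
                     b64url_encode(dump(claims)), b64url_encode(b"\x00" * 32)])


def sample_kubeconfig() -> dict:
    """A minimal kubeconfig as PyYAML would load it (cluster details are constructed)."""
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": "my-eks",
        "clusters": [{"name": "my-eks", "cluster": {"server": "https://eks.example.invalid"}}],
        "contexts": [{"name": "my-eks", "context": {"cluster": "my-eks", "user": "admin"}}],
        "users": [{"name": "admin", "user": {"exec": {"command": "aws"}}}],
    }


if __name__ == "__main__":
    for label, lifetime in (("24h token", 24 * 3600), ("no exp claim", None)):
        print(label, json.dumps(describe_token(make_sample_token(lifetime), now=ISSUED_AT)))
    cfg = use_serviceaccount_token(sample_kubeconfig(), "my-eks", make_sample_token(24 * 3600))
    print(json.dumps(cfg, indent=2))   # JSON is valid YAML; use yaml.safe_dump for a kubeconfig file
```

To use it on a real token, pass the string printed by kubectl create token to describe_token instead of make_sample_token; a seconds_remaining of None means the token has no exp claim and will not stop working on its own, so rotation is entirely your responsibility, while a positive value tells you when the provider in Prowler Cloud will have to be removed and re-added with a fresh token.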

Prowler CLI

Non In-Cluster Execution

For execution outside the cluster environment, specify the location of the kubeconfig file using the following argument:
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
If no --kubeconfig-file is provided, Prowler will use the default kubeconfig file location (~/.kube/config).
Prowler will scan the active Kubernetes context by default. Use the --context flag to specify the context to be scanned.
By default, Prowler will scan all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.

In-Cluster Execution

For in-cluster execution, use the supplied YAML files inside /kubernetes. They run Prowler as a Job within a new Prowler namespace:
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
By default, prowler will scan all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.
Identifying the cluster in reports

When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default. To uniquely identify the cluster in logs and reports:
  • Use the --cluster-name flag to manually set the cluster name:
prowler -p kubernetes --cluster-name production-cluster
  • Or set the CLUSTER_NAME environment variable:
env:
    - name: CLUSTER_NAME
      value: production-cluster