Skip to main content

Prowler Cloud

Step 1: Access Prowler Cloud/App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Providers” Providers Page
  3. Click “Add Provider” Add a Provider
  4. Select “Kubernetes”
  5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias

Step 2: Configure Kubernetes Authentication

For Kubernetes, Prowler App uses a kubeconfig file to authenticate. Paste the contents of your kubeconfig file into the Kubeconfig content field.
Kubeconfigs that use users[].user.exec authentication are not supported in Prowler Cloud/App. For security reasons, Prowler Cloud does not run commands declared by uploaded kubeconfigs. Use kubeconfig credentials that do not rely on exec authentication, such as the ServiceAccount token flow documented below.
By default, the kubeconfig file is located at ~/.kube/config. Kubernetes Credentials

Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters

If you are adding an EKS, GKE, AKS or external cluster, follow these additional steps to ensure proper authentication: Make sure your cluster allows traffic from the Prowler Cloud IP address 52.48.254.174/32
  1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the kubernetes directory of the Prowler repository):
    kubectl apply -f kubernetes/prowler-sa.yaml
    kubectl apply -f kubernetes/prowler-role.yaml
    kubectl apply -f kubernetes/prowler-rolebinding.yaml
    
  2. Generate a long-lived token for authentication:
    kubectl create token prowler-sa -n prowler-ns --duration=0
    
    • Security Note: The --duration=0 option generates a non-expiring token, which may pose a security risk if not managed properly. Choose an appropriate expiration time based on security policies. For a limited-time token, set --duration=<TIME> (e.g., --duration=24h).
    Important: If the token expires, Prowler Cloud can no longer authenticate with the cluster. Generate a new token and remove and re-add the provider in Prowler Cloud with the updated kubeconfig.
    Token Expiration LimitsWhen the Kubernetes cluster has --service-account-max-token-expiration configured, any token requested with a duration exceeding the maximum allowed value (including --duration=0) is automatically reduced to the cluster’s maximum token expiration time. As an alternative solution, create a legacy Secret manually. Although Kubernetes no longer creates these secrets automatically, manual creation and linking to a ServiceAccount is still supported. These tokens do not expire until the secret or ServiceAccount is deleted.Steps:
    1. Create a secret-sa.yaml file (or any preferred name) with the following content:
      apiVersion: v1
      kind: Secret
      metadata:
        name: prowler-token-long-lived
        namespace: prowler-ns
        annotations:
          kubernetes.io/service-account.name: "prowler-sa"
      type: kubernetes.io/service-account-token
      
    2. Apply the secret:
      kubectl apply -f secret-sa.yaml
      
    3. Retrieve the token (which will be permanent):
      kubectl get secret prowler-token-long-lived -n prowler-ns -o jsonpath='{.data.token}' | base64 --decode
      
  3. Update your kubeconfig to use the ServiceAccount token:
    kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
    kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
    
    Replace <SA_TOKEN> with the generated token and <CONTEXT_NAME> with your KubeConfig Context Name of your EKS, GKE or AKS cluster.
  4. Add the modified kubeconfig in Prowler Cloud and test the connection.

Prowler CLI

Non In-Cluster Execution

For execution outside the cluster environment, specify the location of the kubeconfig file using the following argument:
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
If no --kubeconfig-file is provided, Prowler will use the default KubeConfig file location (~/.kube/config).
prowler will scan the active Kubernetes context by default. Use the --context flag to specify the context to be scanned.
By default, prowler will scan all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.

In-Cluster Execution

For in-cluster execution, use the supplied yaml files inside /kubernetes: They can be used to run Prowler as a job within a new Prowler namespace:
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
By default, prowler will scan all namespaces in your active Kubernetes context. Use the --namespace flag to specify the namespace(s) to be scanned.
Identifying the cluster in reportsWhen running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default.To uniquely identify the cluster in logs and reports:
  • Use the --cluster-name flag to manually set the cluster name:
prowler -p kubernetes --cluster-name production-cluster
  • Or set the CLUSTER_NAME environment variable:
env:
    - name: CLUSTER_NAME
      value: production-cluster
To set up a production-ready CronJob that runs Prowler on a schedule and sends findings to Prowler Cloud, see the Run Kubernetes In-Cluster and Send Findings to Prowler Cloud cookbook.