> ## Documentation Index > Fetch the complete documentation index at: https://docs.prowler.com/llms.txt > Use this file to discover all available pages before exploring further. ## Submitting Feedback If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback: POST https://docs.prowler.com/feedback ```json { "path": "/user-guide/providers/kubernetes/getting-started-k8s", "feedback": "Description of the issue" } ``` Only submit feedback when you have something specific and actionable to report. # Getting Started with Kubernetes ## Prowler Cloud ### Step 1: Access Prowler Cloud/App 1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app) 2. Go to "Configuration" > "Providers" Providers Page

3. Click "Add Provider" Add a Provider

4. Select "Kubernetes" 5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias ### Step 2: Configure Kubernetes Authentication For Kubernetes, Prowler App uses a `kubeconfig` file to authenticate. Paste the contents of your `kubeconfig` file into the `Kubeconfig content` field. By default, the `kubeconfig` file is located at `~/.kube/config`. Kubernetes Credentials

### Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these additional steps to ensure proper authentication: **Make sure your cluster allows traffic from the Prowler Cloud IP address `52.48.254.174/32`** 1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)): ```console theme={null} kubectl apply -f kubernetes/prowler-sa.yaml kubectl apply -f kubernetes/prowler-role.yaml kubectl apply -f kubernetes/prowler-rolebinding.yaml ``` 2. Generate a long-lived token for authentication: ```console theme={null} kubectl create token prowler-sa -n prowler-ns --duration=0 ``` * **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Choose an appropriate expiration time based on security policies. For a limited-time token, set `--duration=` (e.g., `--duration=24h`). **Important:** If the token expires, Prowler Cloud can no longer authenticate with the cluster. Generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`. **Token Expiration Limits** When the Kubernetes cluster has `--service-account-max-token-expiration` configured, any token requested with a duration exceeding the maximum allowed value (including `--duration=0`) is automatically reduced to the cluster's maximum token expiration time. As an alternative solution, create a legacy Secret manually. Although Kubernetes no longer creates these secrets automatically, manual creation and linking to a ServiceAccount is still supported. These tokens do not expire until the secret or ServiceAccount is deleted. **Steps:** 1. Create a `secret-sa.yaml` file (or any preferred name) with the following content: ```yaml theme={null} apiVersion: v1 kind: Secret metadata: name: prowler-token-long-lived namespace: prowler-ns annotations: kubernetes.io/service-account.name: "prowler-sa" type: kubernetes.io/service-account-token ``` 2. Apply the secret: ```console theme={null} kubectl apply -f secret-sa.yaml ``` 3. Retrieve the token (which will be permanent): ```console theme={null} kubectl get secret prowler-token-long-lived -n prowler-ns -o jsonpath='{.data.token}' | base64 --decode ``` 3. Update your `kubeconfig` to use the ServiceAccount token: ```console theme={null} kubectl config set-credentials prowler-sa --token= kubectl config set-context --user=prowler-sa ``` Replace `` with the generated token and `` with your KubeConfig Context Name of your EKS, GKE or AKS cluster. 4. Add the modified `kubeconfig` in Prowler Cloud and test the connection. ## Prowler CLI ### Non In-Cluster Execution For execution outside the cluster environment, specify the location of the [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file using the following argument: ```console theme={null} prowler kubernetes --kubeconfig-file /path/to/kubeconfig ``` If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`). `prowler` will scan the active Kubernetes context by default. Use the [`--context`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/context/) flag to specify the context to be scanned. By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned. ### In-Cluster Execution For in-cluster execution, use the supplied yaml files inside `/kubernetes`: * [prowler-sa.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-sa.yaml) * [job.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/job.yaml) * [prowler-role.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-role.yaml) * [prowler-rolebinding.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-rolebinding.yaml) They can be used to run Prowler as a job within a new Prowler namespace: ```console theme={null} kubectl apply -f kubernetes/prowler-sa.yaml kubectl apply -f kubernetes/job.yaml kubectl apply -f kubernetes/prowler-role.yaml kubectl apply -f kubernetes/prowler-rolebinding.yaml kubectl get pods --namespace prowler-ns --> prowler-XXXXX kubectl logs prowler-XXXXX --namespace prowler-ns ``` By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned. **Identifying the cluster in reports** When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default. To uniquely identify the cluster in logs and reports: * Use the `--cluster-name` flag to manually set the cluster name: ```bash theme={null} prowler -p kubernetes --cluster-name production-cluster ``` * Or set the `CLUSTER_NAME` environment variable: ```yaml theme={null} env: - name: CLUSTER_NAME value: production-cluster ``` To set up a production-ready CronJob that runs Prowler on a schedule and sends findings to Prowler Cloud, see the [Run Kubernetes In-Cluster and Send Findings to Prowler Cloud](/user-guide/cookbooks/kubernetes-in-cluster) cookbook.