Installing Snyk Controller into a k3d kubernetes cluster to enable runtime container scanning with the Snyk Platform

Snyk integrates with Kubernetes, enabling you to import and test your running workloads and identify vulnerabilities in their associated images and configurations that might make those workloads less secure. Once imported, Snyk continues to monitor those workloads, identifying additional security issues as new images are deployed and the workload configuration changes

In the example below we show you how easy it is to integrate the Snyk Platform with any K8s distribution in this case k3d running on my laptop.

Steps 

1. Install k3d using the instructions from the link below.

https://k3d.io/

2. Create a cluster as shown below.

pasapicella@192-168-1-113:~/snyk/demos/kubernetes/k3d$ k3d cluster create snyk-k3d --servers 1 --agents 2

INFO[0000] Prep: Network

INFO[0003] Created network 'k3d-snyk-k3d'

INFO[0003] Created volume 'k3d-snyk-k3d-images'

INFO[0004] Creating node 'k3d-snyk-k3d-server-0'

INFO[0005] Creating node 'k3d-snyk-k3d-agent-0'

INFO[0005] Creating node 'k3d-snyk-k3d-agent-1'

INFO[0005] Creating LoadBalancer 'k3d-snyk-k3d-serverlb'

INFO[0005] Starting cluster 'snyk-k3d'

INFO[0005] Starting servers...

INFO[0005] Starting Node 'k3d-snyk-k3d-server-0'

INFO[0012] Starting agents...

INFO[0012] Starting Node 'k3d-snyk-k3d-agent-0'

INFO[0023] Starting Node 'k3d-snyk-k3d-agent-1'

INFO[0031] Starting helpers...

INFO[0031] Starting Node 'k3d-snyk-k3d-serverlb'

INFO[0033] (Optional) Trying to get IP of the docker host and inject it into the cluster as 'host.k3d.internal' for easy access

INFO[0036] Successfully added host record to /etc/hosts in 4/4 nodes and to the CoreDNS ConfigMap

INFO[0036] Cluster 'snyk-k3d' created successfully!

INFO[0036] --kubeconfig-update-default=false --> sets --kubeconfig-switch-context=false

INFO[0036] You can now use it like this:

kubectl config use-context k3d-snyk-k3d

kubectl cluster-info

3. View the Kubernetes nodes.

$ kubectl get nodes

NAME                    STATUS   ROLES                  AGE   VERSION

k3d-snyk-k3d-server-0   Ready    control-plane,master   21h   v1.20.5+k3s1

k3d-snyk-k3d-agent-0    Ready    <none>                 21h   v1.20.5+k3s1

k3d-snyk-k3d-agent-1    Ready    <none>                 21h   v1.20.5+k3s1

4.  Run the following command in order to add the Snyk Charts repository to Helm.

$ helm repo add snyk-charts https://snyk.github.io/kubernetes-monitor/
"snyk-charts" already exists with the same configuration, skipping

5. Once the repository is added, create a unique namespace for the Snyk controller:

$ kubectl create namespace snyk-monitor

6. Now, log in to your Snyk account and navigate to Integrations. Search for and click Kubernetes. Click Connect from the page that loads, copy the Integration ID. The Snyk Integration ID is a UUID, similar to this format: abcd1234-abcd-1234-abcd-1234abcd1234. Save it for use from your Kubernetes environment in the next step

Instructions link : https://support.snyk.io/hc/en-us/articles/360006368657-Viewing-your-Kubernetes-integration-settings

7. Snyk monitor runs by using your Snyk Integration ID, and using a dockercfg file. If you are not using any private registries which we are not in this demo, create a Kubernetes secret called snyk-monitor containing the Snyk Integration ID from the previous step and run the following command:

$ kubectl create secret generic snyk-monitor -n snyk-monitor \
         --from-literal=dockercfg.json={} \
         --from-literal=integrationId=INTEGRATION_TOKEN_FROM_STEP_6

secret/snyk-monitor created

8. Install the Snyk Helm chart as follows:

$ helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
                          --namespace snyk-monitor \
                          --set clusterName="k3d Dev cluster"
Release "snyk-monitor" does not exist. Installing it now.
NAME: snyk-monitor
LAST DEPLOYED: Wed Jun  2 17:47:13 2021
NAMESPACE: snyk-monitor
STATUS: deployed
REVISION: 1
TEST SUITE: None

9. Verify the Snyk Controller is running using either 

$ kubectl get pods -n snyk-monitor
NAME                           READY   STATUS    RESTARTS   AGE
snyk-monitor-64c94685b-fwpvx   1/1     Running   3          21h

10. At this point we can create some workloads as follows let's just add a single POD to the cluster for a basic Spring Boot application.

$ kubectl run springboot-app --image=pasapples/spring-boot-jib --port=8080
pod/springboot-app created

11. Head back to the Snyk Dashboard and click on your Kubernetes Integration Tile and you should see a list of applicable workloads to monitor in our case  we just have the single app called "springboot-app".

12. Add the selected workload and your done!!!

More Information

Kubernetes integration overview
https://support.snyk.io/hc/en-us/articles/360003916138-Kubernetes-integration-overview

Install the Snyk controller with Helm

https://support.snyk.io/hc/en-us/articles/360003916158#UUID-753328ea-3d73-0eeb-4301-c22522273797