The Klustair client searches your Kubernetes namespaces for the used images and scans them with Trivy.
- Klustair Frontend to view the scanner results
- Klustair Helm charts to run Klustair Cronjob, API and Frontend
- trivy A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts
- kubeaudit kubeaudit helps you audit your Kubernetes clusters against common security controls
Download the binaries from the releases page.
Unpack the archive and move the klustair-cli
binary to your bin $PATH
(on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
brew tap klustair/klustair-cli
brew install klustair-cli
klustair-cli [global options]
optional arguments:
--verbose, -V increase output verbosity (default: false) [$KLUSTAIR_VERBOSE]
--debug, -d debug mode (default: false) [$KLUSTAIR_DEBUG]
--namespaces value, -n value Coma separated whitelist of Namespaces to check [$KLUSTAIR_NAMESPACES]
--namespacesblacklist value, -N value Coma separated whitelist of Namespaces to check [$KLUSTAIR_NAMESPACESBLACKLIST]
--kubeaudit value, -k value Coma separated list of audits to run. [$KLUSTAIR_KUBEAUDIT]
--trivy, -t Run Trivy vulnerability checks (default: false) [$KLUSTAIR_TRIVY]
--label value, -l value A optional title for your run [$KLUSTAIR_LABEL]
--repocredentialspath value, -c value Path to repo credentials for trivy [$KLUSTAIR_REPOCREDENTIALSPATH]
--limitdate value, --ld value Remove reports older than X days (default: 0) [$KLUSTAIR_LIMITDATE]
--limitnr value, --ln value Keep only X reports (default: 0) [$KLUSTAIR_LIMITNR]
--configkey value, -C value Load remote configuration from frontend [$KLUSTAIR_CONFIGKEY]
--apihost value, -H value Remote API-host address (example: https://localhost:8443) [$KLUSTAIR_APIHOST]
--apitoken value, -T value API Access Token from Klustair Frontend [$KLUSTAIR_APITOKEN]
--help, -h show help (default: false)
--version, -v print the version (default: false)
export TRIVY_USERNAME=....
export TRIVY_PASSWORD=....
export TRIVY_REGISTRY_TOKEN=....
export TRIVY_INSECURE=false
export TRIVY_NON_SSL=false
export TRIVY_DEBUG=false
export TRIVY_QUIET=true
go get -v github.com/klustair/klustair-cli
git clone [email protected]:klustair/klustair-cli.git
cd klustair-cli
go run cmd/klustair/main.go
go build -o bin/klustair-cli cmd/klustair/main.go
Why is the klustair client so big (~80MB)?
- it contains the trivy binary(~32MB) and the kubeaudit binary (~30MB).