Note: KubeXray is no longer maintained or supported by JFrog. Feel free to review this code for your own POC concepts, but we are not continuing to update it or add features. For people looking for tools to help with enforcement in Kubernetes, we do continue to have KubeNab, which allows enforcement of which repositories a Kubernetes cluster pulls from (which can then leverage enforcement of Xray policies in Artifactory).
An open source software project that monitors pods in a Kubernetes cluster to help you detect security & license violations in containers running inside the pod.
KubeXray listens to events from the Kubernetes API server and leverages the metadata from JFrog Xray (a commercial product) to ensure that only the pods that comply with your current policy can run on Kubernetes. As an example, KubeXray listens to these event streams:
And when an issue is detected, KubeXray responds according to the current policy that you have set.
You can select one of the following possible actions:
KubeXray also allows you to enforce policy for running applications that have not been scanned by JFrog Xray and whose risks are unknown.
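The enforcement idea described above (evaluate each pod's images against Xray scan metadata, and treat unscanned images as a policy decision rather than silently allowing them) can be modelled without any Kubernetes or Xray client. The following is an added example, not KubeXray's own code; it assumes Go (the language suggested by the project's `make build` target) and uses constructed pod events, image names and scan results in place of real API server and Xray responses. The `ScanStatus`, `Policy`, `PodSpec` and `PodEvent` types are invented for the example, and the enforcement outcome is reduced to an allow/deny verdict rather than the specific actions KubeXray offers.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ScanStatus is the per-image summary the policy check needs.
// Field names are assumptions for this example, not the Xray API.
type ScanStatus struct {
	Scanned           bool
	SecurityViolation bool
	LicenseViolation  bool
}

// Policy states which findings make a pod non-compliant. DenyUnscanned
// covers the "risk unknown" case: images Xray has never seen.
type Policy struct {
	DenySecurityViolation bool
	DenyLicenseViolation  bool
	DenyUnscanned         bool
}

// Verdict is the outcome of evaluating one pod; Reasons is empty when allowed.
type Verdict struct {
	Allowed bool
	Reasons []string
}

// PodSpec is the minimal subset of a Kubernetes Pod the check needs.
type PodSpec struct {
	Name   string
	Images []string
}

// PodEvent mirrors the shape of a Kubernetes watch event:
// an event type ("ADDED", "MODIFIED", "DELETED") plus the pod concerned.
type PodEvent struct {
	Type string
	Pod  PodSpec
}

// Evaluate decides whether a pod complies with the policy, given scan metadata
// keyed by image reference. Images absent from the map count as unscanned.
func Evaluate(pod PodSpec, scans map[string]ScanStatus, p Policy) Verdict {
	var reasons []string
	for _, img := range pod.Images {
		st, ok := scans[img]
		if !ok || !st.Scanned {
			// Unknown risk is an explicit policy choice, never a silent pass.
			if p.DenyUnscanned {
				reasons = append(reasons, img+": not scanned (risk unknown)")
			}
			continue
		}
		if p.DenySecurityViolation && st.SecurityViolation {
			reasons = append(reasons, img+": security violation")
		}
		if p.DenyLicenseViolation && st.LicenseViolation {
			reasons = append(reasons, img+": license violation")
		}
	}
	sort.Strings(reasons) // deterministic ordering for logs and tests
	return Verdict{Allowed: len(reasons) == 0, Reasons: reasons}
}

// Enforce replays pod events through the policy and returns the names of
// non-compliant pods in event order. DELETED events are skipped: there is
// nothing left running to act on.
func Enforce(events []PodEvent, scans map[string]ScanStatus, p Policy) []string {
	var flagged []string
	for _, ev := range events {
		if ev.Type == "DELETED" {
			continue
		}
		if v := Evaluate(ev.Pod, scans, p); !v.Allowed {
			flagged = append(flagged, ev.Pod.Name)
		}
	}
	return flagged
}

func main() {
	// Constructed scan metadata: image names and findings are made up.
	scans := map[string]ScanStatus{
		"registry.example/app:1.0": {Scanned: true},
		"registry.example/db:2.3":  {Scanned: true, SecurityViolation: true},
		"registry.example/lib:0.9": {Scanned: true, LicenseViolation: true},
	}
	policy := Policy{DenySecurityViolation: true, DenyLicenseViolation: true, DenyUnscanned: true}
	// Constructed event stream standing in for the API server watch.
	events := []PodEvent{
		{Type: "ADDED", Pod: PodSpec{Name: "web", Images: []string{"registry.example/app:1.0"}}},
		{Type: "ADDED", Pod: PodSpec{Name: "data", Images: []string{"registry.example/app:1.0", "registry.example/db:2.3"}}},
		{Type: "MODIFIED", Pod: PodSpec{Name: "batch", Images: []string{"registry.example/unknown:latest"}}},
		{Type: "DELETED", Pod: PodSpec{Name: "data", Images: []string{"registry.example/db:2.3"}}},
	}
	for _, ev := range events {
		v := Evaluate(ev.Pod, scans, policy)
		fmt.Printf("%-8s %-6s allowed=%v %s\n", ev.Type, ev.Pod.Name, v.Allowed, strings.Join(v.Reasons, "; "))
	}
	fmt.Println("non-compliant:", Enforce(events, scans, policy))
}
```

The design point worth keeping from this is the third branch: a pod whose image has no scan record is not the same as a pod with a clean scan, and the policy should say explicitly whether unknown risk is acceptable. In the example that choice is the `DenyUnscanned` flag; with it set, `batch` is flagged alongside `data`, while `web` passes.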
The easiest way to install KubeXray is with the Helm chart. Please follow the install instructions in the chart's README.
To build kubexray locally:

```
make build
```

To build the kubexray docker image locally (testing the docker image build):

```
make image
```
We welcome community contribution through pull requests.
This tool is available under the Apache License, Version 2.0.
(c) All rights reserved JFrog