Bjørn2Scan tracks the vulnerabilities in your Kubernetes cluster and lets you follow them directly in Prometheus/Grafana, or wherever you want via OpenTelemetry. Under the hood it connects to your container runtime (Docker or ContainerD) and scans whatever is actually running using Syft and Grype, which also means it does not need access to your container registry.
Spin up or connect to your favorite Kubernetes cluster. This walkthrough uses Minikube (https://minikube.sigs.k8s.io/):
minikube start
Deploy the scanner
helm upgrade --install bjorn2scan oci://harbor.cloudnative.biz/k8s-scanner/bjorn2scan --set clusterName="Minikube Cluster" --wait
See https://github.com/bvboe/bjorn2scan/blob/main/bjorn2scan/values.yaml for more configuration options.
Once it's running, open a connection to the web frontend:
kubectl port-forward service/web-frontend 8080:80
Open up your browser at http://localhost:8080 and you're up and running.
This adds Prometheus and Grafana to analyze the data for this Minikube cluster. The same deployment approach can be modified to monitor multiple Kubernetes clusters.
Install Prometheus and Grafana, configured to retrieve data from the Kubernetes scanner:
helm upgrade --install k8s-monitoring prometheus-community/kube-prometheus-stack \
--set "prometheus.prometheusSpec.maximumStartupDurationSeconds=900" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].job_name=Kubernetes-Vulnerability-Scanner" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].metrics_path=/metrics" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].static_configs[0].targets[0]=vulnerability-coordinator:80" \
--wait
Get access to Prometheus by running the following command:
kubectl port-forward svc/k8s-monitoring-kube-promet-prometheus 9090
Open http://localhost:9090 and validate that Prometheus is reading data.
Prometheus is importing the following metrics from the Kubernetes scanner:
- kubernetes_vulnerability_results
- kubernetes_vulnerability_sbom
- kubernetes_vulnerability_scanned_containers
This gives information about vulnerabilities found, the software bill of materials for these workloads and an indicator of how many workloads have been scanned.
Also explore some of the data within Prometheus, for example by querying each of the metric names above in the expression browser.
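Validating that the scanner is actually exposing data is easier from the coordinator's own /metrics endpoint than from Prometheus, because a scrape that returns an empty page still shows as "UP". The following smoke test is an added example, not part of Bjørn2Scan: it checks that all three metric families are present and that the scanned-containers count is non-zero. The sample in exposition format is constructed, its label names (cluster, severity, package) are assumptions rather than the scanner's real labels, and the local port 9091 used for the port-forward is arbitrary.

```sh
#!/bin/sh
# Added smoke test for the scanner's metrics endpoint (not part of Bjørn2Scan).
# The sample below is constructed; its label names are illustrative assumptions.
set -eu

# Print the number of sample lines for one metric family in a metrics file.
# $1 = metrics file, $2 = family name. Comment lines start with "#" and never match.
count_series() {
  awk -v m="$2" '$1 ~ "^" m "([{]|$)" { n++ } END { print n + 0 }' "$1"
}

# Sum the sample values of one metric family (the value is the last field of a line).
sum_samples() {
  awk -v m="$2" '$1 ~ "^" m "([{]|$)" { s += $NF } END { printf "%d\n", s }' "$1"
}

# Return 0 only if all three families are exposed and at least one container was scanned.
check_scanner_metrics() {
  for fam in kubernetes_vulnerability_results kubernetes_vulnerability_sbom kubernetes_vulnerability_scanned_containers; do
    if [ "$(count_series "$1" "$fam")" -eq 0 ]; then
      echo "missing metric family: $fam" >&2
      return 1
    fi
  done
  if [ "$(sum_samples "$1" kubernetes_vulnerability_scanned_containers)" -eq 0 ]; then
    echo "scanner is up but has not scanned any containers yet" >&2
    return 1
  fi
  return 0
}

# Fetch live metrics from the coordinator into $1. Assumes a port-forward is running:
#   kubectl port-forward service/vulnerability-coordinator 9091:80
fetch_metrics() {
  curl -fsS "http://localhost:9091/metrics" -o "$1"
}

# Constructed sample in Prometheus exposition format (label names are assumptions).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# HELP kubernetes_vulnerability_results Vulnerabilities found in running containers
# TYPE kubernetes_vulnerability_results gauge
kubernetes_vulnerability_results{cluster="Minikube Cluster",severity="Critical"} 3
kubernetes_vulnerability_results{cluster="Minikube Cluster",severity="High"} 17
# HELP kubernetes_vulnerability_sbom Software bill of materials for running containers
# TYPE kubernetes_vulnerability_sbom gauge
kubernetes_vulnerability_sbom{cluster="Minikube Cluster",package="openssl"} 1
# HELP kubernetes_vulnerability_scanned_containers Number of containers scanned
# TYPE kubernetes_vulnerability_scanned_containers gauge
kubernetes_vulnerability_scanned_containers{cluster="Minikube Cluster"} 12
EOF

check_scanner_metrics "$SAMPLE" && echo "sample metrics look healthy"
# Against a live cluster: fetch_metrics /tmp/scanner.prom && check_scanner_metrics /tmp/scanner.prom
```

Run it once right after the scanner is installed and again after Prometheus is up; a failure on the second run but not the first points at the scrape configuration rather than at the scanner.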
Get access to Grafana by running the following command:
kubectl port-forward service/k8s-monitoring-grafana 3000:80
Open http://localhost:3000 and log in with the chart's default username/password, admin/prom-operator. That default is public knowledge, so on anything other than a throwaway cluster override it on the monitoring install (for example --set grafana.adminPassword=...).
Open the Dashboard page and click New -> Import to import a pre-built Kubernetes vulnerability dashboard.
Open the following link in a separate window, copy its contents into the JSON model window and click Load:
https://raw.githubusercontent.com/bvboe/bjorn2scan/refs/heads/main/grafana-dashboard/container-vulnerability-dashboard.json
Select the default Prometheus datasource for the dashboard and click Import.
Start exploring the vulnerability dashboard that was just imported.
It's important that each cluster is given a unique name. The name is set when installing the Kubernetes Vulnerability Scanner, as shown below:
helm upgrade --install bjorn2scan oci://harbor.cloudnative.biz/k8s-scanner/bjorn2scan --set clusterName="SET NAME OF CLUSTER HERE" --wait
Additional clusters can be added to the Prometheus configuration by modifying the helm installation as follows. Each extra target must be a hostname and port at which that cluster's vulnerability-coordinator endpoint is reachable from the monitoring cluster; a Service name from another cluster does not resolve here, so the placeholders cluster-number-two and cluster-number-three must be replaced with addresses you expose for this purpose. Note that this scrape config uses plain HTTP with no authentication, and the metrics include the SBOM contents of your workloads, so do not expose those endpoints to untrusted networks without putting TLS and authentication in front of them:
helm upgrade --install k8s-monitoring prometheus-community/kube-prometheus-stack \
--set "prometheus.prometheusSpec.maximumStartupDurationSeconds=900" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].job_name=Kubernetes-Vulnerability-Scanner" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].metrics_path=/metrics" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].static_configs[0].targets[0]=vulnerability-coordinator:80" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].static_configs[0].targets[1]=cluster-number-two:80" \
--set "prometheus.prometheusSpec.additionalScrapeConfigs[0].static_configs[0].targets[2]=cluster-number-three:80" \
--wait
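Indexed --set flags get unwieldy once there is more than one cluster, and they offer no way to give the remote targets different transport settings from the local one. The script below is an added example, not part of Bjørn2Scan or kube-prometheus-stack: it writes the same configuration as a Helm values file with one scrape job for the local coordinator and a second, TLS plus basic-auth job for the remote clusters. The remote hostnames, the secret name scanner-scrape-auth, the ingress that terminates TLS and enforces the basic-auth credentials in front of each remote coordinator, and the job name of the remote job are all assumptions about your environment; the file path under /etc/prometheus/secrets/ is where the Prometheus Operator mounts secrets listed in prometheusSpec.secrets.

```sh
#!/bin/sh
# Added example (not part of Bjørn2Scan): one scrape job per transport, written as a
# Helm values file instead of indexed --set flags. Hostnames, the secret name and the
# TLS/basic-auth front door for the remote clusters are assumptions about your environment.
set -eu

# Write the kube-prometheus-stack values to the file named by $1.
write_monitoring_values() {
  cat > "$1" <<'EOF'
prometheus:
  prometheusSpec:
    maximumStartupDurationSeconds: 900
    # Secret mounted by the Prometheus Operator at /etc/prometheus/secrets/scanner-scrape-auth/.
    # Assumed to exist, e.g.:
    #   kubectl create secret generic scanner-scrape-auth --from-literal=password=<long random value>
    secrets:
      - scanner-scrape-auth
    additionalScrapeConfigs:
      # Local cluster: plain HTTP over the cluster network, exactly as in the single-cluster setup.
      - job_name: Kubernetes-Vulnerability-Scanner
        metrics_path: /metrics
        static_configs:
          - targets:
              - vulnerability-coordinator:80
      # Remote clusters: an in-cluster Service is not reachable from here, so each coordinator is
      # assumed to be published behind an ingress that terminates TLS and enforces basic auth.
      - job_name: Kubernetes-Vulnerability-Scanner-Remote
        metrics_path: /metrics
        scheme: https
        basic_auth:
          username: prometheus
          password_file: /etc/prometheus/secrets/scanner-scrape-auth/password
        static_configs:
          - targets:
              - scanner.cluster-two.example.internal:443
              - scanner.cluster-three.example.internal:443
EOF
}

# Install or upgrade the monitoring stack from the values file named by $1.
install_monitoring() {
  helm upgrade --install k8s-monitoring prometheus-community/kube-prometheus-stack \
    -f "$1" --wait
}

# Count the host:port scrape targets a values file declares (a sanity check before installing).
count_targets() {
  grep -c '^ *- [A-Za-z0-9.-]*:[0-9][0-9]*$' "$1"
}

VALUES="$(mktemp)"
write_monitoring_values "$VALUES"
echo "$(count_targets "$VALUES") scrape targets declared in $VALUES"
# Then: install_monitoring "$VALUES"
```

Keeping the local and remote coordinators in separate jobs means the basic-auth credential is only ever sent over HTTPS; putting all targets in one job would send it over plain HTTP to the local Service as well.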
Use Helm to see what's installed:
helm list
Ask Helm to delete the monitoring and scanning components. Helm does not remove the CRDs that kube-prometheus-stack installed, so delete those separately if you want a clean slate:
helm delete k8s-monitoring bjorn2scan
The scanner is designed to work with Kubernetes running on Docker and ContainerD, and has been tested on the following Kubernetes distributions:
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- K3s
- MicroK8s
- Kubeadm on ContainerD
- Minikube
- Kind
The scanner is currently not integrated with CRI-O.
The scanner also requires read-only access to the host operating system, since it reaches the container runtime through the host rather than through a registry, and it uses a Persistent Volume Claim to cache scan results. The Persistent Volume Claim can be disabled by adding --set vulnerabilityCoordinator.externalStorage=false to the helm installation command.