Query Kubernetes Clusters
Once you've ensured that cnquery can access your Kubernetes environment, you can begin exploring and analyzing your infrastructure. The method you choose depends on your goals:
- To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.
- For widescale analysis of your Kubernetes infrastructure, scan using query packs. These collections of queries work together to present a whole picture.
Explore with the cnquery shell
To launch a shell into your Kubernetes environment, enter:
cnquery shell k8s
cnquery automatically discovers all the Kubernetes assets available to query:
→ resolved assets resolved-assets=20
Available assets
8. luna/luna-frontend-7fb96c846b-2k5j7 (k8s-pod)
> 9. luna/luna-frontend-7fb96c846b-8b94j (k8s-pod)
10. luna/luna-frontend-7fb96c846b-jglt9 (k8s-pod)
11. kube-system/kube-controller-manager-minikube (k8s-pod)
12. kube-system/kube-proxy-cdzrr (k8s-pod)
13. kube-system/kube-scheduler-minikube (k8s-pod)
14. kube-system/storage-provisioner (k8s-pod)
•••
Arrow through the list and select Enter to choose the asset you want to explore.
Discover capabilities with the help command
Once inside the shell, use the help command to learn what Kubernetes resources you can query. This command lists all the Kubernetes resources:
help k8s
From the resulting list, you can drill down further. For example, enter this command to list all the Kubernetes IAM resources you can query:
help k8s.pod
From the resulting list, you can drill down even further. You can also learn about available Kubernetes resources in the Mondoo Kubernetes Resource Pack Reference.
Answer questions in the cnquery shell
Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.
Query namespaces
This query asks for a list of namespaces in the cluster:
k8s.namespaces
cnquery returns a list of all the namespaces in the cluster and their creation dates.
k8s.namespaces: [
0: k8s.namespace name="default" created=2022-12-14 15:17:35 -0800 PST
1: k8s.namespace name="kube-node-lease" created=2022-12-14 15:17:34 -0800 PST
2: k8s.namespace name="kube-public" created=2022-12-14 15:17:34 -0800 PST
3: k8s.namespace name="kube-system" created=2022-12-14 15:17:34 -0800 PST
4: k8s.namespace name="luna" created=2022-12-14 15:26:38 -0800 PST
]
Add { * } to request a full report that includes all the data available for each namespace:
k8s.namespaces { * }
cnquery groups the information by namespace:
k8s.namespaces: [
0: {
uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
id: "namespace:default"
created: 2022-12-14 15:17:35 -0800 PST
manifest: {
apiVersion: "v1"
kind: "Namespace"
metadata: {
creationTimestamp: "2022-12-14T23:17:35Z"
labels: {
kubernetes.io/metadata.name: "default"
}
managedFields: [
0: {
apiVersion: "v1"
fieldsType: "FieldsV1"
fieldsV1: {
f:metadata: {
f:labels: {
.: {}
f:kubernetes.io/metadata.name: {}
}
}
}
manager: "kube-apiserver"
operation: "Update"
time: "2022-12-14T23:17:35Z"
}
]
name: "default"
resourceVersion: "192"
uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
}
spec: {
finalizers: [
0: "kubernetes"
]
}
status: {
phase: "Active"
}
}
name: "default"
}
1: {
uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
id: "namespace:kube-node-lease"
created: 2022-12-14 15:17:34 -0800 PST
manifest: {
apiVersion: "v1"
kind: "Namespace"
metadata: {
creationTimestamp: "2022-12-14T23:17:34Z"
labels: {
kubernetes.io/metadata.name: "kube-node-lease"
}
managedFields: [
0: {
apiVersion: "v1"
fieldsType: "FieldsV1"
fieldsV1: {
f:metadata: {
f:labels: {
.: {}
f:kubernetes.io/metadata.name: {}
}
}
}
manager: "kube-apiserver"
operation: "Update"
time: "2022-12-14T23:17:34Z"
}
]
name: "kube-node-lease"
resourceVersion: "53"
uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
}
spec: {
finalizers: [
0: "kubernetes"
]
}
status: {
phase: "Active"
}
}
name: "kube-node-lease"
}
...
You can also request specific data for each namespace:
k8s.namespaces { uid name }
cnquery returns only the information you requested:
k8s.namespaces: [
0: {
uid: "2cf29aad-c9cd-47fc-98fa-1fbc80b64ccb"
name: "default"
}
1: {
uid: "d0b8a89f-42c1-43d1-88e5-976231c85e43"
name: "kube-node-lease"
}
2: {
uid: "fec9c3f7-a49b-4dbd-b17d-98dd3dd4d344"
name: "kube-public"
}
3: {
uid: "f249e61c-7a6c-4ea6-a4e0-b903ed469664"
name: "kube-system"
}
4: {
uid: "e00334c6-7ce4-4a32-b4a7-1e64e30b70c4"
name: "luna"
}
]
Filter results
You can filter results based on any fields. Specify the criteria using the where function and standard boolean operators.
For example, this filters results based on namespace:
k8s.services.where(namespace == "luna"){
name
spec['type']
spec['clusterIP']
spec['ports']{
_['port']
}
}
cnquery returns the requested details for each service in the luna namespace:
k8s.services.where: [
0: {
spec[ports]: [
0: {
[port]: 443.000000
}
]
spec[clusterIP]: "10.43.0.1"
spec[type]: "ClusterIP"
name: "kubernetes"
}
1: {
spec[ports]: [
0: {
[port]: 80.000000
}
]
spec[clusterIP]: "10.43.211.176"
spec[type]: "ClusterIP"
name: "wiki"
}
2: {
spec[ports]: [
0: {
[port]: 80.000000
}
]
spec[clusterIP]: "10.43.196.249"
spec[type]: "ClusterIP"
name: "wordpress"
}
3: {
spec[ports]: [
0: {
[port]: 3306.000000
}
]
spec[clusterIP]: "10.43.111.72"
spec[type]: "ClusterIP"
name: "mysql"
}
4: {
spec[ports]: [
0: {
[port]: 80.000000
}
]
spec[clusterIP]: "10.43.242.48"
spec[type]: "ClusterIP"
name: "webserver"
}
5: {
spec[ports]: [
0: {
[port]: 10250.000000
}
1: {
[port]: 10255.000000
}
2: {
[port]: 4194.000000
}
]
spec[clusterIP]: "None"
spec[type]: "ClusterIP"
name: "kubelet"
}
]
Learn more about querying Kubernetes
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.
Exit the cnquery shell
To exit the cnquery shell, either press Ctrl + D or type exit.
Analyze your environment with Kubernetes query packs
Mondoo makes these core Kubernetes query packs available in GitHub:
- Mondoo Kubernetes Cluster Inventory provides information about all your Kubernetes assets and their configuration.
- Mondoo Kubernetes Cluster Incident Response helps you investigate and minimize damage when a security incident occurs.
To run one of these purpose-built collections of Kubernetes-specific queries:
-
In Mondoo's cnquery-packs GitHub repo, go to the
coredirectory and find the Kubernetes query pack you want to run. -
Download the YAML file to a local directory and, in your terminal, move to that directory.
-
Use the
cnquery scancommand, specifying the file and the query pack:
cnquery scan k8s -f mondoo-kubernetes-incident-response.mql.yaml --querypack mondoo-incident-response-kubernetes
You can also create your own query packs to meet your specific needs. To learn more about query packs, read Run a Query Pack.