Hands-on with Runecast Analyzer 4.5 and Kubernetes Best Practices & Security Checks

Setting up vSphere 7 with Kubernetes
I recently upgraded my VMware homelab to vSphere 7 Update 1. One of the major new features of vSphere 7 Update 1 is the introduction of vSphere 7 with Kubernetes without requiring a full VMware Cloud Foundation deployment. vSphere 7 with Kubernetes now supports a bring-your-own network, storage and load balancer deployment option. I am running vSphere 7 with Kubernetes and I deployed a Tanzu Kubernetes Grid guest cluster called “jeffrey-tkc-01”:

My TKG Guest Cluster is using an HAProxy appliance for load balancing and Antrea for Kubernetes networking:

If you want to deploy vSphere 7 with Kubernetes yourself, I highly recommend taking a look at William Lam’s excellent Automated vSphere with Tanzu Basic Lab Deployment script on GitHub. Great work William!
Using the Kubernetes CLI Plugin for vSphere, I can now connect and log in to my guest cluster and switch to the correct Kubernetes context to deploy my first app:

The Demo Appliance Tanzu Kubernetes Grid fling contains a number of demo deployments, including a demo app called Yelb. You can find more details here: https://vmc.techzone.vmware.com/resource/demo-appliance-tanzu-kubernetes-grid-workshop-guide
Before deploying the Yelb demo app, I needed to set the correct RBAC permissions by applying the provided allow-nonroot-clusterrole.yaml file:
kubectl apply -f allow-nonroot-clusterrole.yaml
I then deployed the Yelb demo app by applying yelb-lb.yaml:
kubectl apply -f yelb-lb.yaml

The external IP 10.0.20.4 is being load balanced by HAProxy and I can open the Yelb demo app website:

Connecting Runecast Analyzer 4.5 to my Kubernetes cluster
Connection Settings
Runecast Analyzer 4.5 introduced “support for automated Kubernetes configuration analysis at the node-level, cluster-level, and workload level by covering common cluster operational and security best practices for Kubernetes, as well as the CIS benchmark for Kubernetes (security standard)”.
To connect Runecast Analyzer to my Kubernetes cluster, I first need to find the IP address of the Kubernetes API Server for my cluster by checking the output of:
kubectl config view

I also need a service account token. Since this is just a demo environment, I’m not using a proper service account but I’m just going to use a previously created account with edit permissions on my cluster:

With this information I can now configure the connection settings in Runecast Analyzer on the Settings page:
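The connection described above needs two values, the API server address and a service account token. As an added example (not Runecast's code or the post's own), the following POSIX shell script creates a dedicated read-only service account for that purpose instead of reusing an account with edit rights, and prints both values. The namespace and names are arbitrary, and the get/list/watch-on-everything rule is an assumption, not Runecast's documented requirement.

```shell
# Added example (not Runecast's code): dedicated read-only ServiceAccount for
# an external analyzer, instead of reusing an account with edit rights.
# Assumption: get/list/watch on all resources is enough; narrow "resources"
# (e.g. exclude Secrets) once the vendor's documented needs are known.
set -eu
NS=runecast; SA=runecast; ROLE=runecast-readonly   # arbitrary names

# Print the manifest: ServiceAccount, read-only ClusterRole, binding and a
# long-lived token Secret that the token controller populates (.data.token).
rbac_manifest() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $SA, namespace: $NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: $ROLE}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: $ROLE}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: $ROLE}
subjects:
- {kind: ServiceAccount, name: $SA, namespace: $NS}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $SA-token
  namespace: $NS
  annotations: {kubernetes.io/service-account.name: $SA}
EOF
}

# Apply it and print the two values the Runecast connection settings need.
install_runecast_rbac() {
  kubectl get ns "$NS" >/dev/null 2>&1 || kubectl create namespace "$NS"
  rbac_manifest | kubectl apply -f -
  until kubectl get secret "$SA-token" -n "$NS" -o jsonpath='{.data.token}' | grep -q .; do sleep 1; done
  echo "API server: $(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
  echo "Token: $(kubectl get secret "$SA-token" -n "$NS" -o jsonpath='{.data.token}' | base64 -d)"
}

case "${1:-}" in install) install_runecast_rbac ;; esac   # sh this-file install
```

Run it with the `install` argument against the context of the guest cluster; the printed server URL and token are what go into the Runecast connection settings.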

Kubernetes Inventory View
The Inventory View allows you to drill down into your clusters and namespaces and provides Best Practices and CIS security recommendations on every object:

Runecast Analyzer provides clear and concise details on findings and provides useful links for additional information.
Best Practices
The Best Practices dashboard nicely consolidates all the recommendations in one place. You can filter on the Product Kubernetes to get all the Kubernetes findings along with their severities:

Conclusion
Kubernetes support is a really great addition to Runecast Analyzer. Many companies are adopting Kubernetes and the recommendations from Runecast Analyzer allow them to better implement and harden their Kubernetes deployments. I’m going to play around a bit more with it and will add some additional blog posts in the near future. If you want to try Runecast Analyzer for yourself, there is a free trial available on their website!