This guide will show you how to install InSpec on your Cloud Shell instance and how to use InSpec to check your Google Kubernetes Engine deployments against the CIS Benchmark.
Time to complete: About 5 minutes
Click the Start button to move to the next step.
Before we jump in, let's briefly go over what InSpec can do.
InSpec, a popular framework in the DevSecOps community, checks the configuration state of resources within virtual machines, containers, and cloud providers such as GCP, AWS, and Azure. InSpec's lightweight nature, approachable domain specific Language (DSL) and extensibility, make it a valuable tool for:
- Expressing compliance policies as code
- Enabling development teams to add application-specific tests and assess the compliance of their applications to security policies before pushing changes to the production environment.
- Automating compliance verification in CI/CD pipelines and as part of the release process
- Unifying compliance assessments across multiple cloud providers and on premises environments
Continue on to the next step to start setting up your tutorial.
InSpec is distributed as a Ruby gem and your Cloud Shell instance has a Ruby environment already configured. All you need to do is install the InSpec gem:
gem install inspec-bin --no-document --quietTip: Click the Copy to Cloud Shell button on the side of the code box and then hit Enter in your terminal. You can also click the copy button on the side of the code box and paste the command in the Cloud Shell terminal to run it.
Next, you’ll select a Google Cloud Project to scan with InSpec.
Pick a project where you have sufficient permissions. We'll use your user credentials in Cloud Shell to scan the project.
The project you selected is {{project-id}}. If this is blank, make sure you selected a project using the dropdown box above.
Hit Next after you successfully selected your project.
To scan your project against the CIS GKE Benchmark with InSpec, run:
CHEF_LICENSE=accept-no-persist inspec exec https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark.git -t gcp:// --input gcp_project_id={{project-id}}This should take about two minutes to complete.
Once complete, your terminal output should look something like this:
Profile Summary: 14 successful controls, 34 control failures, 7 controls skipped
Test Summary: 107 successful, 88 failures, 7 skipped
You can scroll up to see the details of passing and failing controls.
To scan another project, press the Previous button and select a different project.
Press Next if you're done scanning projects.
You’re all set!
You can now scan your Google Cloud Projects with InSpec directly from Cloud Shell.