Kubernetes has become the de facto operating system of the cloud. Developers love K8s because Kubernetes makes it easy for developers to package their applications into portable microservices.
More than 90% of companies dealing with cloud and microservices orchestration are going towards Kubernetes. There are more than 24,441 companies that use Kubernetes.
Have you ever wondered if your container is really safe or has an open door?
Although Kubernetes provides various security measures out of the box with. There are often other reasons that these gaps in security can arise. Here are examples:
Configuration Misconfiguration: a recent study found that 70–75% of organizations have at least one serious AWS security misconfiguration.²
Kubernetes API Service: Tesla found this out when it put the dashboard that is part of its main Kubernetes API service online without authentication.³
However, Kubernetes has only the most basic security features. And it doesn’t cover all the checks that are provided at CIS “Center of Internet Security”⁴. Unfortunately, Kubernetes does not provide this level of protection when it comes to sophisticated security monitoring and compliance enforcement by administrators.
As shown in Figure-2, there are several ways an attacker could try to compromise your Kubernetes cluster and the applications running on it.
We will not look at all the reasons why Vulnerabilities Secrutity could occur in Kubernetes cluster in this article. That will be considered in other articles.
I have collected several useful scanners in my recent projects to find vulnerabilities and misconfigurations in K8S and would like to present them to you in this article.
1. Kube-bench
Kube-bench⁶ is a scanner that checks whether Kubernetes is implemented securely or not by using the CIS Kubernetes Benchmark implementation as accurately as possible. Kube-bench was awarded a 2018 InfoWorld Basic Award.⁷
This is written in GO and it will output pass, fail, or warning messages with the appropriate section of the CIS Kubernetes Benchmark for Lookup through the tests that the tool runs.
Quick start
you can run kube-bench:
inside a container:
docker run - pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest - version 1.18
inside a Kubernetes-Cluster:
The supplied job.yaml file can be applied to run the tests as a job.
kubectl apply -f https://github.com/aquasecurity/kube-bench/blob/main/job.yaml
inside the EKS Cluster:
-> aws ecr create-repository — repository-name k8s/kube-bench — image-tag-mutability MUTABLE-> kubectl apply -f https://github.com/aquasecurity/kube-bench/blob/main/job-eks.yaml
2. Kube-hunter
Kube-hunter⁸ as the name implies, it will hunt for security vulnerabilities in Kubernetes clusters. It is designed to increase awareness and visibility of security controls in Kubernetes environments. From outside the cluster, kube-hunter scans a domain or address range for open Kubernetes-related ports and tests for configuration issues that make your cluster vulnerable to attackers.
Quick start:
There are three different ways to run kube-hunter, each offering a different approach to discovering vulnerabilities in your cluster.
You can run kube-hunter:
On any machine, select remote scanning and specify the IP address or domain name of your Kubernetes cluster. This will give you an overview of your Kubernetes setup from an attacker’s perspective.
pip install kube-hunter
On a machine in the cluster
docker run -it — rm — network host aquasec/kube-hunter
In a pod within the cluster
kubectl create -f https://github.com/aquasecurity/kube-hunter/blob/main/job.yaml
3. Kubeaudit
Kubeaudit⁹ detects security misconfigurations in your Kubernetes resources and gives tips on how to fix them.
Kubeaudit comes with a large list of “auditors” that test various aspects, such as the SecurityContext of pods. The full list of auditors can be found at [10]:
Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security aspects
Quick start:
You can install kubeaudit:
via Homebrew:
brew install kubeaudit
via Helm:
helm upgrade — install kubeaudit secureCodeBox/kubeaudit
4. Kube-scan
With Kube-scan¹¹ you can get the risk score of your workloads. Kube-scan gives a risk score from 0 (no risk) to 10 (high risk) for each workload. Kube-scan is designed to help you understand which of your workloads are most at risk and why, and allows you to prioritize updates to your pod security policy, pod definitions, and manifest files to keep your risk under control.
Quick start:
Kube-scan is a single pod deployment with a YAML file:
-> kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml-> kubectl port-forward — namespace kube-scan svc/kube-scan-ui 8080:80
and then you can start the: http://localhost:8080
5. Kubesec
Kubesec¹² is an open-source tool for assessing the security risk of Kubernetes workloads based on their YAML configuration.
Kubesec quantifies the risk to Kubernetes resources by validating the configuration files and manifest files used for Kubernetes deployments and operations.
Quick start:
Kubesec is available as:
Docker Container:
docker.io/kubesec/kubesec:v2 https://hub.docker.com/r/kubesec/kubesec/tags
Linux/MacOS/Win binary: https://github.com/controlplaneio/kubesec/releases
Kubernetes Admission Controller: https://github.com/controlplaneio/kubesec-webhook
Kubectl Plugin: https://github.com/controlplaneio/kubectl-kubesec
Example Command Line Usage:
kubesec scan k8s-deployment.yaml
6. Kube-score
Kube-score¹³ performs a static code analysis for all Kubernetes object definitions. The output is a list of recommendations on what you can improve to make your application more secure and resilient.
Quick start:
You can easy install kube-score via:
Docker: docker pull zegl/kube-score
Homebrew: brew install kube-score
Krew the plugin manager for kubectl command-line tool: kubectl krew install score
You can find here a full list of Checks
Example:
kube-score score my-app/*.yaml
7. KubiScan
KubiScan¹⁴ helps cluster administrators identify permissions that attackers could exploit to compromise clusters. KubiScan scans Kubernetes clusters for risky permissions in Kubernetes Role-based Access Control (RBAC) permission model. KubiScan can scan for pods that contain privileged service account tokens that can be abused for privilege escalation attacks or to compromise the cluster.
Quick start:
You install KubiScan via:
- alias kubiscan='python3 https://github.com/cyberark/KubiScan/blob/master/KubiScan.py to use kubiscan
Example:
Searching for pods with privileged account:
kubiscan -rp
Verifying that this account appears in the risky subjects list:
kubiscan -rs
Searching for all the rules this service account has:
kubiscan -aaes “risky-sa” -ns “default” -k “ServiceAccount”
8. Krane
Krane¹⁵ is a command line tool written in Ruby. Krane is a simple tool for static analysis of Kubernetes RBAC. It identifies potential security risks in K8’s RBAC design and makes suggestions on how to mitigate them. The Krane dashboard presents the current RBAC security posture and lets you navigate through the definition.
Quick start:
You can install Krane vie:
gem install krane
and then:
krane deploy <app’s namespace> <kube context>
9. Illuminatio
Illuminatio¹⁶ is a utility for automatically testing Kubernetes network policies. Simply run illuminatio clean run and illuminatio will scan your Kubernetes cluster for network policies, create appropriate test cases, and execute them to determine if the policies are in effect.
Quick start:
You can install illuminatio via:
pip3 install illuminatio
or Kubectl Plugin:
-> ln -s $(which illuminatio) /usr/local/bin/kubectl-illuminatio
-> kubectl plugin list — name-only | grep illuminatio
Test your newly created NetworkPolicy:
illuminatio clean run
10. Checkov
Checkov¹⁷ is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructures deployed with Terraform, Terraform Plan, Cloudformation, AWS SAM, Kubernetes, Dockerfile, Serverless, or ARM templates and detects security and compliance misconfigurations through graph-based scanning.
Quick start:
You can easy install Checkov via:
Python Package Manager:
pip3 install checkov
Homebrew:
brew install checkov
Run It:
checkov — directory /user/path/to/iac/code
Or a specific file or files
checkov --file /user/tf/example.tf
11. MKIT
Managed Kubernetes Inspection Tool (MKIT)¹⁸ is an acronym for Managed Kubernetes Inspection Tool.
MKIT is a Managed Kubernetes Inspection Tool that uses FOSS tools to query and inspect various common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running in the cluster.
MKIT supports the following managed Kubernetes providers:
- Azure Kubernetes Service (AKS).
- Amazon Elastic Kubernetes service (EKS)
- Google Kubernetes Engine (GKE)
Quick start:
Azure Kubernetes Service (AKS)
Export your Azure credentials as local environment variables. The following are required:
AZURE_CLIENT_IDAZURE_TENANT_IDAZURE_CLIENT_SECRETAZURE_SUBSCRIPTION_ID
Run with the AKS option:
make run-aks resourcegroup=myResourceGroup clustername=my-aks-cluster-name
• Amazon Elastic Kubernetes Service (EKS)
Export your AWS credentials as local environment variables. The following are required:
AWS_PROFILEAWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
Run with the EKS option:
make run-eks awsregion=us-east-1 clustername=my-eks-cluster-name
• Google Kubernetes Engine (GKE)
Authenticate with your Google Cloud credentials
gcloud auth application-default login
Run with the GKE option (be sure to specify project-id and not project-name):
make run-gke project_id=my-project-id location=us-central1 clustername=my-gke-cluster-name
Run with the standalone Kubernetes option.
make run-k8s
Visit http://localhost:8000 to view the results of the scan.
12. Kubei
In a Kubernetes cluster, Kubei¹⁹ is used to analyze immediate threats. Most of Kubei is written in the Go programming language.
Kubei is a vulnerability scanning and CIS Docker benchmarking tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters.
Quick start:
Kubei is also like Kube-scan has a signle pod deployment with a YAML file:
- Run the following command to deploy Kubei on the cluster:
Then, port forwarding into the Kubei webapp via the following command:
kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath=’{.items[0].metadata.name}’) 8080
In your browser, navigate to http://localhost:8080/view/ and then click ‘GO’ to run a scan.
To check the state of Kubei, and the progress of ongoing scans, run the following command:
kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath=’{.items[0].metadata.name}’)
Refresh the page (http://localhost:8080/view/) to update the results.
Which tool should you use?
It really depends on the use cases. One thing is for sure, you should look at these tools in depth and pick one or more scanners from them to ensure your existing use cases. Most of the tools offer a monitoring service, so there is an opportunity to integrate these metrics alongside your existing monitoring services. This way, when changes are made to containers, pods, Ingress and other Kubernetes configurations, vulnerabilities can always be monitored.
In general, you should not rely on the standard Kubernetes security, you have seen as with Tesla and other large projects, that very quickly can also go down the drain.
I hope I could lead a contribution in your Kubernetes Security world.
Resources
[1] Companies that use Kubernetes: https://bit.ly/3DUvBtU
[6] kube-bench: github.com/aquasecurity/kube-bench
[8] Kube-hunter: github.com/aquasecurity/kube-hunter
[9] Kubeaudit: github.com/Shopify/kubeaudit
[10] list of kubeaudit auditors: https://bit.ly/3m1pb6a
[11] Kube-scan: github.com/octarinesec/kube-scan
[12] Kubesec: kubesec.io & https://github.com/controlplaneio/kubesec
[13] Kube-score: https://github.com/zegl/kube-score
[14] KubiScan: https://github.com/cyberark/KubiScan
[15] Krane: https://github.com/Shopify/krane/
[16] Illuminatio: github.com/inovex/illuminatio
[17] Checkov: github.com/bridgecrewio/checkov
[18] MKIT: github.com/darkbitio/mkit
[19] Kubei: github.com/Portshift/kubei
Comments