With the rise of microservices and containers, orchestrating them with Kubernetes has become helpful for maximizing efficiency and cost savings. Yet, too often, Kubernetes suffers from security breaches due to security misconfigurations and over-permissive states.
OWASP, the IT security benchmarking group, provides a comprehensive cheat sheet of best practices for securing Kubernetes clusters. This includes advice such as controlling network access to sensitive ports, the Kubernetes API, and Kubelet and etcd; implementing role-based access control; and using transport-level security.
To identify these known vulnerabilities, OWASP also recommends the use of an image scanner. Thankfully, many free packages are available to scan Kubernetes clusters and pods for Common Vulnerabilities and Exposures (CVEs). These packages can be tested from the command line or could even be leveraged for continuous security vulnerability reporting.
Open source is very important for security, since sharing known vulnerabilities can help reduce risk across the IT industry. Compared with managed security tools, free-to-use open-source scanning tools are a low-commitment way to quickly incorporate security testing while avoiding vendor lock-in.
You may want to customize your scanner with industry-specific benchmarks or vendor-specific processes—open-source tools are easy to fork and adjust with your own internal security guidelines.
To help tighten your Kubernetes clusters and pods, these top open-source vulnerability scanners and tools can help determine if your final Kubernetes configuration is safe or presents a risk.
1. kube-bench
kube-bench is a handy utility that runs a series of benchmark tests based on the guidelines for Kubernetes security from the Center for Internet Security (CIS). It can be used to detect insecure, open default settings and improper user authentication and authorization, and to highlight insecure data in transit and at rest.
kube-bench, written as a Go application, is deployable as a container. Ready-made job.yaml files make it easy to run kube-bench inside a Kubernetes cluster or on a managed Kubernetes service, such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or OpenShift.
For example, this command runs kube-bench in AKS:
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench
After tests are run, kube-bench will indicate the status of the tests, with outputs including:
[PASS][FAIL][WARN][INFO] kube-bench is open-sourced by Aqua Security, which also developed an image scanner for containers called trivy.
2. kube-hunter
kube-hunter, another Aqua Security project, goes deeper to scan Kubernetes clusters and pods for additional weaknesses outside of the CIS database. As its name implies, kube-hunter uses more predatory—and potentially dangerous—tactics to really put your Kubernetes instances to the test.
When set to "active hunting" mode, kube-hunter will further exploit the vulnerabilities that arise with state-changing operations.
You can install kube-hunter with pip:
pip install kube-hunter
You can run kube-hunter within a local machine or cluster—it can be set to remote, interface, and network scanning. When run, kube-hunter will return a list of vulnerabilities, each with its own vulnerability ID. The kube-hunter knowledge base is an easy way to look up these issues; there are around 40. For example, vulnerability ID KHV038 is for exposed running pods:
"The kubelet is leaking information about running pods via the /runningpods endpoint. This endpoint is exposed as part of the kubelet’s debug handlers."
3. kube-score
kube-score performs a static code analysis of Kubernetes definitions, checking them against many security controls (defined here), each of which can be enabled or disabled. Since kube-score simply tests object definitions, this scanning method is non-intrusive and harmless. A big benefit of kube-score is its emphasis on human-readable error messages with helpful instructions for remediation, which could help you improve reliability and security.
Kube-score is also the only utility on this list that offers a free web-based UI to test your object definitions. Simply paste a definition YAML or JSON file at kube-score.com for a quick analysis.
Here are some example results:
[CRITICAL] Container Image Pull Policy
· foobar -> ImagePullPolicy is not set to Always
It's recommended to always set the ImagePullPolicy to Always, to make sure that the
imagePullSecrets are always correct, and to always get the image you want.
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching NetworkPolicy
Create a NetworkPolicy that targets this pod to control who/what can communicate with this pod.
Note, this feature needs to be supported by the CNI implementation used in the Kubernetes cluster
to have an effect.
4. kubeaudit
kubeaudit is a command-line tool, created by Shopify, that audits Kubernetes clusters against common security controls. Kubeaudit tests are called "auditors" and can be run together or independently. At the time of this writing, kubeaudit employs 14 auditors to assess whether containers allow privilege escalation, whether pods have insecure default settings, and whether containers without AppArmor are enabled, among other security settings.
Each auditor is well documented, with production examples and explanations for each best practice. Audit results are filterable by three security levels, which could help prioritize mission-critical issues and reduce noise. In general, kubeaudit offers a large number of configurability options and ample documentation.
kubeaudit can be installed with brew:
brew install kubeaudit
kubeaudit can be run quite easily as a kubectl plugin:
kubectl audit Or it can run as a job in your cluster using the Docker image:
shopify/kubeaudit Here is an example output, shown within the documentation:
$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
namespace: deployment-apps-v1
--------------------------------------------
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.
Metadata:
Container: container
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container
-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.
-- [error] CapabilityShouldDropAll
Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
Metadata:
Container: container
Capability: AUDIT_WRITE
...
5. Kube-Scan
Kube-Scan, by Octarine, is a risk assessment tool for Kubernetes. It scans Kubernetes clusters and responds with a simple number risk for each workload—0 being low risk and 10 being high risk.
Like other vulnerability scanners, Kube-Scan utilizes other guidelines to determine a risk factor. In this case, it follows the Kubernetes Common Configuration Scoring System (KCCSS), a framework that focuses on configurations and security settings. It considers confidentiality, availability, and integrity when assigning risk.
You can run Kube-Scan from the command line, but it also generates a sleek UI to display findings. Teams can also expand the KCCSS list with their own specific rules.
It's easy to get started with Kube-Scan:
kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml
kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80
6. Kubesec.io
Kubesec is a risk scanning tool for Kubernetes resources that uses the open-source controlplane. Kubesec takes a Kubernetes YAML manifest file and scans Kubernetes pods, deployments, and resources. It checks for weaknesses such as privileged capabilities, running images as a non-root, and other common risks. Kubesec provides a severity score for each vulnerability along with an overall tally. You can test a live Kubesec demo here.
Here is an example output:
[
{
"object": "Pod/security-context-demo.default",
"valid": true,
"message": "Failed with a score of -30 points",
"score": -30,
"scoring": {
"critical": [
{
"selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
"reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided",
"points": -30
}
],
"advise": [
{
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege",
"points": 1
},
{
// ...
}
]
}
}
]
7. KubiScan
If you're seeking better visibility into how your Kubernetes environment handles role-based access control (RBAC), check out KubiScan, a simple yet powerful command-line utility solely focused on identifying risky permissions and roles.
For example, with the command kubiscan rp you can easily search for pods with privileged accounts. From there, you could invoke other commands to search for rules or role bindings associated with specific accounts.
The way Kubernetes is constructed, the RBAC system could be manipulated if security is misconfigured. Thus, a tool like KubiScan could help identify risky pods and help debug and diagnose cluster problems.
8. krane
krane is another tool for auditing Kubernetes RBAC and spotting potential security risks. It follows built-in RBAC risk rules and analyzes roles, role bindings, cluster roles, and cluster role bindings for weaknesses.
You can run krane from a command-line interface or a Docker container. For viewing results, krane provides machine-readable reporting, a dashboard UI, as well as integration with Slack. A Slack connection is a nice perk, letting you input high-severity alerts right into your chat workflows, also known as ChatOps.
Honorable mentions
In addition to the eight most popular open-source packages for automated Kubernetes security auditing discussed above, these runner-ups could certainly be of help:
- red-kube: Contains a cheat sheet of KubeCTL commands—helpful to see how hacks such as secrets bypass, ingress takeover, or unauthorized pod data access could be accomplished.
- kubestriker: Checks Kubernetes security misconfigurations.
- k8s-security-dashboard: Monitors Kubernetes through a tool called K8sCop.
- container-security-operator: Helps identify image vulnerabilities in Kubernetes pods.
- illuminatio: Tests Kubernetes network policies.
- audit2rbac: Auto-generates RBAC policies based on Kubernetes audit logs.
In addition to Kubernetes auditing, other strategies could help you improve your overall security posture. For example, automated analysis could be applied directly to containers. Some open-source tools for container security include Anchore, Clair, and Docker Bench.
Project Calico is another open-source project; it's a networking and security layer interoperable with Kubernetes.
Another strategy picking up steam is the service mesh. A service mesh aims to provide a common networking and policy enforcement layer across microservices ecosystems. Of the nine major service meshes on the market, a few to consider include Istio, Kuma, and Linkerd.
How to choose
There are many open-source Kubernetes vulnerability scanners out there, so how do you choose? Well, to scan Kubernetes against a set of benchmarks from the Center for Internet Security, try kube-bench; it is also the most widely adopted option. Kubesec is another comparable alternative.
Like kube-bench, nearly all these tools sit in the command line and require simple commands to run. However, if you are seeking visual UI for increased usability, consider Kube-Scan; this tool is also helpful if you're looking for numbered scores for your security configurations that follow the Common Vulnerability Scoring System (CVSS) scoring system.
Security analysis can generate a lot of noise and false positives. If your team desires flexibility to isolate and run tests independently to pinpoint certain areas, consider kubeaudit.
If you're looking for the most actionable advice for remediation, kube-score and kube-hunter stand out. Both have nicely structured vulnerability databases with actional advice.
For RBAC analysis, consider KubiScan for easy navigation into your pod and cluster accounts and roles. Or, if you're seeking alert integration with chat, use krane for its Slack integration. Both options can help track if your role-based access model is sufficient.
Your choice of tool may also depend on whether you want passive or active testing. Nearly all the Kubernetes scanning tools above are static and shouldn't cause any detrimental harm. However, if you're looking for more active testing, consider kube-hunter—its active mode can test the implications of your vulnerabilities.
Your goal: Zero high-risk vulnerabilities found
Kubernetes use is on the rise. Some 48% of large development teams now implement it, according to a recent VMware report. Of those respondents, 95% see clear benefits. Now production-tested, DevSecOps engineers must secure this popular container orchestrator against surmounting risks.
The tools above can help your teams get a little closer to identifying and rectifying security misconfigurations. And in time, perhaps you'll slim those scan results down to one beautiful phrase: "All checks completed—0 high-risk vulnerabilities found."
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
