Top 6 Kubernetes Security Tools
Introduction
While we have been running Kubernetes Security training for a while now, I realized that the Kubernetes community appears to be one of the most actively supported communities, aside from JavaScript and NodeJS (just an opinion). As a result, new tools, good, bad, and ugly, are constantly being released around Kubernetes. Not surprisingly, security tools are in popular demand in the community, partly because:
- Kubernetes Security can be challenging to say the least, and a series of rabbit holes that get increasingly complicated, to say the worst. It can be complex even to Kube-Mavens.
- The AdmissionController Resource in Kubernetes, especially with the ValidatingWebhook and MutatingWebhook resources, provides ample opportunities for people to build some really useful security integrations.
In this list, I will not be covering larger-scope tools like Vault, which is amazing with Kubernetes (and everything else), but more Kubernetes-only tools. Again, this is by no means an exhaustive list. It's just stuff that we love and use often.
I am also only covering OSS tools. No commercial tools in this blogpost.
KubeAudit
We love Shopify at we45, and KubeAudit is an awesome tool from Shopify's engineering team that comes with the familiar Shopify polish and user-friendliness. As the name suggests, KubeAudit gives you the features to audit and assess Kubernetes clusters for security flaws. It does a great job of uncovering some major security issues with clusters. It is constantly updated and has added some very useful features, including:
- Manifest mode, which allows kubeaudit to be used as a static analyzer against your Kubernetes YAML manifests.
- CLI and Go library. KubeAudit can be used both as a CLI and as a golang library, to encourage integrations, which is awesome as far as I am concerned.
- An auto-fix mode that allows you to check your manifests and create a more security-optimized version of the manifest. While I sometimes find this to be overkill, it certainly gives me good suggestions that I can selectively implement, for better security.
Here's a link to KubeAudit on Github
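As an added illustration (a manifest I constructed for this post, not kubeaudit's own output), here is the kind of Pod spec that `kubeaudit all -f pod.yaml` flags, followed by the same Pod hardened along the lines the auto-fix mode suggests:

```yaml
# Before: constructed example. kubeaudit flags the privileged container,
# the root user, the writable root filesystem, the unrestricted
# capabilities, the missing resource limits and the auto-mounted
# service account token.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
    - name: web
      image: nginx:1.25
      securityContext:
        privileged: true
---
# After: the same Pod with every default explicitly tightened.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  automountServiceAccountToken: false   # asat check: no API token unless needed
  containers:
    - name: web
      image: nginx:1.25
      securityContext:
        privileged: false                # privileged check
        allowPrivilegeEscalation: false  # privesc check
        runAsNonRoot: true               # nonroot check
        readOnlyRootFilesystem: true     # rootfs check
        capabilities:
          drop: ["ALL"]                  # capabilities check
        seccompProfile:
          type: RuntimeDefault           # seccomp check
      resources:
        limits:                          # limits check
          cpu: "500m"
          memory: "256Mi"
```

Run `kubeaudit all -f` against both documents to see the findings disappear; a container image that needs a writable path can keep `readOnlyRootFilesystem: true` by mounting an `emptyDir` volume for that path.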
Polaris
Polaris is a policy-management tool for Kubernetes from Fairwinds. It works as a set of AdmissionControl checks that has rules for a set of security, networking and general best practices in a Kubernetes cluster, and rejects resources that violate these rules. This is akin to PodSecurityPolicy, but unlike a PodSecurityPolicy, Polaris has simpler (and fewer) rules. What wins out for Polaris is that it has a nice UI dashboard that you can use to visualize the overall health of your Kubernetes cluster based on these checks.
In addition, you can leverage the Polaris CLI to perform CI/CD checks against a cluster and set up thresholds for failed builds, etc., which sets it apart from similar tools that you need to DIY to a large extent.
Here's a link to Polaris on Github
Gatekeeper from Open Policy Agent
I have always loved Open Policy Agent. It's truly one of those frameworks that have incredible extensibility and malleability for a variety of operating environments, including API, OS policy management and container runtime management. While Gatekeeper can be used similarly to Polaris, the onus of writing and maintaining policies is really on you (with Open-Policy-Agent policies written in Rego). However, OPA is really popular and you should be able to easily find and customize rules that others have composed to make them your own.
In addition, I really like the Audit functionality within Gatekeeper, which helps you build out a complete audit trail of violations of the policy rules that are in force.
Here's a link to Gatekeeper on Github
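To show what "writing the policy yourself" looks like, here is an added example of my own (not from the Gatekeeper project): a ConstraintTemplate whose Rego denies privileged containers, and a Constraint that applies it to Pods. The template and constraint names are mine.

```yaml
# ConstraintTemplate: defines the policy logic (Rego) and the new
# Constraint kind, K8sDenyPrivileged, that Gatekeeper will register.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sDenyPrivileged
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyprivileged

        # One violation per container (regular or init) that asks
        # for privileged mode. input.review.object is the admitted Pod.
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          msg := sprintf("container %v must not be privileged", [c.name])
        }
        violation[{"msg": msg}] {
          c := input.review.object.spec.initContainers[_]
          c.securityContext.privileged == true
          msg := sprintf("initContainer %v must not be privileged", [c.name])
        }
---
# Constraint: an instance of the template, scoped to Pods outside
# kube-system. Switch enforcementAction to "dryrun" to only record
# violations in the Constraint's status (what the Audit feature reports)
# without rejecting anything.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyPrivileged
metadata:
  name: deny-privileged-pods
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

After applying both, `kubectl get k8sdenyprivileged deny-privileged-pods -o yaml` shows the audit results under `status.violations` for Pods that already existed before the policy.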
Audit2RBAC
RBAC can be a giant PitA, especially when you want to really get least privilege right. Audit2RBAC is a small utility that helps you identify the right RBAC policy for your resources based on the Kubernetes audit log. It takes the audit log as input and generates a reasonably good RBAC policy for the resources you're working with.
Here's a link to Audit2RBAC on Github
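As an added worked example (constructed by me, not audit2rbac output), this is the mapping the tool performs: an audit event recorded for a service account, and the Role and RoleBinding that grant exactly the observed verb on the observed resource. The namespace and account names are made up.

```yaml
# Constructed audit event, in the audit.k8s.io/v1 shape the kube-apiserver
# writes: the "checkout" service account in namespace "shop" listed ConfigMaps.
kind: Event
apiVersion: audit.k8s.io/v1
level: Metadata
stage: ResponseComplete
verb: list
user:
  username: system:serviceaccount:shop:checkout
objectRef:
  resource: configmaps
  namespace: shop
  apiVersion: v1
responseStatus:
  code: 200
---
# Derived Role: one rule per (apiGroup, resource, verb) seen in the log.
# The core API group is spelled "" in RBAC rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: checkout
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list"]
---
# Derived RoleBinding: ties the Role to the subject seen in user.username.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: checkout
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: checkout
subjects:
  - kind: ServiceAccount
    name: checkout
    namespace: shop
```

The generated policy only covers actions that actually occurred while the log was captured, so exercise every code path before trusting it; `kubectl auth can-i list configmaps -n shop --as=system:serviceaccount:shop:checkout` confirms the binding does what you expect.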
Kube-Hunter
If you're a pentester or red-teamer, this is a tool you don't want to miss. Kube-hunter is an offensive tool from Aquasec that helps you offensively explore Kubernetes clusters. It has a plethora of checks that you can use to identify and exploit vulnerabilities in your Kubernetes clusters, remotely or locally. The tool, like its orientation, is meant to identify AND exploit, so don't use this lightly, and more importantly, not without authorization to do so.
Additionally, what I like about it (a little extra) is that it is one of the few Kubernetes tools written in Python, and since my team largely consists of *py devs, it is easier for us to extend it if required in a client engagement.
Here's a link to Kube-Hunter on Github
Kube-Bench
Kube-bench is a handy utility that runs a series of benchmark tests based on the guidelines for Kubernetes security from the Center for Internet Security (CIS). It can be used to detect insecure, open default settings and improper user authentication and authorization, and to highlight insecure data in transit and at rest. Kube-bench, written as a Go application, is deployable as a container. Ready-made job.yaml files make it easy to run Kube-bench inside a Kubernetes cluster or on a managed Kubernetes service, such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or OpenShift.