Kubernetes is an open-source container orchestration system that automates the management, scaling, and deployment of applications. The Cloud Native Computing Foundation now maintains it after Google originally designed it.
In a nutshell, Docker is a containerization platform and Kubernetes is a container orchestrator. AWS EKS, Azure AKS, and Google GKE are among the best-known managed Kubernetes offerings run by cloud providers. The sections below cover open-source tools for security auditing, hardening Kubernetes clusters, and enforcing runtime security.
1. Kube Hunter
Kube Hunter is developed by Aqua Security (Aquasec). It is open source and also ships as a container image, which makes it simple to run. Used together with the kube-hunter website, the containerized version also makes it easy to view the results and share them with your team. The tool is simple to use: all it needs is an IP address before the automated checks start producing results. Enter your email address on the kube-hunter website and you receive a Docker command that carries a token. Run that command anywhere Docker is installed and you are prompted for the address of the cluster to test. Once the tests finish, you get a unique URL (tied to that token) for viewing the results, which you can pass on to anyone else who needs to see them.
2. Kubestriker: A Blazing fast security auditing tool for Kubernetes
Kubestriker runs a number of in-depth tests against Kubernetes infrastructure to uncover the security issues and difficulties that DevOps engineers and developers may run into while using Kubernetes, especially in production and at scale.
Features:
- Examines both self-managed and cloud-provider-managed Kubernetes infrastructure
- Checks for exposed services and open ports during the reconnaissance phase
- Runs automatic checks for active insecure, read-only, or read-write services
- Performs both authenticated and unauthenticated scans
- Checks the cluster for a variety of IAM (Identity and Access Management) misconfigurations
- Checks for a variety of misconfigured containers
- Checks for a variety of misconfigured pod security policies
- Checks for a variety of misconfigured network policies
- Checks a subject's permissions within the cluster
- Executes commands on the containers and returns the results
- Lists the endpoints of the misconfigured services
- Reports potential privilege escalation paths
- Produces a comprehensive report with thorough justification
3. Kdigger
Kdigger, short for "Kubernetes digger", is a context discovery tool for Kubernetes penetration testing. It is made up of a collection of plugins called buckets that make it easier to assess a cluster from inside a pod. The capabilities of kdigger are:
- Guess the container runtime.
- List your capabilities.
- Check the namespace configuration and whether namespaces are active.
- Check which syscalls are permitted.
- Retrieve the service account token.
- Check the token's permissions.
- Enumerate interesting environment variables.
- List the available devices.
- List all the services the cluster offers.
- Scan the admission controller chain.
Link: https://github.com/quarkslab/kdigger
4. Kubeaudit
Kubeaudit, an open source tool created by Shopify, audits Kubernetes deployments. It supports three operating modes: manifest, cluster, and local. It sets itself apart from similar tools by being able to auto-fix manifests. In local mode, kubeaudit by default connects to the Kubernetes cluster using the configuration in $HOME/.kube/config. Kubeaudit also ships a variety of auditing profiles, such as apparmor, capabilities, limits, privileged, rootfs, seccomp, netpols, and asat.
Among other things, kubeaudit checks that containers:
- run as a non-root user
- use a read-only root filesystem
- drop dangerous capabilities
- do not run in privileged mode
Link: https://github.com/Shopify/kubeaudit
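As an added illustration of what those four checks mean in a manifest (this is a constructed example, not a manifest from the kubeaudit project), here is a Pod that fails all of them, followed by a hardened equivalent that passes them. The Pod names, the image reference and the user/group id are placeholders.

```yaml
# Constructed example: a Pod that trips all four kubeaudit checks named above.
apiVersion: v1
kind: Pod
metadata:
  name: weak-pod                          # placeholder name
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0 # placeholder image
      securityContext:
        privileged: true                  # privileged mode (full host access)
        runAsUser: 0                      # runs as root
        capabilities:
          add: ["SYS_ADMIN"]              # dangerous capability added, nothing dropped
        # readOnlyRootFilesystem is omitted, so the root filesystem is writable
---
# Hardened equivalent: same application, but non-root, read-only root filesystem,
# all capabilities dropped and no privileged mode. A writable emptyDir is mounted
# at /tmp because a read-only root filesystem breaks applications that must write
# scratch files; mount only the paths the application actually needs.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod                      # placeholder name
spec:
  securityContext:
    runAsNonRoot: true                    # kubelet refuses to start the container as uid 0
    runAsUser: 10001                      # placeholder unprivileged uid
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault                # also satisfies the seccomp auditor
  containers:
    - name: app
      image: registry.example.com/app:1.0 # placeholder image
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # blocks setuid binaries from gaining privileges
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]                   # start from nothing; add back only what is needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Saving the first document as weak-pod.yaml and running kubeaudit in manifest mode (`kubeaudit all -f weak-pod.yaml`) reports the four findings; `kubeaudit autofix -f weak-pod.yaml` rewrites the manifest in place. Review the auto-fixed result before deploying it: a read-only root filesystem or a dropped capability can break an application that silently depended on it, and the fix for that is a targeted volume mount or a single added capability, not reverting the whole securityContext.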
5. Kube-bench
Kube-bench is an open source program that checks whether Kubernetes is deployed securely by running the checks from the CIS Kubernetes Benchmark, a list of Kubernetes security best practices. As a result, kube-bench is the right fit when only CIS benchmark scanning is needed.
Kube-bench can be run inside a pod. The GitHub repository provides cloud-specific job-<cloud provider>.yaml files, and kube-bench automatically selects which test set to run based on the Kubernetes version installed on the machine.
Link: https://github.com/aquasecurity/kube-bench
6. Kubescape
Kubescape is an open source program that verifies that Kubernetes is deployed in line with DevSecOps best practices and nearly all major compliance frameworks, such as the NSA-CISA hardening guidance and MITRE ATT&CK®. Kubescape can also be integrated into CI pipelines.
Link: https://github.com/armosec/kubescape
7. Sysdig Falco
Sysdig Falco is an open source runtime security tool that Kubernetes clusters use to continuously detect risks and threats. It works like a security camera, recognizing unusual behavior, configuration changes, intrusions, and data theft in real time. At the time of writing, Sysdig Falco is the only open source Kubernetes runtime security product that has been accepted by the CNCF.
Falco lets you write your own plugins and includes all the key features offered by its commercial rivals. Falco ingests the raw stream of system call information through a driver, either a kernel module or an eBPF probe. On Kubernetes nodes, Falco can be deployed as a DaemonSet, which lets it track activity and emit real-time security alerts in JSON format through stdout, HTTP hooks, and syslog.
Link: https://github.com/falcosecurity/falco
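As an added example, not part of the original page or of the Falco project's default ruleset, here is a custom rule that detects an interactive shell being started inside a container, one of the "unusual behaviors" the section refers to. The condition is written with raw Falco fields rather than the macros from the default ruleset so that it loads on its own; the rule name and tags are my own choice.

```yaml
# Constructed example rule (not from the Falco default ruleset).
# Fires when a shell with an attached terminal is executed inside a container.
# Expected during legitimate "kubectl exec" debugging, which is why it is a
# WARNING rather than CRITICAL; tune the shell list and priority to your cluster.
- rule: Interactive shell spawned in container
  desc: >
    An interactive shell (bash, sh, ...) was started inside a container.
    Normal only during manual debugging; otherwise a sign of a compromised pod.
  condition: >
    evt.type in (execve, execveat) and evt.dir = <
    and container.id != host
    and proc.name in (bash, sh, dash, zsh, ash)
    and proc.tty != 0
  output: >
    Interactive shell in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container_id=%container.id image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, k8s]
```

Save this as, for example, custom_rules.yaml and load it with `falco -r custom_rules.yaml` (or add the path to `rules_file` in falco.yaml). With `json_output: true` set in falco.yaml, each match arrives on stdout as one JSON object carrying the rule name, priority, and the output fields above, which is the form the section describes for forwarding to HTTP hooks or syslog.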
8. Clair
Clair is a free tool for scanning containers for vulnerabilities. It can be used in a variety of deployment scenarios, although it is best suited to deployments that need high scalability and availability. Clair offers HTML scan reports and a REST API. Amazon Elastic Container Registry (Amazon ECR) compiles its list of findings using the Clair project's CVE database.