If you’re looking for a role in cyber security, be sure to apply for Upward Spiral or check out what we’re about.

What is Kubernetes?

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.

Cloud Native Computing Foundation (CNCF) is a vendor-neutral home for many of the fastest-growing open source projects.

Kubernetes enables higher-velocity software development at a lower cost than traditional infrastructure. Cloud native — orchestrating containers as part of a microservices architecture — is a departure from traditional application design.

Kubernetes is a very popular container orchestration system. It became one of the fastest-growing projects in the history of open source and forms a significant portion of many organisations’ compute stacks.

Alongside those benefits, Kubernetes introduces new security challenges. Given how essential it has become to many organisations, it requires constant attention to manage the many security uncertainties that arise in containerised environments.

Introduction

Kubernetes is incredibly popular as a tool, so new tools, both open source and commercial, are constantly being released around it. Some time ago I read an article on security tools to support Kubernetes implementations and felt it important to provide an updated take, as the tools have continued to develop.

These tools are commonplace, for two obvious reasons:

  • Kubernetes is a challenging beast even for experienced practitioners; and
  • Kubernetes admission control, through the ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources, lets an external service see every API request of the kinds it registers for before the object is persisted, and either reject it (validating) or patch it (mutating). That hook is what makes it possible to build valuable security integrations for Kubernetes, and why a tool such as Polaris below can run as an admission webhook.
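To make the admission-control point concrete, here is the decision logic of a validating webhook, written for this post as an added example (it is not code from any tool on this list). It assumes a ValidatingWebhookConfiguration has been registered separately to send Pod CREATE/UPDATE requests to it; the pod policy (no hostPID/hostIPC/hostNetwork, no privileged containers, no hostPath volumes), the sample requests and the uids are constructed for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example (not code from any tool on this list): the decision logic of a
# validating admission webhook. A ValidatingWebhookConfiguration, assumed to be
# registered separately for pods on CREATE/UPDATE, makes the API server POST an
# AdmissionReview here and wait for the verdict.


def pod_violations(pod):
    """Return the policy violations found in a Pod object (empty = compliant)."""
    spec = pod.get("spec", {})
    problems = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            problems.append(f"spec.{flag} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')!r} must not use hostPath")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            problems.append(f"container {c.get('name')!r} must not run privileged")
    return problems


def review(admission_review):
    """Build the AdmissionReview response for an incoming AdmissionReview request."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}   # the uid must be echoed back
    is_pod = req.get("kind", {}).get("kind") == "Pod"
    if is_pod and req.get("operation") in ("CREATE", "UPDATE"):
        problems = pod_violations(req["object"])
        if problems:
            response["allowed"] = False
            response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint for the API server; must sit behind TLS in a real deployment."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(review(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


def make_review_request(uid, pod_spec):
    """Construct an AdmissionReview request shaped like the API server's."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "namespace": "default",
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "example"},
                                   "spec": pod_spec}}}


# Constructed sample pod specs (not real traffic).
PRIVILEGED_POD = {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True}}],
}
HARDENED_POD = {
    "containers": [{"name": "app", "image": "nginx:1.25",
                    "securityContext": {"privileged": False, "runAsNonRoot": True}}],
}

if __name__ == "__main__":
    for uid, spec in (("req-1", PRIVILEGED_POD), ("req-2", HARDENED_POD)):
        print(json.dumps(review(make_review_request(uid, spec))["response"]))
    # To serve for real: wrap the listening socket with ssl.SSLContext, then
    # HTTPServer(("", 8443), WebhookHandler).serve_forever()
```

The API server only talks to webhooks over HTTPS and treats an unreachable webhook according to the configuration’s failurePolicy (Fail blocks the request, Ignore lets it through), so in a real deployment you scope the webhook with namespaceSelector or objectSelector so that a crashed webhook cannot lock you out of kube-system.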

This is by no means a comprehensive list of all Kubernetes security tools, but a list of some of the best open source tools available.

Audit2RBAC

audit2rbac is a small utility that derives the right role-based access control (RBAC) policy for a user or service account from the Kubernetes audit log. It takes the audit log as input, filters it to the principal you name, and generates Role/ClusterRole objects and bindings that cover exactly the API requests that principal actually made. It needs audit logging to be enabled on the API server first, which is not the default on most clusters.

audit2rbac can be somewhat fiddly as you pursue greater granularity and control of privilege, and the result is only as good as the capture: a code path that did not run while the log was collected gets no permission, so either capture across a full release cycle or expect to iterate.
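What audit2rbac does can be seen in miniature with the following script, an added example written for this post rather than audit2rbac’s own code. It assumes the API server writes its audit log as JSON lines (audit.k8s.io/v1 Event objects, enabled with --audit-policy-file and --audit-log-path) and uses a constructed log for an assumed service account named scraper in the monitoring namespace.

```python
import json
from collections import defaultdict

# Added example (not audit2rbac's code): derive RBAC rules for one principal from
# the API server audit log. Assumes JSON-lines audit output (audit.k8s.io/v1
# Event objects), which requires --audit-policy-file and --audit-log-path on the
# API server.

SCRAPER = "system:serviceaccount:monitoring:scraper"   # assumed principal


def _event(user, verb, resource, namespace=None, group="", subresource=None,
           stage="ResponseComplete", code=200):
    """Build one constructed audit event with just the fields this script reads."""
    ref = {"resource": resource, "apiGroup": group, "apiVersion": "v1"}
    if namespace:
        ref["namespace"] = namespace
    if subresource:
        ref["subresource"] = subresource
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "stage": stage, "verb": verb, "user": {"username": user},
            "objectRef": ref, "responseStatus": {"code": code}}


# Constructed audit log: the scraper lists/watches pods, reads pod logs and nodes,
# and is denied on secrets; another user's request and a non-resource request
# are there to be filtered out.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event(SCRAPER, "list", "pods", "monitoring", stage="RequestReceived"),
    _event(SCRAPER, "list", "pods", "monitoring"),
    _event(SCRAPER, "watch", "pods", "monitoring"),
    _event(SCRAPER, "get", "pods", "monitoring", subresource="log"),
    _event(SCRAPER, "get", "nodes"),
    _event(SCRAPER, "get", "secrets", "monitoring", code=403),
    _event("jane", "create", "deployments", "dev", group="apps"),
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "requestURI": "/healthz", "user": {"username": SCRAPER},
     "responseStatus": {"code": 200}},
])


def derive_rbac(audit_log, username, include_denied=True):
    """Collect the verbs `username` used, keyed by namespace, API group and resource.

    Returns (namespaced, cluster): namespaced[ns][(group, resource)] and
    cluster[(group, resource)] are sets of verbs. Denied (403) requests are kept
    by default because they show what the workload needed but did not have.
    """
    namespaced = defaultdict(lambda: defaultdict(set))
    cluster = defaultdict(set)
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":          # one record per request
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef")
        if not ref:                                        # non-resource URL (/healthz, /version)
            continue
        if not include_denied and ev.get("responseStatus", {}).get("code") == 403:
            continue
        resource = ref["resource"]
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]           # pods/log, pods/exec, ...
        key = (ref.get("apiGroup", ""), resource)
        if ref.get("namespace"):
            namespaced[ref["namespace"]][key].add(ev["verb"])
        else:
            cluster[key].add(ev["verb"])
    return namespaced, cluster


def to_rules(verbs_by_key):
    """Render {(group, resource): verbs} as RBAC rules, one rule per resource."""
    return [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
            for (group, resource), verbs in sorted(verbs_by_key.items())]


def build_manifests(username, namespaced, cluster, name="audit-derived"):
    """Emit a Role+RoleBinding per namespace and a ClusterRole+ClusterRoleBinding."""
    rbac = "rbac.authorization.k8s.io"
    if username.startswith("system:serviceaccount:"):
        _, _, ns, sa = username.split(":")
        subject = {"kind": "ServiceAccount", "name": sa, "namespace": ns}
    else:
        subject = {"kind": "User", "name": username, "apiGroup": rbac}
    out = []
    for ns, verbs_by_key in sorted(namespaced.items()):
        out.append({"apiVersion": rbac + "/v1", "kind": "Role",
                    "metadata": {"name": name, "namespace": ns},
                    "rules": to_rules(verbs_by_key)})
        out.append({"apiVersion": rbac + "/v1", "kind": "RoleBinding",
                    "metadata": {"name": name, "namespace": ns},
                    "roleRef": {"apiGroup": rbac, "kind": "Role", "name": name},
                    "subjects": [subject]})
    if cluster:
        out.append({"apiVersion": rbac + "/v1", "kind": "ClusterRole",
                    "metadata": {"name": name}, "rules": to_rules(cluster)})
        out.append({"apiVersion": rbac + "/v1", "kind": "ClusterRoleBinding",
                    "metadata": {"name": name},
                    "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": name},
                    "subjects": [subject]})
    return out


if __name__ == "__main__":
    ns_verbs, cluster_verbs = derive_rbac(AUDIT_LOG, SCRAPER)
    print(json.dumps(build_manifests(SCRAPER, ns_verbs, cluster_verbs), indent=2))
```

Two design points worth noticing: cluster-scoped resources (nodes here) have no namespace in objectRef and must go into a ClusterRole rather than a Role, and the denied secrets request is reported so you can decide whether the workload legitimately needs it, rather than silently widening the policy.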

Here is a link to audit2rbac on GitHub

KubeAudit

KubeAudit was built by the team at Shopify, and it has the polish you would expect from an engineering team that runs one of the largest e-commerce platforms. It is a set of auditors that assess Kubernetes clusters and manifests for security weaknesses.

KubeAudit is exceptional at uncovering major and minor security issues in clusters.

KubeAudit can be used both as a CLI and as a Go library, to encourage integrations. It checks your manifests and, in autofix mode, writes out a more security-hardened version of the manifest. Often it sets a bar higher than you are willing to maintain, but it does a great job of giving you ample opportunity to implement changes for better security.

The community keeps KubeAudit constantly updated and continues to add features. Manifest mode, for instance, allows KubeAudit to be used as a static analyzer against Kubernetes YAML manifests (kubeaudit all -f manifest.yaml to report, kubeaudit autofix -f manifest.yaml to rewrite), which makes it a natural fit for a pre-commit hook or CI job.
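A manifest-mode audit with autofix, in the spirit of KubeAudit, as an added example written for this post (it is not KubeAudit’s code and covers only a handful of its auditors; the Deployment dict stands in for a parsed YAML file and is constructed):

```python
import copy

# Added example (not kubeaudit's code): a manifest-mode audit with autofix in the
# spirit of kubeaudit, covering only a handful of its auditors. The manifest is a
# dict; a real run would yaml.safe_load the file first.

# Container securityContext values expected on every container.
CONTAINER_DEFAULTS = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
}


def _pod_spec(manifest):
    """Return the pod spec of a Pod or of a template-bearing workload (Deployment, Job...)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _image_unpinned(image):
    """True for no tag, :latest, or a colon that is only a registry port."""
    name, _, tag = image.rpartition(":")
    return not name or tag == "latest" or "/" in tag


def audit(manifest):
    """Return findings as 'where: problem' strings without touching the manifest."""
    spec = _pod_spec(manifest)
    findings = []
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken should be false unless the API is used")
    seccomp = ((spec.get("securityContext") or {}).get("seccompProfile") or {}).get("type")
    if seccomp != "RuntimeDefault":
        findings.append("pod: securityContext.seccompProfile.type should be RuntimeDefault")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if _image_unpinned(c.get("image", "")):
            findings.append(f"{c['name']}: image should be pinned to a tag or digest")
        for key, want in CONTAINER_DEFAULTS.items():
            if sc.get(key) != want:
                findings.append(f"{c['name']}: securityContext.{key} should be {str(want).lower()}")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{c['name']}: securityContext.capabilities.drop should include ALL")
    return findings


def autofix(manifest):
    """Return a hardened copy. Only missing settings are filled in; an explicit
    insecure value (say allowPrivilegeEscalation: true) is left for a human and
    keeps showing up in audit()."""
    fixed = copy.deepcopy(manifest)
    spec = _pod_spec(fixed)
    spec.setdefault("automountServiceAccountToken", False)
    pod_sc = spec.get("securityContext") or {}
    spec["securityContext"] = pod_sc
    if not pod_sc.get("seccompProfile"):
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        c["securityContext"] = sc
        for key, want in CONTAINER_DEFAULTS.items():
            sc.setdefault(key, want)
        caps = sc.get("capabilities") or {}
        sc["capabilities"] = caps
        drop = caps.get("drop") or []
        caps["drop"] = drop
        if "ALL" not in drop:
            drop.append("ALL")
        # An image tag cannot be guessed, so that finding survives the autofix.
    return fixed


# Constructed Deployment with one pinned and one unpinned image.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}},
             "template": {"metadata": {"labels": {"app": "web"}},
                          "spec": {"containers": [
                              {"name": "web", "image": "nginx:1.25"},
                              {"name": "sidecar", "image": "busybox"}]}}},
}

if __name__ == "__main__":
    print("\n".join(audit(DEPLOYMENT)))
    print("after autofix:", audit(autofix(DEPLOYMENT)))
```

The residual findings after autofix are the decisions a human still has to make: here the unpinned sidecar image, and in general any explicit insecure setting that the fixer deliberately refuses to override. Treat readOnlyRootFilesystem and runAsNonRoot as defaults to argue down from, not up to, since an application that genuinely needs to write or to run as root will fail at startup rather than silently.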

Here is a link to KubeAudit on GitHub

Kube-Bench

Kube-bench is a Go application that runs as a binary on a node or as a container. Pre-made job.yaml files are provided to run it as a Kubernetes Job in a cluster, including on managed Kubernetes services such as Azure Kubernetes Service (AKS). It is easy to implement and use. One caveat on managed services: the control plane is operated by the provider and its configuration is not accessible to you, so only the node-level checks are meaningful there.

Kube-bench runs the checks defined in the CIS Kubernetes Benchmark from the Center for Internet Security (CIS) against the control plane and node configuration. It detects insecure, open default settings (an anonymously reachable kubelet, a permissive authorization mode), weak authentication and authorization configuration, and missing protection for data in transit and at rest (TLS between components, encryption of Secrets in etcd). The output is a pass/fail/warn per check with a remediation hint, not a fix; acting on it is still on you.
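A few of the kubelet checks from the CIS Kubernetes Benchmark, written for this post as an added example of what kube-bench evaluates on a node (it is not kube-bench’s code). The check numbers follow the benchmark’s kubelet section (4.2.x) as numbered in recent releases, so confirm them against the benchmark version your kube-bench run targets; the kubelet configurations are constructed.

```python
# Added example (not kube-bench's code): a handful of the kubelet checks from the
# CIS Kubernetes Benchmark, run against a KubeletConfiguration dict. Check ids
# follow the benchmark's kubelet section (4.2.x) in recent releases; verify them
# against the benchmark version your kube-bench run targets.


def _get(cfg, path, default=None):
    """Read a dotted path such as 'authentication.anonymous.enabled'."""
    cur = cfg
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# (id, description, predicate that is True when compliant, remediation).
# The defaults handed to _get reflect the kubelet's documented defaults when
# the field is absent, so an unset field is judged the way the kubelet behaves.
KUBELET_CHECKS = [
    ("4.2.1", "anonymous requests to the kubelet API are disabled",
     lambda c: _get(c, "authentication.anonymous.enabled", True) is False,
     "set authentication.anonymous.enabled: false"),
    ("4.2.2", "authorization mode is not AlwaysAllow",
     lambda c: _get(c, "authorization.mode", "AlwaysAllow") != "AlwaysAllow",
     "set authorization.mode: Webhook"),
    ("4.2.3", "a client CA is configured so API server requests can be authenticated",
     lambda c: bool(_get(c, "authentication.x509.clientCAFile")),
     "set authentication.x509.clientCAFile"),
    ("4.2.4", "the unauthenticated read-only port is disabled",
     lambda c: _get(c, "readOnlyPort", 0) == 0,
     "set readOnlyPort: 0"),
    ("4.2.6", "kernel defaults are protected",
     lambda c: _get(c, "protectKernelDefaults", False) is True,
     "set protectKernelDefaults: true"),
]


def run_checks(cfg, checks=KUBELET_CHECKS):
    """Return [(id, 'PASS' | 'FAIL', description, remediation)] for a config."""
    return [(cid, "PASS" if test(cfg) else "FAIL", desc, fix)
            for cid, desc, test, fix in checks]


def summary(results):
    """Count results by status, like the totals kube-bench prints."""
    return {"PASS": sum(r[1] == "PASS" for r in results),
            "FAIL": sum(r[1] == "FAIL" for r in results)}


# Constructed kubelet configurations.
INSECURE_KUBELET = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}
HARDENED_KUBELET = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
    "protectKernelDefaults": True,
}

if __name__ == "__main__":
    for cid, status, desc, fix in run_checks(INSECURE_KUBELET):
        print(f"[{status}] {cid} {desc}" + (f" -> {fix}" if status == "FAIL" else ""))
    print(summary(run_checks(INSECURE_KUBELET)))
```

A node that fails 4.2.1, 4.2.2 and 4.2.4 together is exposing an unauthenticated kubelet API on the network, which is exactly what kube-hunter, further down this list, looks for from the attacker’s side.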

Here is a link to Kube-bench on GitHub

Kube-Hunter

Kube-hunter is an offensive tool (written in Python, which is handy for extending it) from Aqua Security that explores Kubernetes clusters the way an attacker would. If you’re a pentester, red-teamer or otherwise on the offensive side, this is a tool you can’t do without. It has just about everything you need to identify vulnerabilities in your clusters, whether run remotely, from a machine inside the network, or from inside a pod, and in active mode it will attempt to exploit what it finds. Active mode changes cluster state, so only point it at clusters you own or are authorised to test.

The tool, true to its orientation, is meant to identify and exploit. It is also a great tool for red-teaming your way to success in Kubernetes-hosted CTFs (if we get enough feedback, I might write up how to do this).

Here is a link to Kube-hunter on GitHub

Polaris

Polaris is a policy-management tool for Kubernetes from Fairwinds. It is essentially a set of checks covering security, networking, resource and general best practices in a Kubernetes cluster, and it can run as a dashboard, as a validating admission webhook that rejects resources violating those checks, or as a CLI. It’s not complex but highly valuable.

This is akin to PodSecurityPolicy (deprecated since Kubernetes 1.21 and removed in 1.25), but unlike a PodSecurityPolicy, Polaris has a more user-friendly rules approach and covers more than pod security. It also has a much nicer user interface for visualising the overall health of the cluster based on the checks.

Finally, it can be leveraged to perform CI/CD checks against your manifests (or a running cluster) and set thresholds that fail the build: a minimum score, or any finding at danger level (the polaris audit flags --set-exit-code-below-score and --set-exit-code-on-danger). This automates a lot of the QA work you would otherwise be doing manually.

Here is a link to Polaris on GitHub.

Vault by Hashicorp

When you start learning and using Kubernetes for the first time you discover that there is a special object called Secret that is designed for storing various kinds of confidential data. When you look closer you find it is very similar to a ConfigMap: the values are only base64-encoded, so anyone who can read the object (kubectl get secret -o yaml) can read the data, and it is stored unencrypted in etcd unless you configure encryption at rest on the API server (an EncryptionConfiguration with a provider such as aescbc or an external KMS). On its own it isn’t super secure.

On top of that, managing these Secret object definitions (e.g. YAML files) is not a fun or easy task, and committing them to a repository is a common way to leak them.

This is what Vault is for. It is a project designed to store and control access to confidential data, it does that one job well, and it has many features specific to Kubernetes environments: a Kubernetes auth method that lets a pod authenticate with its own service account token, a Vault Agent injector that delivers secrets into pods as a sidecar, and a CSI provider that mounts them as files, so the application never has to handle Vault tokens or long-lived credentials itself.
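The Kubernetes auth flow from the pod’s point of view, as an added example written for this post (it is not Vault’s or any Vault client library’s code). It assumes Vault at https://vault.example:8200, a Kubernetes auth role named myapp bound to the pod’s service account, and a KV v2 engine mounted at secret holding the key myapp/config; the endpoints and reply shapes are those of the Vault HTTP API, while the reply contents and the JWT are constructed.

```python
import json
import urllib.request

# Added example (not Vault's or any Vault client library's code): a pod obtaining
# a secret through Vault's Kubernetes auth method. Assumed: Vault at VAULT_ADDR,
# an auth role "myapp" bound to the pod's service account, and a KV v2 engine
# mounted at "secret" holding "myapp/config". Endpoints and reply shapes are
# those of the Vault HTTP API; the reply contents below are constructed.

VAULT_ADDR = "https://vault.example:8200"
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def login_request(vault_addr, role, jwt):
    """POST /v1/auth/kubernetes/login: trade the service account JWT for a Vault token."""
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return urllib.request.Request(f"{vault_addr}/v1/auth/kubernetes/login", data=body,
                                  headers={"Content-Type": "application/json"},
                                  method="POST")


def parse_login_response(body):
    """Return (client_token, lease_duration_seconds, renewable) from the login reply."""
    auth = json.loads(body)["auth"]
    return auth["client_token"], auth["lease_duration"], auth.get("renewable", False)


def kv_read_request(vault_addr, token, path, mount="secret"):
    """GET /v1/<mount>/data/<path>: read the latest version from a KV v2 engine."""
    return urllib.request.Request(f"{vault_addr}/v1/{mount}/data/{path}",
                                  headers={"X-Vault-Token": token}, method="GET")


def parse_kv_response(body):
    """KV v2 nests the key/value pairs under data.data; data.metadata has the version."""
    return json.loads(body)["data"]["data"]


def fetch_secret(vault_addr, role, path, jwt=None, send=urllib.request.urlopen):
    """Full flow: service account JWT -> Vault token -> secret.

    `send` takes a urllib Request and returns a response with .read(); it is
    injectable so the exchange can be exercised without a Vault server.
    """
    if jwt is None:
        with open(SA_TOKEN_PATH) as f:      # projected by Kubernetes into every pod
            jwt = f.read().strip()
    with send(login_request(vault_addr, role, jwt)) as resp:
        token, _ttl, _renewable = parse_login_response(resp.read())
    with send(kv_read_request(vault_addr, token, path)) as resp:
        return parse_kv_response(resp.read())


# Constructed replies in the shape Vault returns them (all values made up).
LOGIN_REPLY = json.dumps({
    "auth": {"client_token": "hvs.CAESIexampletoken", "accessor": "example-accessor",
             "policies": ["default", "myapp"], "lease_duration": 3600, "renewable": True,
             "metadata": {"role": "myapp", "service_account_name": "myapp",
                          "service_account_namespace": "prod"}}})
KV_REPLY = json.dumps({
    "data": {"data": {"db_user": "app", "db_password": "s3cr3t"},
             "metadata": {"version": 3, "destroyed": False}}})


class _CannedReply:
    """Stand-in for urlopen's response: supports .read() and the with-statement."""
    def __init__(self, body):
        self._body = body.encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def _fake_vault(req):
    """Offline stand-in for urlopen that answers the two requests as Vault would."""
    if req.full_url == f"{VAULT_ADDR}/v1/auth/kubernetes/login" and req.get_method() == "POST":
        return _CannedReply(LOGIN_REPLY)
    if req.get_header("X-vault-token") == "hvs.CAESIexampletoken":   # urllib capitalises header names
        return _CannedReply(KV_REPLY)
    raise PermissionError("missing or invalid X-Vault-Token")


def demo():
    """Run the exchange end to end against the canned Vault."""
    return fetch_secret(VAULT_ADDR, "myapp", "myapp/config",
                        jwt="eyJhbGciOiJSUzI1NiJ9.constructed.jwt", send=_fake_vault)
```

The Vault token returned by the login has a lease (3600 seconds in the constructed reply) and must be renewed or re-obtained before it expires, which is the chore the Vault Agent injector takes off the application; and because the role is bound to a specific service account name and namespace on the Vault side, stealing the JWT from one pod does not let you log in as a role bound to a different service account.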

Here is a link to Vault on GitHub.


Guest Author 11/25/2021