Looking to validate the security of your Kubernetes environments?
In this page we have gathered a series of tools to analyze:
The security of your Kubernetes clusters
The best practices and misconfigurations of your Kubernetes Deployment codes
The presence of secrets in your code
The security level of the container image
There are plenty of tools out there, but we focus on open-source tools that have a good reputation or many stars on GitHub.
Here we will not provide detailed user or installation guides. The aim is to centralise a list of tools that may be useful to you.
Kubernetes Security and Compliance Tools
Kubescape
An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters
Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark).
Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
kubescape scan --enable-host-scan --verbose
Kube-hunter
kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!
Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.
Remote scanning (the attacker's-eye view):
kube-hunter --remote mycluster.mydomain.com
kube-hunter --remote 195.12.11.10
Scan from the local subnet:
kube-hunter --interface
kube-hunter --cidr 192.168.1.0/24
kube-hunter --k8s-auto-discover-nodes --kubeconfig ~/.kube/config
Output example
Kube-bench
kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
The tool is really easy to use and does not have many options. It simply gives you the result of the analysis as long as it has access to the cluster.
export KUBECONFIG=~/.kube/config
kube-bench
kube-bench --unscored=false
Output example
Sonobuoy
Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of plugins (including Kubernetes conformance tests) in an accessible and non-destructive manner. It is a customizable, extendable, and cluster-agnostic way to generate clear, informative reports about your cluster.
This comprehensive tool performs a thorough analysis of your Kubernetes clusters and outputs a report as an archive. The review of a cluster can take from 30 to 60 minutes depending on your environment.
Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.
sonobuoy run --wait --mode quick
sonobuoy run --wait
sonobuoy run --kube-conformance-image gcr.io/google-containers/conformance:v1.16.8
results=$(sonobuoy retrieve)
sonobuoy results $results
sonobuoy delete --wait
Kubernetes Deployment Code Analysis
Kubesec
Kubesec is a security risk analysis tool for Kubernetes resources. It scans YAML files and compares their content against good security practices.
By default it only scans one file at a time. To scan a whole directory you have to use the find command and specify the appropriate file suffix, either .yaml or .yml depending on your habits.
kubesec scan deployment.yaml
find . -name '*.yaml' -exec kubesec scan {} \;
Output example
Kube-linter
KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
In the command examples below we will use the guestbook application from the Kubernetes examples repository. The commands do not have to be executed in order; they are only examples of use.
git clone https://github.com/kubernetes/examples.git
kube-linter lint examples/guestbook/
kube-linter lint -v --add-all-built-in examples/guestbook/
kube-linter lint --format=json examples/guestbook/
kube-linter checks list
Output example
Terrascan
Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
Seamlessly scan infrastructure as code for misconfigurations.
Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and revert to a secure posture.
Detect security vulnerabilities and compliance violations.
Mitigate risks before provisioning cloud native infrastructure.
Run locally or integrate with your CI/CD.
Again we will use the guestbook application from the Kubernetes examples repository to try this tool.
Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.
git clone https://github.com/kubernetes/examples.git
terrascan scan --iac-dir examples/guestbook/ -i k8s
terrascan scan --iac-dir examples/guestbook/ --show-passed --output json -i k8s
terrascan scan --iac-dir examples/charts/hello-world/ -i helm
terrascan scan --iac-dir examples/charts/hello-world/ --show-passed -i helm
Output example
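Kubesec, KubeLinter and Terrascan all come down to the same kind of check: walk the Pod template of a workload and flag settings that weaken isolation. The Python script below is an added example written for this page, not code from any of those projects. It implements a handful of those checks (privileged containers, privilege escalation, running as root, writable root filesystem, undropped capabilities, missing resource limits, unpinned images, host namespaces) over a constructed Deployment manifest, read as JSON so that it runs without extra dependencies, so you can see what a finding looks like and which fields drive it.

```python
"""Minimal misconfiguration linter for a Kubernetes Deployment manifest.

Added example, not code from Kubesec, KubeLinter or Terrascan.  It applies a
few of the checks those tools run over Pod and container security contexts.
The manifest below is constructed for this example and is read as JSON
(kubectl accepts JSON as well as YAML; YAML would only add a PyYAML dependency).
"""
import json

# Constructed sample Deployment: the "web" container is deliberately weak,
# the "sidecar" container follows the hardening these linters ask for.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo-web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "web",
             "image": "example/web:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar",
             "image": "example/sidecar:1.4.2",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}},
        ],
    }}},
})


def pod_spec(obj):
    """Return the PodSpec of a bare Pod, or of a workload's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def image_is_pinned(image):
    """True when the image reference carries a non-'latest' tag or a digest."""
    if "@" in image:
        return True                        # pinned by digest
    last = image.rsplit("/", 1)[-1]        # drop registry/namespace (a registry may carry a port)
    return ":" in last and not last.endswith(":latest")


def lint_container(c, pod_sc):
    """Container-level checks; each finding is (container name, message).

    Pod-level securityContext fields are inherited unless the container
    overrides them, so the two are merged before checking.
    """
    findings = []
    name = c.get("name", "<unnamed>")
    sc = {**pod_sc, **(c.get("securityContext") or {})}
    if not image_is_pinned(c.get("image", "")):
        findings.append((name, "image is not pinned to a tag or digest"))
    if sc.get("privileged") is True:
        findings.append((name, "container runs privileged"))
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append((name, "allowPrivilegeEscalation is not set to false"))
    if sc.get("runAsNonRoot") is not True:
        findings.append((name, "runAsNonRoot is not set to true"))
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append((name, "root filesystem is writable"))
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        findings.append((name, "Linux capabilities are not dropped (drop: [ALL])"))
    if not (c.get("resources") or {}).get("limits"):
        findings.append((name, "no resource limits set"))
    return findings


def lint_manifest(text):
    """Pod-level plus container-level checks over one JSON manifest."""
    spec = pod_spec(json.loads(text))
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(("pod", f"{field} is enabled"))
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(lint_container(c, pod_sc))
    return findings


if __name__ == "__main__":
    for where, msg in lint_manifest(SAMPLE_MANIFEST):
        print(f"[{where}] {msg}")
```

Run it as-is and the "web" container produces seven findings and the Pod one (hostNetwork), while the hardened "sidecar" produces none; feed it your own manifest (kubectl get deploy NAME -o json) to compare against what the tools above report.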
K8sGPT
k8sgpt is a tool for scanning your Kubernetes clusters and diagnosing and triaging issues in simple English. It has SRE experience codified into its analyzers and helps to pull out the most relevant information to enrich it with AI.
k8sgpt on GitHub : https://github.com/k8sgpt-ai
k8sgpt official : https://k8sgpt.ai/
Reveal Secrets in Code
Gitleaks
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
Gitleaks can be used as an on-demand analysis tool or it can be implemented as a pre-commit hook directly in your repo. Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use. Note that the first three commands use the command-line syntax of Gitleaks releases before v8 (--repo-url), while the last one uses the v8 detect subcommand.
git clone https://github.com/gitleakstest/gronit
gitleaks --repo-url=https://github.com/gitleakstest/gronit -v
gitleaks --repo-url=https://github.com/gitleakstest/gronit --redact
gitleaks --repo-url=https://github.com/jmutai/dotfiles --report=gitleaks_results.csv
gitleaks detect -v -s /gronit/ --report=gitleaks_results.json
Output example
Whispers
Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline. Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.
git clone https://github.com/gitleakstest/gronit
curl -L https://raw.githubusercontent.com/Skyscanner/whispers/master/whispers/config.yml -o whispers_config.yml
whispers /gronit/
whispers --config whispers_config.yml /gronit/ --output secrets.yml
whispers --config whispers_config.yml /gronit/ --severity CRITICAL
Output example
Detect-secrets
detect-secrets is an aptly named module for detecting secrets within a code base.
However, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind, providing a backwards-compatible, systematic means of:
Preventing new secrets from entering the code base,
Detecting if such preventions are explicitly bypassed, and
Providing a checklist of secrets to roll, and migrate off to a more secure storage.
Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.
git clone https://github.com/kubernetes/examples.git && cd examples
detect-secrets scan --all-files --force-use-all-plugins
detect-secrets scan > .secrets.baseline
Output example
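Gitleaks, Whispers and detect-secrets combine two techniques: pattern rules for token formats with a known shape, and Shannon entropy for opaque random-looking strings, plus a baseline or allowlist so that findings you have already reviewed stop being reported. The Python script below is an added example, not the code of any of those tools. The rule set, the sample files and the tokens in them are constructed for the example (the AKIA... key ID is the sample AWS publishes in its documentation, not a live credential), and the hashed fingerprint used for the baseline is a simplification of the hashed baseline detect-secrets keeps. It also shows why both techniques are needed: the AWS key ID has low entropy and is only caught by its pattern rule, while the opaque api_token value matches no rule and is only caught by entropy.

```python
"""Hardcoded-secret detection: pattern rules plus Shannon entropy, with a baseline.

Added example, not code from Gitleaks, Whispers or detect-secrets.  The rules
below are constructed in the spirit of those tools' rule files, and the sample
files and tokens are constructed test data, not real credentials.
"""
import hashlib
import math
import re

# Pattern rules for token formats with a recognisable shape (constructed set).
# When a rule has a capture group, the last group is the secret itself.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
# Candidate strings for the entropy check: long runs of token-like characters.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.2   # bits per character; random tokens sit above it, words and slugs below

# Constructed sample repository contents (path -> file text).
SAMPLE_FILES = {
    "config/app.env": "\n".join([
        "APP_NAME=guestbook",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",   # AWS documentation sample key ID
        "DEPLOY_TARGET=kubernetes-examples-guestbook-frontend",
        'api_token = "x7Gq9vLmPz2RbT4wKdN8yHs3"',   # constructed opaque token
    ]),
    "scripts/deploy.sh": "\n".join([
        "#!/bin/sh",
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",   # constructed
        'db_password = "correct-horse-battery"',
    ]),
}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(secret):
    """Stable identifier for a secret that does not store the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


def redact(secret):
    """Show only a short prefix, as gitleaks --redact does."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path, text, baseline=frozenset()):
    """Scan one file's text; findings whose fingerprint is in the baseline are suppressed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()   # one report per distinct secret per line, even if two checks hit it

        def report(rule, secret):
            fp = fingerprint(secret)
            if fp in seen or fp in baseline:
                return
            seen.add(fp)
            findings.append({"path": path, "line": lineno, "rule": rule,
                             "fingerprint": fp, "secret": redact(secret)})

        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                report(rule, m.group(m.lastindex) if m.lastindex else m.group(0))
        for m in ENTROPY_CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                report("high-entropy-string", token)
    return findings


def scan_files(files, baseline=frozenset()):
    """Scan a mapping of path -> text and concatenate the findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text, baseline))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['secret']}")
```

Running it reports four findings: the AWS key ID and the GitHub token through their rules, the db_password value through the generic password rule, and the api_token value through entropy alone, while the long slug kubernetes-examples-guestbook-frontend is correctly left alone. Passing a baseline of fingerprints of already-reviewed secrets to scan_files drops those findings, which is the mechanism behind the .secrets.baseline file detect-secrets generates above.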
Container Image Scan
Trivy
Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. Trivy also scans for hardcoded secrets like passwords, API keys and tokens. Trivy is easy to use: just install the binary and you're ready to scan. Note that recent Trivy releases have renamed the --security-checks flag used below to --scanners.
trivy image ubuntu:latest
git clone https://github.com/kubernetes/examples.git
trivy fs --security-checks vuln,secret,config examples/
trivy config examples/
Output example
Trivy is also able to scan your Kubernetes cluster for both Vulnerabilities and Misconfigurations.
trivy k8s --report=summary
trivy k8s --report=all
trivy k8s --severity=CRITICAL --report=all
trivy k8s -n kube-system --report=summary
trivy k8s deployment/appname
trivy k8s --format json -o results.json
Output example
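In a pipeline the useful output of Trivy is the JSON report (trivy ... --format json) and a decision taken on it. Trivy can make most of that decision itself with --severity, --ignore-unfixed and --exit-code; the Python script below is an added example, not Trivy's own code, that makes the same policy explicit so you can see where each finding class (Vulnerabilities, Misconfigurations, Secrets) lives in the report and which ones should block a deployment. The report it parses is constructed in the shape of Trivy's JSON output; the CVE and check identifiers in it are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report.

Added example, not Trivy's own code.  The report below is constructed in the
shape of Trivy's JSON output (Results -> Vulnerabilities / Misconfigurations
/ Secrets); the identifiers are placeholders and do not refer to real advisories.
"""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/web:1.0",
    "Results": [
        {"Target": "example/web:1.0 (alpine 3.18)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libssl",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "Severity": "HIGH"},          # no fix available
             {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib",
              "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"},
         ]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "PLACEHOLDER-DS-001", "Title": "Image runs as root",
              "Severity": "HIGH", "Status": "FAIL"},
         ]},
        {"Target": "app/settings.py", "Class": "secret",
         "Secrets": [
             {"RuleID": "placeholder-generic-token", "Title": "Generic API token",
              "Severity": "HIGH"},
         ]},
    ],
})

SEVERITY_RANK = {name: i for i, name in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}


def iter_findings(report):
    """Yield (kind, identifier, severity, fixable, target) for every finding in the report."""
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            yield ("vulnerability", v["VulnerabilityID"], v.get("Severity", "UNKNOWN"),
                   bool(v.get("FixedVersion")), target)
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue           # passed checks are listed when --include-non-failures is used
            yield ("misconfiguration", m["ID"], m.get("Severity", "UNKNOWN"), True, target)
        for s in result.get("Secrets") or []:
            yield ("secret", s["RuleID"], s.get("Severity", "UNKNOWN"), True, target)


def evaluate(report_json, fail_on="HIGH", ignore_unfixed=True):
    """Count findings per kind/severity and list the ones that block the build.

    fail_on: lowest severity that blocks.  ignore_unfixed: do not block on a
    vulnerability with no FixedVersion (it is still counted in the summary).
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    summary = Counter()
    blocking = []
    for kind, ident, sev, fixable, target in iter_findings(report):
        summary[f"{kind}/{sev}"] += 1
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        if kind == "vulnerability" and ignore_unfixed and not fixable:
            continue           # nothing to patch yet: track it, but do not fail the build on it
        blocking.append({"kind": kind, "id": ident, "severity": sev, "target": target})
    return {"summary": dict(summary), "blocking": blocking, "passed": not blocking}


if __name__ == "__main__":
    import sys
    verdict = evaluate(SAMPLE_REPORT)
    for key, n in sorted(verdict["summary"].items()):
        print(f"{key}: {n}")
    for b in verdict["blocking"]:
        print(f"BLOCKING {b['severity']} {b['kind']} {b['id']} in {b['target']}")
    sys.exit(0 if verdict["passed"] else 1)
```

With the defaults the sample report fails on three findings (the fixable CRITICAL package vulnerability, the Dockerfile misconfiguration and the secret) and only tracks the unfixed HIGH one; replace SAMPLE_REPORT with the file produced by trivy k8s --format json -o results.json or trivy image --format json to gate on a real scan.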
Now you have a toolbox to ensure the security of your environments. Of course, you have to choose the right tools for your needs. Good luck with the mitigations!
Feel free to comment on this article if you have questions.