Kubernetes, Containers and Code Security Tools

Looking to validate the security of your Kubernetes environments?

On this page we have gathered a series of tools to analyze:

  • The security of your Kubernetes clusters

  • Best-practice violations and misconfigurations in your Kubernetes deployment code

  • The presence of secrets in your code

  • The security level of the container image

There are plenty of tools out there, but we focus on open source tools that have a good reputation or a high score on GitHub.

Here we will not provide detailed user or installation guides. The aim is to centralise a list of tools that may be useful to you.

Kubernetes Security and Compliance Tools

Kubescape

An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters

Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.

Kubescape scans clusters, YAML files, and Helm charts. It detects misconfigurations according to multiple frameworks (including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark).

Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
kubescape scan --enable-host-scan --verbose

kubescape by Armo

kubescape on GitHub

Kube-hunter

kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!

Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

Remote scanning (the attacker's-eye view):

kube-hunter --remote mycluster.mydomain.com
kube-hunter --remote 195.12.11.10

Scan from the local subnet:

kube-hunter --interface
kube-hunter --cidr 192.168.1.0/24
kube-hunter --k8s-auto-discover-nodes --kubeconfig ~/.kube/config

Output example (screenshot not reproduced here)

Kube-bench

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

The tool is really easy to use and does not have many options. It simply gives you the result of the analysis, as long as it has access to the cluster.

export KUBECONFIG=~/.kube/config
kube-bench
kube-bench --unscored=false

Output example (screenshot not reproduced here)

Sonobuoy

Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of plugins (including Kubernetes conformance tests) in an accessible and non-destructive manner. It is a customizable, extendable, and cluster-agnostic way to generate clear, informative reports about your cluster.

This comprehensive tool performs a thorough analysis of your Kubernetes clusters and outputs a report as an archive. The review of a cluster can take from 30 to 60 minutes depending on your environment.

Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

sonobuoy run --wait --mode quick
sonobuoy run --wait
sonobuoy run --kube-conformance-image gcr.io/google-containers/conformance:v1.16.8
results=$(sonobuoy retrieve)
sonobuoy results $results
sonobuoy delete --wait

Kubernetes Deployment Codes Analysis

Kubesec

Kubesec is a security risk analysis tool for Kubernetes resources. It scans a .yaml file and compares its content against good security practices.

By default it only scans one file at a time. To scan a whole directory you have to use the find command and specify the appropriate file suffix, either .yaml or .yml depending on your habits.

kubesec scan deployment.yaml
find . -name '*.yaml' -exec kubesec scan {} \;
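The find-based loop above prints one report per manifest but leaves the pass/fail decision to the reader. The script below is an added example, not part of the article or of the kubesec project: it scans a directory with kubesec, extracts the score of every resource from kubesec's JSON output, and fails when any score falls below a minimum (the MIN_SCORE default of 1 is an assumed policy value; the sample JSON is constructed to mirror kubesec's output shape, not a real scan).

```shell
#!/bin/sh
# Added example (not from the article): gate a CI job on kubesec scores.
# Assumes kubesec is on PATH when scanning a real directory.
set -eu

# Constructed sample of kubesec JSON output (one object per resource); not a real scan.
SAMPLE_OUTPUT='[{"object":"Deployment/web.default","valid":true,"message":"Failed with a score of -7 points","score":-7},
{"object":"Deployment/api.default","valid":true,"message":"Passed with a score of 4 points","score":4}]'

# Print the "score" value of each resource, one per line (scores may be negative:
# kubesec subtracts points for critical findings such as privileged containers).
kubesec_scores() {
  grep -oE '"score": *-?[0-9]+' | sed -E 's/.*: *//'
}

# check_scores JSON [MIN]: succeed only if every score in JSON is >= MIN (default 1).
check_scores() {
  min="${2:-${MIN_SCORE:-1}}"
  # awk counts scores below the threshold; the pipeline status is awk's, so grep
  # finding nothing does not abort the script under set -e.
  bad=$(printf '%s\n' "$1" | kubesec_scores | awk -v min="$min" '$1 < min { n++ } END { print n + 0 }')
  [ "$bad" -eq 0 ]
}

# scan_dir DIR [MIN]: run kubesec over every .yaml/.yml under DIR and gate each file.
# Uses the same find pattern as the article; paths with spaces are not supported.
scan_dir() {
  failed=0
  for f in $(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \)); do
    if check_scores "$(kubesec scan "$f")" "${2:-}"; then
      echo "PASS $f"
    else
      echo "FAIL $f (score below minimum)"
      failed=1
    fi
  done
  return "$failed"
}

# Real scan only when a directory is supplied via KUBESEC_DIR, e.g.
#   KUBESEC_DIR=./manifests MIN_SCORE=1 sh kubesec-gate.sh
if [ -n "${KUBESEC_DIR:-}" ]; then
  scan_dir "$KUBESEC_DIR"
fi
```

Wire it into CI after the manifests are rendered (for Helm, after helm template) so a negative-scoring resource blocks the merge instead of only appearing in a log.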

Output example (screenshot not reproduced here)

Kube-linter

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.

In the command examples below we use the guestbook application from the Kubernetes examples repository. The commands do not have to be executed in order; they are only examples of use.

git clone https://github.com/kubernetes/examples.git
kube-linter lint examples/guestbook/
kube-linter lint -v --add-all-built-in examples/guestbook/
kube-linter lint --format=json examples/guestbook/
kube-linter checks list

Output example (screenshot not reproduced here)

Terrascan

Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:

  • Seamlessly scan infrastructure as code for misconfigurations.

  • Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and revert to a secure posture.

  • Detect security vulnerabilities and compliance violations.

  • Mitigate risks before provisioning cloud native infrastructure.

  • Run it locally or integrate it with your CI/CD.

Again we use the guestbook application from the Kubernetes examples repository to try this tool.

Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

git clone https://github.com/kubernetes/examples.git
terrascan scan --iac-dir examples/guestbook/ -i k8s
terrascan scan --iac-dir examples/guestbook/ --show-passed --output json -i k8s
terrascan scan --iac-dir examples/charts/hello-world/ -i helm
terrascan scan --iac-dir examples/charts/hello-world/ --show-passed -i helm

Output example (screenshot not reproduced here)

K8sGPT

k8sgpt is a tool for scanning your Kubernetes clusters and diagnosing and triaging issues in simple English. It has SRE experience codified into its analyzers and helps to pull out the most relevant information to enrich it with AI.

Revealing Secrets in Code

Gitleaks

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.

Gitleaks can be used as an on-demand analysis tool, or it can be implemented as a pre-commit hook directly in your repo. Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

git clone https://github.com/gitleakstest/gronit
gitleaks --repo-url=https://github.com/gitleakstest/gronit -v
gitleaks --repo-url=https://github.com/gitleakstest/gronit --redact
gitleaks --repo-url=https://github.com/jmutai/dotfiles --report=gitleaks_results.csv
gitleaks detect -v -s /gronit/ --report=gitleaks_results.json

Output example (screenshot not reproduced here)

Whispers

Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI, or you can integrate it into your CI/CD pipeline. Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

git clone https://github.com/gitleakstest/gronit
curl -L https://raw.githubusercontent.com/Skyscanner/whispers/master/whispers/config.yml -o whispers_config.yml
whispers /gronit/
whispers --config whispers_config.yml /gronit/ --output secrets.yml
whispers --config whispers_config.yml /gronit/ --severity CRITICAL

Output example (screenshot not reproduced here)

Detect-secrets

detect-secrets is an aptly named module for detecting secrets within a code base.

However, unlike other similar packages that solely focus on finding secrets, this package is designed with the enterprise client in mind, providing a backwards-compatible, systematic means of:

  • Preventing new secrets from entering the code base,

  • Detecting if such preventions are explicitly bypassed, and

  • Providing a checklist of secrets to roll, and migrate off to a more secure storage.

Below you will find examples of how to use it. The commands do not have to be executed in order; they are only examples of use.

git clone https://github.com/kubernetes/examples.git && cd examples
detect-secrets scan --all-files --force-use-all-plugins
detect-secrets scan > .secrets.baseline

Output example (screenshot not reproduced here)

Container Image Scanning

Trivy

Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). In addition, Trivy scans Infrastructure as Code (IaC) files such as Terraform, Dockerfile and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack. Trivy also scans hardcoded secrets like passwords, API keys and tokens. Trivy is easy to use. Just install the binary and you're ready to scan.

trivy image ubuntu:latest
git clone https://github.com/kubernetes/examples.git
trivy fs --security-checks vuln,secret,config examples/
trivy config examples/

Output example (screenshot not reproduced here)

Trivy is also able to scan your Kubernetes cluster for both vulnerabilities and misconfigurations.

trivy k8s --report=summary
trivy k8s --report=all
trivy k8s --severity=CRITICAL --report=all
trivy k8s -n kube-system --report=summary
trivy k8s deployment/appname
trivy k8s --format json -o results.json

Output example (screenshot not reproduced here)

Now you have a toolbox to ensure the security of your environments. Of course, you have to choose the right tools for your needs. Good luck with the mitigations!

Feel free to comment on this article if you have questions.

cisel.ch