My entire months of June and July have been consumed by Kubernetes, largely owing to the Kubernetes Security Masterclass training that we are bringing to BlackHat USA 2020 👍🎉 (you should register if you haven't already). We have been running Kubernetes Security trainings for a while now, and I have come to see the Kubernetes community as one of the most actively supported communities around, second perhaps only to JavaScript and NodeJS (just an opinion). As a result, new tools, good, bad and ugly, are constantly being released around Kubernetes.

Not surprisingly, security tools are in high demand in the community, partly because:

  1. Kubernetes security is challenging, to say the least, and a series of rabbit-holes that get increasingly complicated, to say the worst. It is complex even for Kube-mavens.
  2. Admission control in Kubernetes, especially dynamic admission via the ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources, gives you a hook to inspect (and rewrite) every object before it is persisted, which provides ample opportunity to build some really useful security integrations.

Over the last couple of years, we at we45 have looked at a number of useful Kubernetes security tools, which we:

  • Either use for audits and assessments
  • And/or use for training, when we teach Kubernetes security and run our deep-dive sessions on Kubernetes

In this list I will not be covering larger-scope tools like Vault, which is amazing with Kubernetes (and everything else), but only Kubernetes-specific tools. Again, this is by no means an exhaustive list. It's just the stuff we love and use often.

I am also only covering OSS tools. No commercial tools in this blog post.

KubeAudit

We love Shopify at we45, and KubeAudit is an awesome tool from Shopify's engineering team that comes with the familiar Shopify polish and user-friendliness. As the name suggests, KubeAudit audits the security configuration of the workloads in a Kubernetes cluster: security contexts (privileged containers, privilege escalation, running as root, writable root filesystems, Linux capabilities), host namespace sharing, automatically mounted service account tokens, AppArmor and seccomp profiles, image tags, resource limits and network policies, among others. It does a great job of uncovering some major security issues with clusters. It is kept constantly updated and has added some very useful features, including:

  • a manifest mode that allows KubeAudit to be used as a static analyzer against your Kubernetes YAML manifests (`kubeaudit all -f manifest.yaml`), so the same checks can run in CI before anything reaches a cluster.
  • a CLI and a Go library. KubeAudit can be used both as a CLI and as a Go library, to encourage integrations, which is 👍 as far as I am concerned.
  • an autofix mode (`kubeaudit autofix -f manifest.yaml`) that checks your manifests and writes out a more security-optimized version. I sometimes find this to be overkill (it cannot know, for instance, which capabilities your container genuinely needs), but it gives me good suggestions that I can selectively implement for better security.

Here's a link to KubeAudit on Github
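To make the manifest-mode and autofix ideas concrete, here is an added example of my own (stdlib-only Python, not KubeAudit's code): it runs a handful of kubeaudit-style checks over a constructed Deployment manifest and emits a hardened copy. Manifests are handled as dicts (the JSON form of YAML) so no YAML library is needed; the check names, messages and the sample manifest are all my own.

```python
"""Minimal static audit + autofix for Kubernetes Pod-style manifests.

Added example, not kubeaudit's own code: a stdlib-only illustration of the
kind of checks a manifest-mode auditor runs and how an autofix rewrites a
manifest. Manifests are plain dicts (the JSON form of YAML); the sample
Deployment below is constructed for the demo.
"""
import copy
import json

# Constructed sample: a Deployment with several insecure settings and one
# well-configured sidecar, so the audit has both hits and misses.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "web", "image": "nginx:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "busybox@sha256:" + "a" * 64,
             "securityContext": {"runAsNonRoot": True,
                                 "readOnlyRootFilesystem": True,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    }}},
}


def pod_spec(manifest):
    """Return the PodSpec for a Pod or for a workload that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """Return a list of (target, check, message) findings for the manifest."""
    findings = []
    spec = pod_spec(manifest)
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(("pod", ns, f"{ns} is true; pod shares a host namespace"))
    # Kubernetes mounts the service account token unless this is explicitly false.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("pod", "automountServiceAccountToken",
                         "service account token is mounted by default"))
    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((name, "privileged", "container runs privileged"))
        if sc.get("allowPrivilegeEscalation", True):   # default is true
            findings.append((name, "allowPrivilegeEscalation", "not set to false"))
        if not sc.get("runAsNonRoot"):
            findings.append((name, "runAsNonRoot", "container may run as root"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "readOnlyRootFilesystem", "root filesystem is writable"))
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append((name, "capabilities", "does not drop ALL capabilities"))
        if "@sha256:" not in c.get("image", ""):
            findings.append((name, "image", "image is not pinned by digest"))
    return findings


def autofix(manifest):
    """Return a hardened deep copy; the caller decides which changes to keep.

    Image digests are deliberately not touched: an autofix cannot know which
    digest you meant, just as it cannot know which capabilities you need.
    """
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(ns, None)
    spec["automountServiceAccountToken"] = False
    for c in spec.get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc.update({"privileged": False, "allowPrivilegeEscalation": False,
                   "runAsNonRoot": True, "readOnlyRootFilesystem": True})
        caps = sc.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        caps.pop("add", None)   # re-add only what the workload really needs
    return fixed


if __name__ == "__main__":
    for target, check, msg in audit(SAMPLE_MANIFEST):
        print(f"[{check}] {target}: {msg}")
    print(json.dumps(autofix(SAMPLE_MANIFEST), indent=2))
```

Run against the sample, the audit reports eight findings (two pod-level, six on the `web` container, none on the sidecar); the hardened copy still fails the image-digest check, which is the kind of finding an autofix cannot resolve for you and the reason I treat autofix output as suggestions rather than something to commit blindly.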

Polaris

Polaris is a policy-management tool for Kubernetes from Fairwinds. It runs a set of checks covering security, networking and general best practices (privileged containers, missing resource requests and limits, missing health probes, unpinned image tags and the like) and, when deployed as an admission controller, rejects resources that violate them. This is akin to PodSecurityPolicy in intent, but with simpler rules that also cover reliability, not just security.

What sets Polaris apart is its dashboard, which lets you visualize the overall health of your Kubernetes cluster, as a score and a per-workload breakdown, based on these checks.

In addition, you can use the Polaris CLI to run the same checks in CI/CD against your manifests (or a cluster) and set thresholds, such as a minimum score or a maximum number of errors, that fail the build. With many similar tools you have to DIY that integration to a large extent.

Here's a link to Polaris on Github
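Since both the admission-control point made at the top of this post and Polaris's admission mode come down to the same webhook contract, here is an added example of my own (not Polaris's, Gatekeeper's or any other project's code) showing what a ValidatingWebhookConfiguration or MutatingWebhookConfiguration actually delivers to your endpoint and what it expects back. The policy (no privileged containers, pods must set `runAsNonRoot`) is deliberately small; the AdmissionReview, the pod and the `uid` are constructed, and the HTTPS server, TLS certificates and webhook registration are not shown.

```python
"""Validating and mutating decisions for an AdmissionReview v1 request.

Added example, not code from Polaris, Gatekeeper or any project on this page.
The sample pod and review are constructed; the serving side (HTTPS, TLS,
the *WebhookConfiguration objects) is omitted.
"""
import base64
import copy
import json

API_VERSION = "admission.k8s.io/v1"


def review_for(pod, uid="11111111-2222-3333-4444-555555555555"):
    """Wrap a Pod in a CREATE AdmissionReview, shaped as the API server sends it."""
    return {
        "apiVersion": API_VERSION,
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,   # constructed; the API server generates this per request
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "namespace": pod.get("metadata", {}).get("namespace", "default"),
            "operation": "CREATE",
            "object": pod,
        },
    }


# Constructed sample: a debug pod that asks for a privileged container.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {"containers": [
        {"name": "shell", "image": "alpine:3.12",
         "securityContext": {"privileged": True}}]},
}
SAMPLE_REVIEW = review_for(SAMPLE_POD)


def violations(pod):
    """Policy: no privileged containers, and runAsNonRoot set at pod level."""
    problems = []
    spec = pod["spec"]
    if not spec.get("securityContext", {}).get("runAsNonRoot"):
        problems.append("spec.securityContext.runAsNonRoot must be true")
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            problems.append(f"container {c['name']} must not be privileged")
    return problems


def validate(review):
    """ValidatingWebhook handler: deny with a message, or allow unchanged."""
    req = review["request"]
    problems = violations(req["object"]) if req["kind"]["kind"] == "Pod" else []
    resp = {"uid": req["uid"], "allowed": not problems}   # uid must be echoed back
    if problems:
        resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": resp}


def mutate(review):
    """MutatingWebhook handler: allow, but return a JSON Patch (RFC 6902) fixing the pod."""
    req = review["request"]
    pod = req["object"]
    patch = []
    if "securityContext" not in pod["spec"]:
        patch.append({"op": "add", "path": "/spec/securityContext", "value": {}})
    patch.append({"op": "add", "path": "/spec/securityContext/runAsNonRoot", "value": True})
    for i, c in enumerate(pod["spec"].get("containers", [])):
        if (c.get("securityContext") or {}).get("privileged"):
            patch.append({"op": "replace", "value": False,
                          "path": f"/spec/containers/{i}/securityContext/privileged"})
    resp = {"uid": req["uid"], "allowed": True, "patchType": "JSONPatch",
            # the API server expects the patch document base64-encoded
            "patch": base64.b64encode(json.dumps(patch).encode()).decode()}
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": resp}


def decode_patch(review_response):
    """Decode the JSON Patch carried in a mutate() response."""
    return json.loads(base64.b64decode(review_response["response"]["patch"]))


def apply_patch(pod, patch):
    """Apply the add/replace subset of JSON Patch that mutate() emits (for local checking)."""
    pod = copy.deepcopy(pod)
    for op in patch:
        parts = op["path"].strip("/").split("/")
        node = pod
        for p in parts[:-1]:
            node = node[int(p)] if isinstance(node, list) else node[p]
        node[parts[-1]] = op["value"]
    return pod


if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_REVIEW)["response"], indent=2))
    fixed = apply_patch(SAMPLE_POD, decode_patch(mutate(SAMPLE_REVIEW)))
    print("allowed after mutation:", validate(review_for(fixed))["response"]["allowed"])
```

Two things to get right when you deploy something like this for real: register the security webhook with `failurePolicy: Fail` (an unreachable webhook should not silently admit everything) and scope it with a namespace selector so that a webhook outage cannot block kube-system and lock you out of your own cluster. Mutating webhooks run before validating ones, so a mutation like the one above should still be backed by a validating rule.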

Gatekeeper from Open Policy Agent

I have always loved Open Policy Agent. It's truly one of those frameworks with incredible extensibility and malleability across a variety of environments, including API authorization, OS and host policy management, and container runtime and orchestration policy.

Gatekeeper can be used similarly to Polaris, but the onus of writing and maintaining policies, in OPA's Rego language, is really on you. However, OPA is really popular and you should be able to find rules that others have composed (the community gatekeeper-library is a good starting point) and customize them to make them your own.

In addition, I really like the audit functionality within Gatekeeper: it periodically re-evaluates the resources already in the cluster against your constraints and records the violations in each constraint's status, which gives you an audit trail of policy violations rather than only admission-time rejections of new objects.

Here's a link to Gatekeeper on Github

Audit2RBAC

RBAC can be a giant PitA, especially when you want to really get least privilege right. Audit2RBAC (by Jordan Liggitt) is a small utility that derives the right RBAC policy for a subject from the Kubernetes audit log. It takes the audit log as input, filters it to the requests made by the user or service account you care about, and generates a reasonably good Role/ClusterRole (plus bindings) covering exactly the verbs and resources that were actually exercised. Two caveats: audit logging has to be enabled on the API server with a policy that records at least the Metadata level for those requests, and the generated policy only covers what the subject did during the observation window, so exercise a representative workload before trusting the output.

Here's a link to Audit2RBAC on Github
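To show what "derive RBAC from the audit log" means mechanically, here is an added example in the spirit of Audit2RBAC (my own Python, not the tool's code). It reads JSON-lines audit events, keeps the successful requests made by one subject, and folds them into a namespaced Role, a ClusterRole for cluster-scoped resources, and the matching bindings. The audit events are constructed, and non-resource URL requests (such as `/version`) are skipped rather than turned into `nonResourceURLs` rules.

```python
"""Derive a least-privilege Role/ClusterRole from Kubernetes audit events.

Added example in the spirit of audit2rbac, not its code. Input is the
JSON-lines format the API server's audit log backend writes; the sample
events below are constructed for the demo.
"""
import json
from collections import defaultdict

SUBJECT = "system:serviceaccount:ops:deployer"

# Constructed audit events: successful calls by the subject, a duplicate
# RequestReceived stage, a denied call, another user's call, and a
# non-resource request, so the filter has something to drop.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
     "verb": "list", "user": {"username": SUBJECT},
     "objectRef": {"resource": "pods", "namespace": "ops", "apiGroup": ""}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": SUBJECT},
     "objectRef": {"resource": "pods", "namespace": "ops", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "watch", "user": {"username": SUBJECT},
     "objectRef": {"resource": "pods", "namespace": "ops", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": SUBJECT},
     "objectRef": {"resource": "pods", "subresource": "log", "name": "web-1",
                   "namespace": "ops", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "update", "user": {"username": SUBJECT},
     "objectRef": {"resource": "deployments", "name": "web", "namespace": "ops",
                   "apiGroup": "apps"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": SUBJECT},
     "objectRef": {"resource": "nodes", "apiGroup": ""},   # cluster-scoped
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "delete", "user": {"username": SUBJECT},
     "objectRef": {"resource": "secrets", "namespace": "ops", "apiGroup": ""},
     "responseStatus": {"code": 403}},   # forbidden: must not become a permission
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "secrets", "namespace": "ops", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": SUBJECT}, "requestURI": "/version",
     "responseStatus": {"code": 200}},
])


def parse_events(text):
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def collect(events, username):
    """Map (namespace or None) -> (apiGroup, resource) -> set of verbs for one subject."""
    rules = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.get("stage") != "ResponseComplete":          # avoid double counting
            continue
        if e.get("user", {}).get("username") != username:
            continue
        if e.get("responseStatus", {}).get("code", 0) >= 400:   # denied/failed calls
            continue
        ref = e.get("objectRef")
        if not ref:                                       # non-resource URL, skipped here
            continue
        resource = ref["resource"] + ("/" + ref["subresource"] if ref.get("subresource") else "")
        rules[ref.get("namespace")][(ref.get("apiGroup", ""), resource)].add(e["verb"])
    return rules


def to_rules(rule_map):
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(rule_map.items())]


def subject_for(username):
    if username.startswith("system:serviceaccount:"):
        _, _, ns, sa = username.split(":", 3)
        return {"kind": "ServiceAccount", "name": sa, "namespace": ns}
    return {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}


def generate(text, username):
    """Return Role/RoleBinding per namespace, then ClusterRole/ClusterRoleBinding if needed."""
    rules = collect(parse_events(text), username)
    name = username.rsplit(":", 1)[-1] + "-generated"
    rbac = "rbac.authorization.k8s.io"
    objs = []
    for ns, rm in sorted((k, v) for k, v in rules.items() if k):
        objs.append({"apiVersion": rbac + "/v1", "kind": "Role",
                     "metadata": {"name": name, "namespace": ns}, "rules": to_rules(rm)})
        objs.append({"apiVersion": rbac + "/v1", "kind": "RoleBinding",
                     "metadata": {"name": name, "namespace": ns},
                     "subjects": [subject_for(username)],
                     "roleRef": {"apiGroup": rbac, "kind": "Role", "name": name}})
    if rules.get(None):
        objs.append({"apiVersion": rbac + "/v1", "kind": "ClusterRole",
                     "metadata": {"name": name}, "rules": to_rules(rules[None])})
        objs.append({"apiVersion": rbac + "/v1", "kind": "ClusterRoleBinding",
                     "metadata": {"name": name}, "subjects": [subject_for(username)],
                     "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": name}})
    return objs


if __name__ == "__main__":
    print(json.dumps(generate(SAMPLE_AUDIT_LOG, SUBJECT), indent=2))
```

Note what the filtering buys you: the forbidden `delete secrets` call and the other user's `get secrets` never turn into permissions, and the `list nodes` call lands in a ClusterRole rather than being smuggled into the namespaced Role. The flip side is the caveat above: anything the subject did not do while you were logging is simply absent from the output.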

Kube-Hunter

If you're a pentester or red-teamer, this is a tool you don't want to miss. Kube-hunter is an offensive tool from Aqua Security that helps you discover and probe Kubernetes clusters. It has a plethora of checks ("hunters") that identify weaknesses such as exposed API servers, kubelet ports and dashboards, and can go on to exploit them, running either remotely against a cluster's network range or locally from inside a pod.

The tool, true to its orientation, is meant to identify AND exploit. By default it only runs passive discovery; active exploitation is opt-in via the `--active` flag. So don't use this lightly, and more importantly, never without authorization to do so.

Additionally, what I like about it (a little extra) is that it's one of the few Kubernetes tools written in Python, and since my team largely consists of *py devs, it's easier for us to extend it if required in a client engagement.

Here's a link to Kube-Hunter on Github

Do you have any other tools for Kubernetes security that you love? Let me know; I'll be happy to look at them and experiment.

If you're looking for awesome Kubernetes security training, drop us a line here, or you can attend our upcoming class at BlackHat USA 2020, "Kubernetes Security Masterclass".

In addition, if you want a Kubernetes-focused Security Assessment, Audit or Pentest, write to us here and we can definitely help you out with your needs.