Not surprisingly, Kubernetes security tools are in popular demand in the community, partly because:
- Kubernetes security can be challenging, to say the least, and a series of rabbit holes that get increasingly complicated, to say the worst. It can be complex even to Kube-mavens.
- Admission controller resources in Kubernetes, especially MutatingWebhook resources, provide ample opportunities for people to build some really useful security integrations.
Over the last couple of years, we at we45 have looked at some useful Kubernetes security tools that we:
- either use for audits and assessments,
- and/or use for training, when we train folks on Kubernetes security and run our deep-dive sessions for Kubernetes.
In this list, I will not be covering larger-scope tools like Vault, which is amazing with Kubernetes (and everything else), but more Kubernetes-only tools. Again, this is by no means an exhaustive list. It's just stuff that we love and use often.
I am also only covering OSS tools. No commercial tools in this blog post.
We love Shopify at we45, and KubeAudit is an awesome tool from Shopify's engineering team that comes with the familiar Shopify polish and user-friendliness. As the name suggests, KubeAudit gives you the features to audit and assess Kubernetes clusters for security flaws. It does a great job of uncovering some major security issues in clusters. It's kept constantly updated and has added some very useful features, including:
- Manifest mode, which allows KubeAudit to be used as a static analyzer against your Kubernetes YAML manifests.
- Go library. KubeAudit can be used both as a CLI and as a Go library, to encourage integrations, which is 👍 as far as I am concerned.
- Autofix mode, which checks your manifests and creates a more security-optimized version of each manifest. While I sometimes find this to be overkill, it certainly gives me good suggestions that I can selectively implement for better security.
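To make manifest mode and autofix mode concrete, here is an added illustration that is not KubeAudit's own code and does not reproduce its rule set: a small Python checker that runs over a constructed Pod manifest, flags the classic securityContext weaknesses a static audit looks for, and produces a hardened copy the way an autofix would. The manifest, the check names and the messages are all constructed for this example; a real tool would load YAML with PyYAML, which is left out so the block runs with the standard library alone.

```python
import copy
import json

# Constructed sample Pod manifest in JSON form (the JSON and YAML forms of a
# Kubernetes manifest are equivalent). The "web" container is deliberately
# weak; the "sidecar" container already follows the hardening rules below.
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "demo"},
  "spec": {
    "containers": [
      {"name": "web", "image": "example/web:1.0",
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"runAsNonRoot": true,
                           "allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
""")

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job")


def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of a workload that wraps one in a template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") in WORKLOAD_KINDS:
        spec = spec.get("template", {}).get("spec", {})
    return spec


def audit_container(container):
    """Return (check, message) findings for one container's securityContext."""
    sc = container.get("securityContext") or {}
    findings = []
    if sc.get("privileged"):
        findings.append(("privileged", "container runs privileged"))
    # allowPrivilegeEscalation defaults to true when it is not set explicitly.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(("allowPrivilegeEscalation", "privilege escalation is not disabled"))
    if not sc.get("runAsNonRoot"):
        findings.append(("runAsNonRoot", "container may run as root"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("readOnlyRootFilesystem", "root filesystem is writable"))
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        findings.append(("capabilities", "capabilities are not dropped"))
    return findings


def audit_manifest(manifest):
    """Static 'manifest mode': map each container name to its findings."""
    return {c["name"]: audit_container(c) for c in pod_spec(manifest).get("containers", [])}


def autofix_manifest(manifest):
    """'Autofix mode': return a hardened deep copy; the input is left untouched."""
    fixed = copy.deepcopy(manifest)
    for c in pod_spec(fixed).get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc["privileged"] = False
        sc["allowPrivilegeEscalation"] = False
        sc["runAsNonRoot"] = True
        sc["readOnlyRootFilesystem"] = True
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


if __name__ == "__main__":
    for name, findings in audit_manifest(SAMPLE_MANIFEST).items():
        print(name, findings)
    print(json.dumps(autofix_manifest(SAMPLE_MANIFEST), indent=2))
```

The autofix output is where the "overkill" remark above bites: a blanket `readOnlyRootFilesystem: true` or `runAsNonRoot: true` will break a workload that writes to its filesystem or genuinely needs root, so the hardened manifest is something to diff and review, not to apply blindly.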
Polaris is a policy-management tool for Kubernetes from Fairwinds. It works as a set of admission-control checks with rules for security, networking and general best practices in a Kubernetes cluster, and it rejects resources that violate these rules. This is akin to PodSecurityPolicy, but unlike a PodSecurityPolicy, Polaris has simpler (and fewer) rules.
What wins out for Polaris is that it has a nice dashboard UI that you can use to visualize the overall health of your Kubernetes cluster based on these checks.
In addition, you can leverage the Polaris CLI to perform CI/CD checks against a cluster and set up thresholds for failing builds, etc., which sets it apart from similar tools that you largely need to DIY.
Gatekeeper from Open Policy Agent
I have always loved Open Policy Agent. It's truly one of those frameworks that has incredible extensibility and malleability for a variety of operating environments, including API, OS policy management and container runtime management.
While Gatekeeper can be used similarly to Polaris, the onus of writing and maintaining policies is really on you (with the policies written in Open Policy Agent's Rego). However, OPA is really popular, and you should be able to easily find and customize rules that others have composed to make them your own.
In addition, I really like the audit functionality within Gatekeeper, which helps you build out a complete audit trail of violations of the policy rules in use.
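As an added example for the Polaris and Gatekeeper sections (this is not code from either project, and it uses plain Python functions where Gatekeeper would use Rego), here is the core of an admission check: it evaluates a constructed AdmissionReview request against a few best-practice rules, returns the AdmissionReview response shape the API server expects from a validating webhook, and appends every decision to an in-memory audit trail so violations can be reviewed later. The Pods, UIDs, rule names and messages are all constructed for this example.

```python
import json

# Policies: each takes a Pod object and returns a list of violation messages.

def check_image_tags(pod):
    """Images must be pinned to a tag or a digest; 'latest' or no tag is rejected."""
    messages = []
    for c in pod["spec"].get("containers", []):
        image = c.get("image", "")
        if "@" in image:          # digest-pinned, e.g. repo/app@sha256:...
            continue
        last = image.rsplit("/", 1)[-1]   # strip registry/path so a registry port is not read as a tag
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None or tag == "latest":
            messages.append(f"container {c['name']}: image {image!r} is not pinned to a tag")
    return messages


def check_resource_limits(pod):
    """Every container must declare cpu and memory limits."""
    messages = []
    for c in pod["spec"].get("containers", []):
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                messages.append(f"container {c['name']}: missing {res} limit")
    return messages


def check_host_namespaces(pod):
    """Sharing the node's network, PID or IPC namespace is rejected."""
    spec = pod["spec"]
    return [f"{field} is enabled" for field in ("hostNetwork", "hostPID", "hostIPC") if spec.get(field)]


POLICIES = {
    "image-tag": check_image_tags,
    "resource-limits": check_resource_limits,
    "host-namespaces": check_host_namespaces,
}

AUDIT_TRAIL = []   # one record per reviewed request, violations included


def make_review(pod, uid, namespace="default"):
    """Wrap a Pod in the AdmissionReview request shape the API server sends to a webhook."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "namespace": namespace, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": pod}}


def review(admission_review):
    """Evaluate one AdmissionReview request and return the AdmissionReview response."""
    req = admission_review["request"]
    pod = req["object"]
    violations = [{"policy": name, "message": msg}
                  for name, policy in POLICIES.items() for msg in policy(pod)]
    AUDIT_TRAIL.append({"uid": req["uid"], "namespace": req.get("namespace"),
                        "name": pod.get("metadata", {}).get("name"), "violations": violations})
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403,
                              "message": "; ".join(f"[{v['policy']}] {v['message']}" for v in violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed Pods: one that breaks every rule, one that satisfies them.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
           "spec": {"hostNetwork": True,
                    "containers": [{"name": "web", "image": "example/web:latest"}]}}

GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
            "spec": {"containers": [{"name": "web", "image": "example/web:1.4.2",
                                     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    print(json.dumps(review(make_review(BAD_POD, "uid-bad")), indent=2))
    print(json.dumps(review(make_review(GOOD_POD, "uid-good")), indent=2))
    print(json.dumps(AUDIT_TRAIL, indent=2))
```

The `status.message` is what `kubectl` shows the user when the object is rejected, so naming the policy in each entry saves a round trip to the webhook's logs; the audit trail records allowed requests too, which is what lets you run a new rule in audit-only mode before you start rejecting on it.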
RBAC can be a giant PitA, especially when you want to really get least privilege right. Audit2RBAC is a small utility that helps you identify the right RBAC policy for your workloads based on the Kubernetes audit log. It takes the audit log as input and generates a reasonably good RBAC policy for the identities you're working with.
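To show what the audit-log-to-RBAC idea involves, here is an added example that is not audit2rbac's own code: it reads constructed Kubernetes audit events (the JSON-lines format the API server writes), keeps the requests made by one identity, and emits Role/RoleBinding objects per namespace plus ClusterRole/ClusterRoleBinding objects for cluster-scoped resources, covering exactly the observed requests and nothing more. The log lines, the service account and the object names are constructed for this example.

```python
import json
from collections import defaultdict

RBAC_API = "rbac.authorization.k8s.io/v1"

# Constructed audit events (Metadata level). They include a RequestReceived
# duplicate, a non-resource /healthz request, a denied (403) request and a
# request by a different user, so the filtering below has something to do.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"deployments","namespace":"default","name":"web","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"nodes","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app"},"requestURI":"/healthz","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"kubernetes-admin"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"token","apiVersion":"v1"},"responseStatus":{"code":200}}
"""


def parse_events(log_text, username):
    """Yield the ResponseComplete resource events made by one identity."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # A request is logged once per stage; keep a single record per request.
        if event.get("stage") != "ResponseComplete":
            continue
        if event.get("user", {}).get("username") != username:
            continue
        # Non-resource URLs such as /healthz carry no objectRef; they would need
        # nonResourceURLs rules, which this example does not generate.
        if "objectRef" not in event:
            continue
        yield event


def collect_usage(log_text, username):
    """Map (namespace, apiGroup, resource) to the set of verbs the identity used.
    Denied (403) requests are kept on purpose: they show what the identity tried
    to do and still lacks, which is what you want to see when tightening RBAC."""
    usage = defaultdict(set)
    for event in parse_events(log_text, username):
        ref = event["objectRef"]
        resource = ref["resource"]
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]
        # Cluster-scoped resources (nodes, namespaces, ...) carry no namespace.
        usage[(ref.get("namespace", ""), ref.get("apiGroup", ""), resource)].add(event["verb"])
    return usage


def subject_for(username):
    """Build the RBAC subject for a service account or a plain user."""
    if username.startswith("system:serviceaccount:"):
        _, _, namespace, name = username.split(":", 3)
        return {"kind": "ServiceAccount", "name": name, "namespace": namespace}
    return {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}


def generate_rbac(log_text, username):
    """Return Role/RoleBinding per namespace and ClusterRole/ClusterRoleBinding for
    cluster-scoped resources, granting exactly the verbs seen in the audit log."""
    usage = collect_usage(log_text, username)
    by_namespace = defaultdict(list)
    for (namespace, group, resource), verbs in sorted(usage.items()):
        by_namespace[namespace].append({"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)})
    subject = subject_for(username)
    base_name = username.rsplit(":", 1)[-1] + "-generated"   # constructed naming scheme
    objects = []
    for namespace, rules in by_namespace.items():
        role_kind = "Role" if namespace else "ClusterRole"
        metadata = {"name": base_name}
        if namespace:
            metadata["namespace"] = namespace
        objects.append({"apiVersion": RBAC_API, "kind": role_kind, "metadata": dict(metadata), "rules": rules})
        objects.append({"apiVersion": RBAC_API, "kind": role_kind + "Binding", "metadata": dict(metadata),
                        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": base_name},
                        "subjects": [subject]})
    return objects


if __name__ == "__main__":
    for obj in generate_rbac(SAMPLE_AUDIT_LOG, "system:serviceaccount:default:app"):
        print(json.dumps(obj, indent=2))
```

The generated policy is only as good as the log window it was mined from: a workload that runs a monthly job will be missing those verbs if you only captured a day, so treat the output as a starting point to review, and keep the audit policy at least at Metadata level for the identities you care about, since that is the level at which `objectRef` and `verb` are recorded.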
If you're a pentester or red-teamer, this is a tool you don't want to miss. Kube-hunter is an offensive tool from Aqua Security that helps you explore Kubernetes clusters from an attacker's perspective. It has a plethora of checks that you can use to identify and exploit vulnerabilities in your Kubernetes clusters, remotely or locally.
The tool, like its orientation, is meant to identify AND exploit, so don't use it lightly and, more importantly, never without authorization to do so.
Additionally, what I like about it (a little extra) is that it's one of the few Kubernetes tools written in Python, and since my team largely consists of *py devs, it's easier for us to extend it if required in a client engagement.
Do you have any other tools for Kubernetes security that you love? Let me know; I'll be happy to look at them and experiment with them.
If you're looking for awesome Kubernetes security training, drop us a line here, or you can attend our upcoming class at Black Hat USA 2020, "Kubernetes Security Masterclass".
In addition, if you want a Kubernetes-focused security assessment, audit or pentest, write to us here and we can definitely help you out with your needs.