Since the launch of Kubernetes in July 2015, countless companies have shifted to the open-source container-orchestration system to improve the efficiency of deploying, scaling, and managing applications.
According to a recent survey, Kubernetes is critical for development and DevOps teams, and many organizations have delayed application releases because of Kubernetes security issues. That makes it important to talk about some of the top open source tools for performing Kubernetes security audits.
The following guidelines are important when creating a robust and reliable Kubernetes production setup for running critical applications.
- Authentication & Authorization
  - The system:masters group should not be used for user or component authentication after bootstrapping.
  - The kube-controller-manager should be running with --use-service-account-credentials enabled.
  - The root certificate should be protected (either an offline CA, or a managed online CA with effective access controls).
  - Intermediate and leaf certificates should have an expiry date no more than 3 years in the future.
  - There should be a process for periodic access review, and reviews should occur no more than 24 months apart.
  - The Role Based Access Control Good Practices should be followed for guidance related to authentication and authorization.
- Keep security vulnerabilities and attack surfaces to a minimum for the cluster and applications.
Lock down the pods and nodes, with traceable break-glass policies. Ensure that the applications you are running are secure and that the data you are storing is secured against attack. Kubernetes is a rapidly growing open source project, so to stay on top of it, updates and patches have to be applied in a timely manner.
- Segregate the Kubernetes cluster and configure usage limits.
Segregate the production Kubernetes cluster to make sure that rapid changes at the infrastructure and application level do not impact production workloads. This segregation can be physical or logical, and proper guardrails need to be implemented based on the setup. As Kubernetes is mostly used as shared infrastructure, proper usage limits need to be applied to running applications based on the type and criticality of the workloads, to minimize the impact of an outlier. Namespace-level isolation and resource limits are common practice for this type of enforcement.
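The guidelines above can be turned into a repeatable audit. The script below is an added example (not kube-bench or any project's code) that checks constructed sample inputs against four of them: client certificates whose Organization is system:masters, certificate expiry more than 3 years out, the kube-controller-manager --use-service-account-credentials flag, the 24-month access-review interval, and application namespaces with no ResourceQuota. The certificate records, controller-manager command line, review date and namespace list are all constructed stand-ins for what you would collect with kubectl, openssl and your access-review records.

```python
"""Audit constructed cluster facts against the authentication/authorization
and usage-limit guidelines (added example, not kube-bench code)."""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the audit result is reproducible offline (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: client certificates as `openssl x509 -noout -subject -enddate`
# would report them, for kubeconfig users and control-plane components.
CLIENT_CERTS = [
    {"cn": "kubernetes-admin", "o": "system:masters", "not_after": "2025-01-15"},
    {"cn": "alice", "o": "dev-team", "not_after": "2029-01-15"},
    {"cn": "system:kube-scheduler", "o": "", "not_after": "2025-06-01"},
]

# Constructed: command line of the kube-controller-manager static pod.
CONTROLLER_MANAGER_CMD = [
    "kube-controller-manager",
    "--bind-address=127.0.0.1",
    "--use-service-account-credentials=false",
]

# Constructed: date of the last recorded access review.
LAST_ACCESS_REVIEW = "2021-09-01"

# Constructed: namespaces in the cluster and the ResourceQuota names each has.
NAMESPACES = ["prod-payments", "dev-sandbox", "kube-system"]
RESOURCE_QUOTAS = {"prod-payments": ["prod-quota"]}
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}


def _date(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def check_certs(certs, now=NOW):
    """Flag certs whose Organization is system:masters (cluster-admin by group
    membership, break-glass only after bootstrap) and certs that expire more
    than 3 years from now."""
    findings = []
    for c in certs:
        if c["o"] == "system:masters":
            findings.append(f"{c['cn']}: O=system:masters used for authentication")
        if _date(c["not_after"]) > now + timedelta(days=3 * 365):
            findings.append(f"{c['cn']}: expires {c['not_after']}, more than 3 years out")
    return findings


def uses_service_account_credentials(cmd):
    """True only if --use-service-account-credentials is enabled.
    A bare boolean flag means true; an absent flag means the default, false."""
    for arg in cmd:
        if arg.startswith("--use-service-account-credentials"):
            if "=" in arg:
                return arg.split("=", 1)[1].strip().lower() == "true"
            return True
    return False


def access_review_current(last_review: str, now=NOW) -> bool:
    """Reviews must occur no more than 24 months apart."""
    return now - _date(last_review) <= timedelta(days=730)


def namespaces_without_quota(namespaces, quotas, skip=SYSTEM_NAMESPACES):
    """Application namespaces that have no ResourceQuota at all."""
    return [ns for ns in namespaces if ns not in skip and not quotas.get(ns)]


def audit():
    """Collect every finding into one report, keyed by area."""
    report = {"certs": check_certs(CLIENT_CERTS)}
    if not uses_service_account_credentials(CONTROLLER_MANAGER_CMD):
        report["controller_manager"] = ["--use-service-account-credentials is not enabled"]
    if not access_review_current(LAST_ACCESS_REVIEW):
        report["access_review"] = [f"last review {LAST_ACCESS_REVIEW} is more than 24 months ago"]
    missing = namespaces_without_quota(NAMESPACES, RESOURCE_QUOTAS)
    if missing:
        report["quotas"] = [f"no ResourceQuota in namespace {ns}" for ns in missing]
    return report


if __name__ == "__main__":
    for area, items in audit().items():
        for item in items:
            print(f"[{area}] {item}")
```

Run it as-is and it reports the kubernetes-admin certificate (system:masters), alice's certificate (expiry too far out), the disabled controller-manager flag, the stale access review and the dev-sandbox namespace. To use it against a real cluster, replace the constructed inputs with the output of `kubectl get` and `openssl x509`; the checks themselves do not change.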
Open Source tools for Kubernetes Security:
- Kube-Bench: Whenever we talk about orchestrating containers, security is the main concern, and anyone adopting a Kubernetes ecosystem seriously has to take it into consideration. Kube-Bench is an open-source Go application that runs the CIS Kubernetes Benchmark and tests a K8s cluster to ensure that it meets the CIS guidelines for security. In short, it is the benchmark tool for checking whether or not your Kubernetes cluster is configured according to the recommendations of the Center for Internet Security; CIS publishes a benchmark for Kubernetes, and there are variants of that benchmark for managed services.
Source code: https://github.com/aquasecurity/kube-bench
- Kube-Linter: Kube-Linter is a tool that analyzes your Kubernetes configurations, in the form of YAML files as well as Helm charts, and checks that they follow best practices for security and production readiness. KubeLinter is a vulnerability checker in the tradition of the venerable Unix lint command. Some of the problems KubeLinter finds are explicit security vulnerabilities, such as specifying a Secret in an environment variable or allowing unsafe privilege escalation.
Reference doc: https://docs.kubelinter.io/#/
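To show what this kind of linting looks like in practice, here is an added example (not KubeLinter's code) that inspects a pod template for the two problems named above, a Secret injected through an environment variable and privilege escalation left enabled, plus the missing resource limits that the usage-limit guideline calls for. Both manifests are constructed samples in parsed dict form; the hardened one mounts the Secret as a read-only volume, sets allowPrivilegeEscalation to false and declares CPU and memory limits.

```python
"""Lint a pod template for Secrets in env vars, privilege escalation not
disabled, and missing resource limits (added example, not KubeLinter code)."""

# Constructed: a pod template with all three problems.
WEAK_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example.com/api:1.0",
            "env": [
                {"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
            ],
        }],
    },
}

# Constructed: the same pod after hardening.
HARDENED_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example.com/api:1.0",
            "volumeMounts": [{"name": "db-creds",
                              "mountPath": "/var/run/secrets/db",
                              "readOnly": True}],
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                          "requests": {"cpu": "100m", "memory": "128Mi"}},
        }],
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db"}}],
    },
}


def lint_container(c):
    """Return one finding string per problem found in a single container."""
    findings = []
    name = c["name"]
    # A Secret referenced from env (secretKeyRef) or envFrom (secretRef) ends up
    # in the process environment, where it leaks into logs, crash dumps and
    # child processes; mount it as a volume instead.
    for env in c.get("env", []):
        if "secretKeyRef" in env.get("valueFrom", {}):
            findings.append(f"{name}: env {env['name']} exposes a Secret; mount it as a volume instead")
    for ref in c.get("envFrom", []):
        if "secretRef" in ref:
            findings.append(f"{name}: envFrom exposes Secret {ref['secretRef']['name']}")
    # Only an explicit false disables privilege escalation; absent means allowed.
    if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    limits = c.get("resources", {}).get("limits", {})
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{name}: no {res} limit")
    return findings


def lint_pod(pod):
    """Lint every regular and init container in a pod template."""
    spec = pod["spec"]
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(lint_container(c))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(lint_pod(pod))} finding(s)")
        for f in lint_pod(pod):
            print("  -", f)
```

The weak pod yields four findings (the Secret in DB_PASSWORD, privilege escalation, and the missing CPU and memory limits); the hardened pod yields none. Note the privilege-escalation check: a container that simply omits securityContext is flagged, because the Kubernetes default is to allow escalation.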
- Kube-hunter: Run kube-hunter on any machine (including your laptop), select remote scanning and give it the IP address or domain name of your Kubernetes cluster. This gives you an attacker's-eye view of your Kubernetes setup. Checkov, by comparison, can run hundreds of scans against a Kubernetes cluster; many of its checks, as one could expect, are similar to those in kube-bench.
Source code: https://github.com/aquasecurity/kube-hunter
- Terrascan: Terrascan is an open source tool that helps you detect compliance and security violations across infrastructure as code, to mitigate risk before provisioning cloud-native infrastructure. Terrascan is used while building your Kubernetes application to eliminate common security problems well before your app is ever deployed in the cloud. Before you can run Terrascan, you need to decide how to run it: it is available as a binary package for the most common platforms (download a release binary to run it locally), as an image on Docker Hub if you prefer to avoid local installation, or you can build it from source if desired. Terrascan integrates with Kubernetes through admission webhooks, which allow an administrator to run an external script or tool when Kubernetes receives certain types of requests. Terrascan offers both a CLI and an API, and allows a large degree of customization. For instance, Terrascan assigns severities (low, medium, or high) to its Kubernetes policies, so you can tell it to ignore low-risk findings.
Source code: https://github.com/tenable/terrascan
- Open Policy Agent: OPA is not a vulnerability checker; instead, it is a set of policies with a runtime daemon to implement them. If you spent a long time learning how to configure iptables, get ready to do it all over again: Open Policy Agent is very similar to a firewall, enforcing all kinds of limitations on activities within Kubernetes. OPA is a domain-agnostic, general-purpose policy engine, which means it gives you the ability to decouple and offload policy decision-making from policy enforcement. Suppose you are building microservices in your organization: when a microservice receives an API request it has to make a policy decision, such as whether or not to allow the request, based on all kinds of rules from within the organization. OPA lets you offload that decision-making to a dedicated engine, so that your administrators, your Ops teams and you yourself have more control over the service at runtime. The goal of OPA is to unify policy enforcement across a wide range of technologies.
Source code: https://github.com/open-policy-agent/opa
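The admission-webhook integration described for Terrascan and the decoupling of decision from enforcement that OPA provides come together in a validating admission webhook. The following is an added example, written in Python rather than OPA's Rego policy language and not code from either project, that shows the two halves side by side: a pure policy function that knows nothing about HTTP or Kubernetes request envelopes, and an enforcement adapter that unwraps an AdmissionReview, asks the policy, and wraps the verdict in the response the API server expects. The policy rules (allowed image registries, a required label, no hostNetwork) and the AdmissionReview payload are constructed for the example.

```python
"""Admission-control policy decision decoupled from enforcement
(added example; OPA's real policies are written in Rego)."""
import json

# Policy configuration (constructed): where images may come from and which
# label every workload must carry.
ALLOWED_REGISTRIES = ("registry.example.com/",)
REQUIRED_LABELS = ("team",)


def decide(pod):
    """Policy decision only: returns (allowed, reasons).
    Knows nothing about AdmissionReview or who is asking; this is the part
    OPA offloads to a dedicated engine."""
    reasons = []
    labels = pod.get("metadata", {}).get("labels", {})
    for label in REQUIRED_LABELS:
        if label not in labels:
            reasons.append(f"missing required label '{label}'")
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        reasons.append("hostNetwork is not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if not c["image"].startswith(ALLOWED_REGISTRIES):
            reasons.append(f"container {c['name']}: image {c['image']} is not from an allowed registry")
    return (not reasons), reasons


def admission_response(review):
    """Enforcement adapter: unwraps the AdmissionReview the API server POSTs,
    consults the policy, and builds the AdmissionReview response. The uid must
    be echoed back or the API server discards the response."""
    request = review["request"]
    allowed, reasons = decide(request["object"])
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview",
            "response": response}


# Constructed AdmissionReview for a pod that breaks all three rules.
REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # placeholder uid
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "prod-payments",
        "object": {
            "metadata": {"name": "worker"},
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "worker",
                                "image": "docker.io/library/busybox:latest"}],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(admission_response(REVIEW), indent=2))
```

Because decide() takes a plain pod object, the same function can be run in CI against manifests before deployment and at admission time in the cluster, which is exactly the "decide once, enforce everywhere" property the OPA paragraph describes; swapping the Python policy for a Rego policy evaluated by OPA changes only the adapter.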
Want a handbook on end-to-end Kubernetes deployment? Read this article to know more: www.e2enetworks.com/blog/kubernetes-deployment-handbook-configurations-checklist-error-handling-and-best-practices.
Also, are you looking for Kubernetes as a service? With EKS, the E2E Kubernetes Service on the E2E Cloud platform, you can quickly launch the Kubernetes master and worker nodes and get started with your Kubernetes cluster in a minute.