Starting with Kubernetes Security
We will discuss building an ecosystem for Kubernetes (k8s) security with open source tools. Before starting, I want to mention a few resources that can be helpful on a Kubernetes security journey.
GitHub — magnologan/awesome-k8s-security: A curated list for Awesome Kubernetes Security resources
GitHub — freach/kubernetes-security-best-practice: Kubernetes Security — Best Practice Guide
Tools to be used:
Trivy: scanning container images.
https://github.com/aquasecurity/trivy
Polaris: configuration audit.
https://github.com/FairwindsOps/polaris
Kubebench: infrastructure scanning and compliance checks against the CIS Benchmarks.
https://github.com/aquasecurity/kube-bench
Kubehunter: penetration test results for a Kubernetes cluster.
Starboard: Starboard attempts to integrate heterogeneous security tools by incorporating their outputs into Kubernetes CRDs (Custom Resource Definitions) and, from there, making security reports accessible through the Kubernetes API. So Starboard will be integrating all four tools above.
https://github.com/aquasecurity/starboard
Octant: Octant is used for centralised reporting of all the findings from Trivy, Polaris, Kubebench and Kubehunter.
How these tools fit together is shown in the diagram below:
Starboard can be used as a Kubernetes operator to automatically update security reports in response to workload and other changes on a Kubernetes cluster — for example, initiating a vulnerability scan when a new Pod is started or as a command, so you can trigger scans and view the risks in a kubectl-compatible way or as part of your CI/CD pipeline.
I used it for manual scanning through the command line for POC purposes. This does not scale to a large number of Kubernetes resources; for a production environment the Starboard operator is the better option, since it constantly monitors built-in Kubernetes resources such as Deployments and Nodes and runs the appropriate scanners.
Steps to run the POC locally:
Requirements: Minikube, Starboard, Octant.
Steps to follow:
1. Install Minikube.
2. Run the command: minikube start (this starts the default cluster, named minikube).
3. I created two clusters for POC purposes:
4. Start by creating pods on each cluster; an nginx deployment is a good starting point (there are plenty of tutorials available on the web).
5. Install Starboard (follow the guide in the official docs: https://aquasecurity.github.io/starboard/v0.14.1/cli/getting-started/).
6. Install Octant (follow the official GitHub page and use the command for your OS: https://github.com/vmware-tanzu/octant).
7. Install the Octant Starboard plugin.
8. Run the vulnerability scanner to generate vulnerability reports:
Command: starboard scan vulnerabilityreports deployment/nginx
This is how the scan results look in Octant:
9. Run the scanner to audit the configuration using Polaris, which is the default configuration checker:
Command: starboard scan configauditreports deployment/nginx
This is how the scan results from Polaris look in Octant:
10. Run the scanner to use Kubebench:
Command: starboard scan ciskubebenchreports
This is how the results look in Octant:
11. Run the scanner to use Kubehunter with the command below:
Command: starboard scan kubehunterreports
This is how the results look in Octant:
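The scans above leave their findings in Starboard's custom resources, which is what makes the CI/CD use mentioned earlier possible: a pipeline job can read the VulnerabilityReport for a workload through the Kubernetes API and fail the build on the result. The script below is an added example of such a policy gate; it is not code from this post, from Starboard or from Aqua Security. The report it parses is constructed for the example (the CVE numbers are placeholders, not real findings), the field names follow the aquasecurity.github.io/v1alpha1 VulnerabilityReport schema as I know it, and the thresholds are my own choice; compare the field names against kubectl get vulnerabilityreports -o yaml on your own cluster before relying on them.

```python
"""Policy gate over a Starboard VulnerabilityReport.

Added example, not Starboard's own code. Feed it the JSON printed by
`kubectl get vulnerabilityreports -n default -o json`; it exits non-zero when a
workload carries a fixable finding at or above the chosen severity.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SUMMARY_KEYS = {"CRITICAL": "criticalCount", "HIGH": "highCount",
                "MEDIUM": "mediumCount", "LOW": "lowCount", "UNKNOWN": "unknownCount"}


def _finding(cve: str, pkg: str, severity: str, installed: str, fixed: str = "") -> Dict:
    """Build one entry of report.vulnerabilities (constructed sample data)."""
    return {"vulnerabilityID": cve, "resource": pkg, "severity": severity,
            "installedVersion": installed, "fixedVersion": fixed}


# Constructed sample; CVE IDs are placeholders. Shape follows v1alpha1 VulnerabilityReport.
SAMPLE_REPORT = {
    "apiVersion": "aquasecurity.github.io/v1alpha1",
    "kind": "VulnerabilityReport",
    "metadata": {"name": "deployment-nginx-nginx", "namespace": "default",
                 "labels": {"starboard.resource.kind": "Deployment",
                            "starboard.resource.name": "nginx",
                            "starboard.container.name": "nginx"}},
    "report": {
        "artifact": {"repository": "library/nginx", "tag": "1.16"},
        "scanner": {"name": "Trivy", "vendor": "Aqua Security"},
        "summary": {"criticalCount": 1, "highCount": 2, "mediumCount": 1,
                    "lowCount": 0, "unknownCount": 0},
        "vulnerabilities": [
            _finding("CVE-0000-0001", "libssl1.1", "CRITICAL", "1.1.1d-0", "1.1.1d-1"),
            _finding("CVE-0000-0002", "libc6", "HIGH", "2.28-10"),          # no fix yet
            _finding("CVE-0000-0003", "curl", "HIGH", "7.64.0-4", "7.64.0-5"),
            _finding("CVE-0000-0004", "bash", "MEDIUM", "5.0-4"),
        ],
    },
}


@dataclass
class GateResult:
    workload: str
    passed: bool
    blocking: List[str] = field(default_factory=list)  # must be fixed before deploying
    unfixed: List[str] = field(default_factory=list)   # at/above threshold, no fixedVersion yet


def workload_of(report: Dict) -> str:
    """Starboard labels every report with the scanned workload's kind and name."""
    labels = report["metadata"]["labels"]
    return f'{labels["starboard.resource.kind"]}/{labels["starboard.resource.name"]}'


def summary_matches(report: Dict) -> bool:
    """Cross-check report.summary against the listed findings. A mismatch means the
    object was truncated or edited and must not be accepted as a gate input."""
    counts: Dict[str, int] = {}
    for v in report["report"].get("vulnerabilities", []):
        sev = v.get("severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    summary = report["report"].get("summary", {})
    return all(summary.get(key, 0) == counts.get(sev, 0) for sev, key in SUMMARY_KEYS.items())


def evaluate_report(report: Dict, max_severity: str = "HIGH",
                    fixable_only: bool = True) -> GateResult:
    """Block on any finding at or above max_severity. With fixable_only=True a finding
    without a fixedVersion is listed for triage but does not block, since rebuilding the
    image cannot remove it yet; pass fixable_only=False for a stricter gate."""
    threshold = SEVERITY_RANK[max_severity]
    result = GateResult(workload=workload_of(report), passed=True)
    for v in report["report"].get("vulnerabilities", []):
        if SEVERITY_RANK.get(v.get("severity", "UNKNOWN"), 0) < threshold:
            continue
        if v.get("fixedVersion"):
            result.blocking.append(v["vulnerabilityID"])
        else:
            result.unfixed.append(v["vulnerabilityID"])
            if not fixable_only:
                result.blocking.append(v["vulnerabilityID"])
    result.passed = not result.blocking
    return result


def as_kubectl_list(*reports: Dict) -> str:
    """Serialize reports the way `kubectl get ... -o json` does: a List with items."""
    return json.dumps({"kind": "List", "items": list(reports)})


def evaluate_kubectl_output(text: str, max_severity: str = "HIGH") -> List[GateResult]:
    """Accept either a kubectl List or a single VulnerabilityReport object."""
    doc = json.loads(text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    bad = [workload_of(r) for r in items if not summary_matches(r)]
    if bad:
        raise ValueError(f"summary does not match findings for: {', '.join(bad)}")
    return [evaluate_report(r, max_severity) for r in items]


if __name__ == "__main__":
    # With no stdin, run against the constructed sample so the script works offline.
    text = sys.stdin.read() if not sys.stdin.isatty() else as_kubectl_list(SAMPLE_REPORT)
    results = evaluate_kubectl_output(text)
    for res in results:
        print(f"{'PASS' if res.passed else 'FAIL'} {res.workload}: "
              f"blocking={res.blocking} unfixed={res.unfixed}")
    sys.exit(0 if all(r.passed for r in results) else 1)
```

On a real cluster the input would come from kubectl get vulnerabilityreports -n default -o json piped into the script. The summary cross-check is deliberate: the gate trusts a Kubernetes object that anyone with write access to the CRD could alter, so it refuses reports whose counts and findings disagree rather than silently passing them.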
Thanks !!