Starting with Kubernetes Security

We will discuss creating a eco-system for k8’s security with open source tools.Before starting i want to mention few resources which can be helpful in kubernetes Security Journey.

GitHub — magnologan/awesome-k8s-security: A curated list for Awesome Kubernetes Security resources

GitHub — freach/kubernetes-security-best-practice: Kubernetes Security — Best Practice Guide

GitHub — madhuakula/kubernetes-goat: Kubernetes Goat 🐐 is a “Vulnerable by Design” Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security 🔐

Tools to be used :

Trivy :Scanning container images.

https://github.com/aquasecurity/trivy

Polaris: Configuration audit.

https://github.com/FairwindsOps/polaris

Kubebench: Infrastructures scanning and compliance checks with CIS Benchmarks.

https://github.com/aquasecurity/kube-bench

Kubehunter: Penetration test results for a Kubernetes cluster.

GitHub - aquasecurity/kube-hunter: Hunt for security weaknesses in Kubernetes clusters

Starboard: Starboard attempts to integrate heterogeneous security tools by incorporating their outputs into Kubernetes CRDs (Custom Resource Definitions) and from there, making security reports accessible through the Kubernetes API.So, Startboard will be integrating all four tools above.

https://github.com/aquasecurity/starboard

Octant: Octant is for centralised reporting of all the findings from Trivy, polaris, kubebench and kubehunter.

All the above stated things can be understood by below diagram:

From Starboard Github page

Starboard can be used as a Kubernetes operator to automatically update security reports in response to workload and other changes on a Kubernetes cluster — for example, initiating a vulnerability scan when a new Pod is started or as a command, so you can trigger scans and view the risks in a kubectl-compatible way or as part of your CI/CD pipeline.

I used it for manual scanning through the command-line for POC purpose. But this is not suitable with a large number of Kubernetes resources, For production environment starboard operator is better options to constantly monitor built-in Kubernetes resources, such as Deployments and Nodes, and running appropriate scanners.

Steps to do POC on system locally:

Requirement:Minikube, Starboard, Octant.

Steps to follow:

1. Install minikube
2. Run command : minikube start [This will start default cluster naming minikube]
3. I created two clusters for poc purpose:

4.Start with creating pods on each cluster, you can start with nginx deployment(There are tons of tutorials available on web)

5. Install starboard (Follow the guide from official docs: https://aquasecurity.github.io/starboard/v0.14.1/cli/getting-started/)

6. Install octant (follow the official github page , follow command based on your OS : https://github.com/vmware-tanzu/octant )

7. Install octant starboard plugin.

8. Run the vulnerability scanner to generate vulnerability reports:

command : starboard scan vulnerabilityreports deployment/nginx

This is how scan results look in octant:

9. Run the scanner to audit the configuration using Polaris, which is the default configuration checker:

Command: starboard scan configauditreports deployment/nginx

This is how scan results from polaris looks in octant:

10. Run the scanner to use kubebench

Command: starboard scan ciskubebenchreports

This is how results looks in octant:

11. Run the scanner to use kubehunter with below command:

Command: starboard scan kubehunterreports

This is how results look in octant:

Thanks !!