With the rise of microservices and containers, orchestrating them with Kubernetes has become helpful for maximizing efficiency and cost savings. Yet, too often, Kubernetes suffers from security breaches due to security misconfigurations and over-permissive states. OWASP, the IT security benchmarking group, provides a comprehensive cheat sheet of best practices for securing Kubernetes clusters. This includes advice such as controlling network access to sensitive ports, the Kubernetes API, the kubelet, and etcd; implementing role-based access control; and using transport-level security.

To identify these known vulnerabilities, OWASP also recommends the use of an image scanner. Thankfully, many free packages are available to scan Kubernetes clusters and pods for Common Vulnerabilities and Exposures (CVEs). These packages can be run from the command line or even leveraged for continuous security vulnerability reporting.

Open source is very important for security, since sharing known vulnerabilities can help reduce risk across the IT industry. Compared with managed security tools, free-to-use open-source scanning tools are a low-commitment way to quickly incorporate security testing while avoiding vendor lock-in. You may want to customize your scanner with industry-specific benchmarks or vendor-specific processes; open-source tools are easy to fork and adjust with your own internal security guidelines.

To help tighten your Kubernetes clusters and pods, these top open-source vulnerability scanners and tools can help determine whether your final Kubernetes configuration is safe or presents a risk.

1. kube-bench

Kube-bench is a handy utility that runs a series of benchmark tests based on the guidelines for Kubernetes security from the Center for Internet Security (CIS). It can be used to detect insecure, open default settings and improper user authentication and authorization, and to highlight insecure data in transit and at rest.

Kube-bench, written as a Go application, is deployable as a container. Ready-made job.yaml files make it easy to run kube-bench inside a Kubernetes cluster or on a managed Kubernetes service, such as Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or OpenShift. For example, this command runs kube-bench in AKS:

docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install

After tests are run, kube-bench will indicate the status of the tests, with outputs including:

kube-bench is open-sourced by Aqua Security, which also developed an image scanner for containers called trivy.

2. kube-hunter

Kube-hunter, another Aqua Security project, goes deeper to scan Kubernetes clusters and pods for additional weaknesses outside of the CIS database. As its name implies, kube-hunter uses more predatory, and potentially dangerous, tactics to really put your Kubernetes instances to the test. When set to "active hunting" mode, kube-hunter will go further and exploit the vulnerabilities it finds, using state-changing operations.

You can install kube-hunter with pip:

pip install kube-hunter

You can run kube-hunter from a local machine or within a cluster; it can be set to remote, interface, or network scanning. When run, kube-hunter will return a list of vulnerabilities, each with its own vulnerability ID. The kube-hunter knowledge base is an easy way to look up these issues; there are around 40. For example, vulnerability ID KHV038 is for exposed running pods: "The kubelet is leaking information about running pods via the /runningpods endpoint. This endpoint is exposed as part of the kubelet's debug handlers."

3. kube-score

Kube-score performs a static code analysis of Kubernetes definitions, checking them against many security controls (defined here), each of which can be enabled or disabled. Since kube-score simply tests object definitions, this scanning method is non-intrusive and harmless. A big benefit of kube-score is its emphasis on human-readable error messages with helpful instructions for remediation, which could help you improve reliability and security. Kube-score is also the only utility on this list that offers a free web-based UI to test your object definitions. Simply paste a definition YAML or JSON file there for a quick analysis.
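The kube-bench and kube-hunter sections above both describe tools whose results you would want to feed into continuous security reporting. The following is an added example, not code from this article or from either Aqua Security project: it normalises a kube-bench JSON report (kube-bench's PASS/FAIL/WARN/INFO statuses) and a kube-hunter JSON report (vulnerability IDs such as KHV038 with a severity) into one finding list and applies a single CI gate to it. It assumes kube-bench was run with --json and kube-hunter with --report json, and that the reports use the field names shown in the constructed samples; check those names against the versions you have installed.

```python
"""Gate a CI pipeline on kube-bench and kube-hunter JSON reports.

Added example; not code from the article or from either Aqua Security project.
Assumes kube-bench was run with --json and kube-hunter with --report json, and
that the reports use the field names seen in the constructed samples below.
"""
import json
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    tool: str         # "kube-bench" or "kube-hunter"
    ident: str        # CIS test number, or kube-hunter vulnerability ID such as KHV038
    severity: str     # normalised to one scale: high, medium, low, info
    summary: str
    remediation: str


# Constructed sample of kube-bench --json output, trimmed to two results.
KUBE_BENCH_SAMPLE = json.dumps({"Controls": [{
    "id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
    "tests": [{"section": "4.2", "desc": "Kubelet", "results": [
        {"test_number": "4.2.1", "status": "FAIL", "scored": True,
         "test_desc": "Ensure that the --anonymous-auth argument is set to false",
         "remediation": "Set authentication.anonymous.enabled to false in the kubelet config."},
        {"test_number": "4.2.4", "status": "WARN", "scored": False,
         "test_desc": "Ensure that the --read-only-port argument is set to 0",
         "remediation": "Set readOnlyPort to 0 in the kubelet config."},
    ]}]}]})

# Constructed sample of kube-hunter --report json output with one vulnerability
# (the KHV038 description is the one quoted in the article).
KUBE_HUNTER_SAMPLE = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.1"}],
    "services": [{"service": "Kubelet API", "location": "10.0.0.1:10250"}],
    "vulnerabilities": [{
        "location": "10.0.0.1:10250", "vid": "KHV038", "severity": "high",
        "category": "Information Disclosure", "vulnerability": "Exposed Running Pods",
        "description": "The kubelet is leaking information about running pods via the /runningpods endpoint.",
        "evidence": "2 pods", "hunter": "Kubelet Discovery"}]})


def _bench_severity(status, scored):
    """kube-bench reports PASS/FAIL/WARN/INFO per check; PASS maps to None (dropped)."""
    if status == "FAIL":
        return "high" if scored else "medium"
    return {"WARN": "low", "INFO": "info"}.get(status)


def bench_findings(report_json):
    """Flatten a kube-bench JSON report into Finding objects, skipping PASS results."""
    findings = []
    for control in json.loads(report_json).get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                sev = _bench_severity(r.get("status"), r.get("scored", False))
                if sev is not None:
                    findings.append(Finding("kube-bench", r["test_number"], sev,
                                            r["test_desc"], r.get("remediation", "")))
    return findings


def hunter_findings(report_json):
    """Flatten a kube-hunter JSON report; an unknown severity is kept as medium, not dropped."""
    findings = []
    for v in json.loads(report_json).get("vulnerabilities", []):
        sev = str(v.get("severity", "")).lower()
        if sev not in ("high", "medium", "low", "info"):
            sev = "medium"
        findings.append(Finding("kube-hunter", v["vid"], sev,
                                f"{v['vulnerability']} at {v['location']}: {v['description']}",
                                f"See the kube-hunter knowledge base entry for {v['vid']}."))
    return findings


def gate(findings, fail_on=("high",)):
    """Return (ok, counts): ok is False when any finding has a blocking severity."""
    counts = Counter(f.severity for f in findings)
    return (not any(counts[s] for s in fail_on), dict(counts))


def report_lines(findings):
    """Human-readable lines, most severe first, each with its remediation."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return [f"[{f.severity.upper()}] {f.tool} {f.ident}: {f.summary}\n    fix: {f.remediation}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    found = bench_findings(KUBE_BENCH_SAMPLE) + hunter_findings(KUBE_HUNTER_SAMPLE)
    print("\n".join(report_lines(found)))
    ok, counts = gate(found)
    print("gate:", "PASS" if ok else "FAIL", counts)
    raise SystemExit(0 if ok else 1)
```

The severity mapping is a policy choice: a scored CIS FAIL and a high-severity kube-hunter finding both block the build, an unscored FAIL is downgraded to medium, and a kube-hunter severity the script does not recognise is kept as medium rather than silently dropped, so a report format change cannot make a scan look clean. Exiting non-zero when the gate fails is what lets a pipeline stage refuse to promote a cluster configuration.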
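To make concrete what "static analysis of object definitions" in the kube-score section means, here is an added example written in the spirit of kube-score. It is my own code, not kube-score's, and the check names are my own rather than kube-score's check IDs. It reads a Deployment as JSON (kube-score accepts YAML or JSON; the Python standard library only parses JSON), runs a handful of security and reliability checks against a deliberately weak manifest and its hardened form, and reports each check with a remediation hint in the human-readable style the article praises.

```python
"""Static checks on a Kubernetes object definition, in the spirit of kube-score.

Added example; not kube-score's code, and the check names below are my own,
not kube-score's check IDs. Manifests are read as JSON (the stdlib has no YAML
parser; kube-score itself accepts both). Each check yields PASS/FAIL plus a
remediation hint.
"""
import json

# Constructed sample: a Deployment with several weak settings.
WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [
        {"name": "web", "image": "example/web:latest",
         "securityContext": {"privileged": True}}]}}}})

# The same Deployment with every finding remediated.
HARDENED_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [
        {"name": "web", "image": "example/web:1.4.2",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                       "requests": {"cpu": "100m", "memory": "128Mi"}},
         "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                             "readOnlyRootFilesystem": True,
                             "allowPrivilegeEscalation": False,
                             "privileged": False}}]}}}})


def container_checks(c):
    """Yield (check, passed, remediation) for one container spec."""
    sc = c.get("securityContext", {})
    limits = c.get("resources", {}).get("limits", {})
    requests = c.get("resources", {}).get("requests", {})
    image = c.get("image", "")
    yield ("image-tag", ":" in image and not image.endswith(":latest"),
           "Pin the image to a specific tag or digest instead of :latest.")
    yield ("resources-limits", "cpu" in limits and "memory" in limits,
           "Set resources.limits.cpu and resources.limits.memory so one container cannot starve the node.")
    yield ("resources-requests", "cpu" in requests and "memory" in requests,
           "Set resources.requests.cpu and resources.requests.memory for predictable scheduling.")
    yield ("run-as-non-root", sc.get("runAsNonRoot") is True,
           "Set securityContext.runAsNonRoot: true (and a runAsUser above 0).")
    yield ("read-only-root-filesystem", sc.get("readOnlyRootFilesystem") is True,
           "Set securityContext.readOnlyRootFilesystem: true; mount writable volumes explicitly.")
    yield ("no-privilege-escalation", sc.get("allowPrivilegeEscalation") is False,
           "Set securityContext.allowPrivilegeEscalation: false.")
    yield ("not-privileged", sc.get("privileged") is not True,
           "Remove securityContext.privileged: true; grant specific capabilities instead.")


def score(manifest_json):
    """Return [(check_name, passed, remediation)] for a Pod-carrying object."""
    obj = json.loads(manifest_json)
    results = []
    spec = obj.get("spec", {})
    if obj.get("kind") in ("Deployment", "StatefulSet"):
        results.append(("replicas", spec.get("replicas", 1) >= 2,
                        "Run at least 2 replicas so a single pod failure does not cause downtime."))
        containers = spec.get("template", {}).get("spec", {}).get("containers", [])
    else:  # bare Pod
        containers = spec.get("containers", [])
    for c in containers:
        for check, passed, fix in container_checks(c):
            results.append((f"{c['name']}/{check}", passed, fix))
    return results


def failures(manifest_json):
    """Names of the checks that failed; an empty list means the definition scored clean."""
    return [name for name, passed, _ in score(manifest_json) if not passed]


def render(manifest_json):
    """One line per check, with the remediation hint under each failure."""
    return "\n".join(f"[{'PASS' if ok else 'FAIL'}] {name}" + ("" if ok else f"\n       {fix}")
                     for name, ok, fix in score(manifest_json))


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"--- {label} ---\n{render(manifest)}")
```

Like kube-score, nothing here touches a cluster: the checks only read the object definition, so running them in a pre-merge step is non-intrusive. The security context checks are deliberately strict about absent fields, since a missing allowPrivilegeEscalation or runAsNonRoot inherits the permissive default rather than the safe one.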