Wednesday, July 24, 2019

Free / Open-Source tools for Kubernetes Security Audit

kube-hunter:

                   is an open-source tool that hunts for security issues in your Kubernetes clusters. It’s designed to increase awareness and visibility of the security controls in Kubernetes environments.



kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you see and share the results online. You can also run the Python code yourself as described below.

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules please read Guidelines For Developing Your First kube-hunter Module.





Ref link : https://kube-hunter.aquasec.com/

kube-bench:

                  is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

"An objective, consensus-driven security guideline for the Kubernetes Server Software."


Note that it is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.


Sample Output:
 





CIS Kubernetes Benchmark support

kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.

CIS Kubernetes Benchmark kube-bench config Kubernetes versions
1.0.0 1.6 1.6
1.1.0 1.7 1.7
1.2.0 1.8 1.8-1.10
1.3.0 1.11 1.11-1.12
1.4.0 1.13 1.13-

By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

 Ref Link :

https://github.com/aquasecurity/kube-bench
https://www.cisecurity.org/benchmark/kubernetes/