With Kubernetes, orchestrating containers has become significantly simpler than ever. Thanks to its efficient automated container provisioning, management, and configuration. Many companies are leveraging Kubernetes one way or the other for their containerized applications.
For any containerized application, apart from simple management, security is also of paramount importance. Kubernetes, by default, do provide many basic security features such as assigning an IP address and providing IP-based security. Still, it’s in the hands of cluster admins to implement robust security protocols when it comes to advanced security monitoring and compliance enforcement.
Fortunately, there are a plethora of many third-party open-source Kubernetes vulnerability scanning tools available that can be used to secure the Kubernetes stack. These tools identify the misconfigurations in the Kubernetes cluster and provide solutions to correct these vulnerabilities in the early stage of the deployment.
Vulnerability tools also leverage the Center of Internet Security’s (CIS) comprehensive Kubernetes guideline, which defines practices for getting more visibility into the Kubernetes environment.
So, for this blog, let’s have a look at the most prominent Kubernetes vulnerability scanners in the market and how they can be used to tighten clusters and pod security for containerized applications.
Open-sourced by Aqua Security, Kube-bench is a security vulnerability tool that checks Kubernetes deployments for compliance with CIS’s (Center for Internet Security) guidelines. Center for Internet Security (CIS) is a regulatory body that provides benchmarking tests for safe code practices.
Kube-bench runs a series of tests based on the criteria specified by CIS and analyzes Kubernetes cluster nodes for improper configuration, insecure communication, and authorization. These tests support multiple Kubernetes versions and are defined in easy to modify and extendable YAML job files that output test results using JSON-formatted output.
Errors pointed out during test results by Kubebench are provided with suggestions to fix the issues. Kubebench also integrates well with automated tools like Kops to ensure deployment follows least privilege principles and data is properly encrypted both in transit and at rest.
Kube-bench is written using Go and is deployed as a container making it compatible with almost all managed Kubernetes services such as Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service, or OpenShift.
Overall, kube-bench is very useful for detecting non-compliance issues in the Kubernetes environment. With the recent 0.50 release, kube-bench has allowed the running of jobs on Azure Kubernetes Service and has added support for customizing kubeconfig locations for kube-controller and scheduler.
Kube-hunter is another open-source vulnerability scanning tool developed by Aqua Security for Kubernetes clusters. Unlike kube-bench, kube-hunter scans Kubernetes cluster nodes for more vulnerabilities outside of the CIS guidelines.
Kube-hunter implements active and passive testing to identify dangerous attack vectors and allows cluster admins to address those potential concerns through its automated penetration and discovery features. By actively identifying issues for constantly changing application states, kube-hunter enhances kube-bench CIS validation capabilities with its active hunting mode.
Kube-hunter offers multiple ways to scan vulnerabilities such as remote, interlace, and network and easily run in a local machine or cluster.
It has to be downloaded as a binary zip file and installed using pip directly with network access to the cluster on a local machine. Whereas installing kube-hunter on Kubernetes environment can be quickly done by directly running as a pod inside the Kubernetes cluster.
All the identified vulnerabilities by kube-hunter both in local machine or Kubernetes cluster can be easily viewed in the kube-hunter knowledge base through a vulnerability ID.
Overall, kube-hunter provides powerful automation and works well across various cloud-native platforms for centralized code control and tighter policy enforcement security.
Developed by Spotify, kubeaudit is an open-source command-line-based cluster auditing tool for Kubernetes. Kubeaudit validates clusters by checking them for security misconfigurations and practices against predefined controls. Written in Go Language, kubeaudit can be easily installed on local machines through a single command and provides several modes for auditing such as– manifest, local, and cluster.
Kubeaudit implements auditing for containers, pods, namespaces through several built-in auditors/tests which assess and suggest various practices for different container contexts such as privilege escalation, running applications as root, providing read access to a root file system or insecure default configurations.
All of these contexts are covered through an extensive list of tests that are well documented, explained, and filterable at different security levels. Also, the audit results are marked with varying levels of severity such as error, warning, and info to prioritize issues that require immediate mitigation.
Overall, kubeaudit offers ample functionality to resolve resource misconfiguration and test the Kubernetes cluster’s security concerns.
Developed by Octarine kube-scan is an open-source Kubernetes risk assessment tool that scans cluster workloads for vulnerabilities and assigns risk scores for different workloads. The risk score is rated from 0 to 10, where 0 is low risk and 10 being high risk.
All the scanning tasks in kube-scan to identify risk details are performed by running as a container in the cluster and utilize Kubernetes Common Configuration Scoring System (KCCSS) to determine risk type. KCCSS open-source framework prioritizes confidentiality, availability, and integrity for container configuration and provides scores based on various Kubernetes policies, privilege levels, and scope of exploitation.
Kube-Scan can be easily run from the command line and provides a friendly web UI to identify and display risk details. Teams can also extend the KCCSS framework specification to add specific rules, such as rescanning the cluster every 12hrs.
Kubesec is an open-source risk analysis tool for Kubernetes that scans and validates manifest configuration against predefined security criteria. Kubesec finds misconfigurations in deployments/pods and assigns a risk score to align them with security best practices.
Kubsec can be easily installed using kubectl, container image, or an admission controller in Kubernetes and uses an open-source control plane that runs it as-a-Service over HTTPS.
Kubesec can scan multiple YAML manifest configurations (pods, deployments, and resources) in a single input and assess them for risks such as running containers as root, privilege escalation, and others. Every found vulnerability is provided a severity score to mitigate threats quickly.
Kube-score is a static code analysis tool used to check Kubernetes object definitions against a certain set of security controls defined. Kube-score implements simple scanning methods that can be easily enabled or disabled based on the testing requirements.
Kube-score can easily provide a quick assessment of YAML or JSON object definition files by checking them online at kube-score.com. The output Kube-score list as recommendations to improve cluster reliability and security has a straightforward human-readable syntax and can be easily viewed on a web-based UI.
KubiScan is a command-line utility used to identify permissions and role vulnerabilities in Kubernetes environments. Kubiscan gathers information about cluster roles, users, pods and aims to provide better visibility on handling role-based access control (RBAC) in Kubernetes.
With Kubiscan, users can easily search for contexts such as accounts with privileged pods, pods accessing secret data, and invoke commands to identify associated rules; this can be especially helpful for scenarios where there are lots of permissions to track.
Kubernetes RBAC is structured in a way that it can be easily manipulated if there are security misconfigurations. So, a tool like KubiScan can be easily used by administrators to reduce these misconfigurations and automate traditional manual processes to identify and diagnose cluster problems.
Krane is a simple static analysis tool, implemented by Shopify, used to identify security risks and audit Kubernetes RBAC. Krane can be easily run from a command-line interface or a Docker container to spot weaknesses in the RBAC rules, roles, role bindings and provide remedial measures.
The analysis is done on a set of built-in RBAC risk rules, which can be extended with custom rules. The output results are produced in an easy-to-understand machine-readable format and can be easily viewed through a Dashboard UI which presents a detailed RBAC overview for inspection through the tree and graph views.
Krane also integrates well with Slack to detect medium and high severity risks via alerting and indexes Kubernetes RBAC in Cypher Query Language database to make further RBAC analysis easy through queries.
Twistlock is a fully-featured container and Kubernetes security solution which provides more than 200 built-in checks for the CIS (Center for Internet Security) Benchmarks. With so many vulnerability checks easily available, admins can detect compliance and misconfiguration issues in their Kubernetes applications and enforce custom security policies for particular use cases.
Developed by Inovex, Illuminatio is a network policy validator for Kubernetes. Illumination is written in Python and uses the official Kubernetes python package to automatically scans the Kubernetes cluster for proper network policies enforcement and build policy test cases to determine if they are properly in effect.
With support for CRI compliant runtimes like containerd, illuminatio also supports Docker runtime for Kubernetes nodes/pods. The pod’s namespace information is fetched using the docker python library or crictl depending upon the runtime to perform network requests that will affect the policy. All the test results are properly written into a config map and are printed using the illuminatio CLI interface.
Well, all the tools mentioned above help teams in correcting misconfigurations one way or the other. It’s on the organization’s requirements what they specifically require. Kubebench is a great and most widely available option if an organization requires CIS benchmark compliance.
If an organization requires a visual UI for easy use, consider Kube-Scan with its Vulnerability Scoring System (CVSS) system. Kube audit can be considered when there is a requirement to test and identify certain security areas. Its auditor-based approach provides an exhaustive list of prebuilt security contexts.
Coming to suggestions and misconfiguration mitigation, kube-hunter provides nicely structured advice for policy misconfigurations. Kube-score can also be used as an alternative to kube-hunter if the more human-readable syntax is preferred.
For RBAC and network policies misconfiguration, KubiScan and Illuminatio stand out. They provide fast navigation into role bindings and perform easy cluster analysis. Krane can also be used if Slack integration for RBAC alerts is needed.
As we have seen, Kubernetes is very flexible when it comes to advanced security implementations. It’s really up to the organizations to configure and define the vulnerability scanning tools to balance simplicity and security.
All the tools aim to keep Kubernetes clusters secure as possible from hackers. But it is important to keep in mind that organizations can find a viable option for a specific business by only trying and testing the tools.