Helpful Tools for Container & K8s Security
Signing
Notary
Docker Notary is a framework to sign and verify Docker container images.
Sigstore & Cosign
Sigstore provides a way for software developers to sign off on what they build, without needing to jump through hoops or know tricky security protocols. And it's a way for anyone using those releases to verify the signatures against a tamper-proof log.
It includes Cosign for signing and verifying artifacts and containers, with signatures stored in an Open Container Initiative (OCI) registry, making signatures and in-toto/SLSA attestations invisible infrastructure.
In-Toto
In-Toto is a framework to secure the integrity of software supply chains. It ensures the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order.
Static Code Analysis
General IaC Tools
Checkov
Checkov is an open source static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile and more.
KICS
KICS is an open source solution for static code analysis of Infrastructure as Code. KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in Infrastructure as Code solutions like Terraform, Kubernetes, Docker, Ansible or Helm.
Container & Docker
Hadolint
Hadolint is a Dockerfile linter that helps you build best-practice Docker images. The linter parses the Dockerfile into an AST and applies its rules on top of that AST.
Dockle
Dockle is a container image linter for security that helps you build best-practice Docker images.

Kubernetes
Kubesec
Kubesec is a security risk analysis tool for Kubernetes resources.
You can install it as:
- Docker container image at docker.io/kubesec/kubesec:v2
- Linux/MacOS/Win binary (get the latest release)
- Kubernetes Admission Controller
- Kubectl plugin
You can check your Kubernetes resources using:
Kube-Score
Kube-Score is a tool that performs static code analysis of your Kubernetes object definitions (i.e., your YAML files). You can install it from Kube-Score.
It can be installed using brew: brew install kube-score.
You can verify, e.g., a deployment definition like this:
Popeye - A Kubernetes Cluster Sanitizer
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. Just head to the Popeye website to install it.
With that you can run Popeye against a cluster using your current kubeconfig environment by typing:
Kubernetes RBAC Tools
Who-Can for Auditing RBAC
Kubernetes' Role-Based Access Control (RBAC) is not easy. A recommended helpful tool for auditing RBAC configuration is Aqua Security's Who-Can. Just follow the instructions on the Who-Can website to install it.
After installing, you may for example just check who can create pods:
Look up role bindings with RBAC lookup
RBAC Lookup is a CLI that allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
With RBAC Lookup you can, for example, query the role bindings of the default service account:
Rakkess
Rakkess is a tool to find out what access rights you have on a given Kubernetes cluster. It lists access rights for the current user across all server resources.
Install it via krew as kubectl plugin:
Or install binaries directly on Linux:
More Tools
You can find plenty more RBAC info and tooling on https://rbac.dev.
Image Scanning
Trivy
As part of the demos we will also scan our container images for OS and Application vulnerabilities using an open source tool named Trivy.
Trivy is able to find vulnerabilities (CVE), secrets & misconfigurations (IaC) across code repositories, binary artifacts, container images, Kubernetes clusters, and more.
For installation instructions just browse to the Trivy website.
Trivy is very easy to use locally and inside your CI/CD system.
Docker Scout
With Docker Scout, Docker Desktop and Docker Hub have image scanning capabilities built in. In contrast to Trivy, this is a commercial offering that requires a plan with monthly or yearly payment.