Helpful Tools for Container & K8s Security
Static Code Analysis
Kube-Score
Kube-Score performs static analysis of your Kubernetes object definitions (your YAML manifests) and grades every finding as CRITICAL, WARNING or OK, so it can be run long before anything reaches a cluster. Installation instructions are on the Kube-Score website.
Once installed you can verify e.g. a deployment definition by running its score subcommand against the YAML file; typical findings are missing resource requests and limits, containers not configured to run as non-root, a floating image tag and missing probes.
Checkov
Checkov is an open source static analysis tool for infrastructure as code. It scans infrastructure definitions written as Terraform (including Terraform plan output), CloudFormation, Kubernetes manifests, Dockerfiles and more against a library of built-in policies, and its exit code reflects whether any check failed.
KICS
KICS (Keeping Infrastructure as Code Secure) is an open source static analysis tool for infrastructure as code. It finds security vulnerabilities, compliance issues and misconfigurations in Terraform, Kubernetes, Docker, Ansible, Helm and other IaC formats.
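As an added example (not code from the page, nor from the Checkov or KICS projects), the script below writes a deliberately weak Dockerfile and a hardened counterpart into a temporary directory and runs Checkov, and KICS where installed, over each. Both Dockerfiles are constructed for illustration; the node image tag, the /app path and the /healthz endpoint are assumptions.

```shell
# Added example (not from the page, Checkov or KICS). Writes a weak and a
# hardened Dockerfile (both constructed) and runs the scanners over them.
set -eu

# Constructed sample of the patterns a static IaC scanner flags: floating
# base-image tag, ADD instead of COPY, no USER, SSH port exposed.
write_weak_dockerfile() {
  cat > "$1" <<'EOF'
FROM node:latest
ADD app.tar.gz /app
WORKDIR /app
RUN npm install
EXPOSE 22 3000
CMD ["node", "server.js"]
EOF
}

# Hardened counterpart (image tag, path and health endpoint are assumptions):
# pinned base image, COPY, unprivileged user, HEALTHCHECK, only the app port.
write_hardened_dockerfile() {
  cat > "$1" <<'EOF'
FROM node:20.11.0-alpine3.19
WORKDIR /app
COPY --chown=node:node app/ /app/
RUN npm ci --omit=dev
USER node
EXPOSE 3000
HEALTHCHECK --interval=30s CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
CMD ["node", "server.js"]
EOF
}

# Cheap local pre-check: does the Dockerfile switch to a non-root user?
# Returns 0 if a USER instruction is present; the scanners do the real work.
dockerfile_has_user() {
  grep -Eq '^USER[[:space:]]+[^[:space:]]+' "$1"
}

# Checkov, restricted to the Dockerfile framework. --quiet prints only failed
# checks, --compact omits the code blocks. The exit code is non-zero when any
# check fails, which is what a CI gate wants.
checkov_scan() {
  checkov -d "$1" --framework dockerfile --quiet --compact
}

# KICS on the same directory. --ignore-on-exit results keeps the exit code at
# 0 despite findings, so the pipeline can decide based on the JSON report.
kics_scan() {
  kics scan -p "$1" -o "$1/kics-results" --report-formats json --ignore-on-exit results
}

# Stand-alone run: scan both variants with whichever scanners are installed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/weak" "$demo_dir/hardened"
write_weak_dockerfile "$demo_dir/weak/Dockerfile"
write_hardened_dockerfile "$demo_dir/hardened/Dockerfile"
for variant in weak hardened; do
  if command -v checkov >/dev/null 2>&1; then
    checkov_scan "$demo_dir/$variant" || echo "checkov: failed checks in $variant Dockerfile"
  fi
  if command -v kics >/dev/null 2>&1; then
    kics_scan "$demo_dir/$variant"
  fi
done
```

Run it once with the scanners installed and compare the two outputs: the weak variant should fail the checks for the floating tag, ADD, the missing USER and HEALTHCHECK, and port 22, while the hardened one should come back clean.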
Image Scanning
Docker Scan
Starting with Docker Desktop version 2.3.6.0 and Docker Engine on Linux version 20.10.6, Docker shipped a built-in image scan command (docker scan) whose vulnerability data and matching were provided by Snyk. Note that this Snyk-based docker scan command has since been deprecated in favour of Docker Scout, so check which of the two your Docker version offers before building a pipeline around it.
Trivy
As part of the demos we will also scan our container images for vulnerabilities in OS packages and application dependencies using the open source tool Trivy.
For installation instructions just browse to the Trivy website.
Trivy is very easy to use both locally and inside your CI/CD system: the same command line works in both places, it can filter by severity, and its exit code can be set to fail a build when findings are present.
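The following is an added example, not code from the page or the Trivy project. It shows the invocation that fails a build on fixable HIGH or CRITICAL findings, and a pair of helpers that count findings by severity in a Trivy JSON report without needing jq on the CI runner. The report embedded in the script is a constructed sample in the shape of Trivy's JSON output; its package versions and vulnerability IDs are placeholders and the image name is an assumption. Set IMAGE to a real image reference to scan it instead of the sample.

```shell
# Added example (not from the page or the Trivy project): a CI gate on
# HIGH/CRITICAL findings plus offline counting over Trivy's JSON report.
set -eu

# Fail the build (exit 1) when the image has any HIGH or CRITICAL
# vulnerability that already has a fix. --ignore-unfixed keeps the gate
# actionable: only findings you can patch today block the pipeline.
trivy_gate() {
  trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"
}

# Write the full JSON report (all severities) for archival or later triage.
# Usage: trivy_json_report IMAGE OUTFILE
trivy_json_report() {
  trivy image --format json --output "$2" "$1"
}

# Count findings of one severity in a Trivy JSON report. Trivy emits a
# "Severity": "<LEVEL>" field once per vulnerability (and per
# misconfiguration or secret finding), so grep is enough. Prints the count
# and always exits 0. Usage: count_severity REPORT LEVEL
count_severity() {
  grep -c "\"Severity\": *\"$2\"" "$1" || true
}

# Decide from an existing report whether a release should be blocked:
# exits 0 (block) when any HIGH or CRITICAL finding is present, 1 otherwise.
report_blocks_release() {
  high=$(count_severity "$1" HIGH)
  crit=$(count_severity "$1" CRITICAL)
  [ "$((high + crit))" -gt 0 ]
}

# Constructed sample in the shape of Trivy's JSON output (schema v2).
# Vulnerability IDs and package versions are placeholders, not real data.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "registry.example.com/app:1.2.3",
  "Results": [
    {
      "Target": "registry.example.com/app:1.2.3 (alpine 3.18.4)",
      "Vulnerabilities": [
        {"VulnerabilityID": "PLACEHOLDER-1", "PkgName": "libcrypto3", "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "PLACEHOLDER-2", "PkgName": "busybox", "InstalledVersion": "1.36.1-r2", "Severity": "HIGH"},
        {"VulnerabilityID": "PLACEHOLDER-3", "PkgName": "zlib", "InstalledVersion": "1.2.13-r1", "FixedVersion": "1.3-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "PLACEHOLDER-4", "PkgName": "musl", "InstalledVersion": "1.2.4-r2", "Severity": "MEDIUM"}
      ]
    }
  ]
}
EOF
}

# Stand-alone run: scan a real image if trivy is installed and IMAGE is set,
# otherwise exercise the report helpers on the constructed sample.
report=$(mktemp)
if command -v trivy >/dev/null 2>&1 && [ -n "${IMAGE:-}" ]; then
  trivy_json_report "$IMAGE" "$report"
  trivy_gate "$IMAGE" || echo "gate: $IMAGE has fixable HIGH/CRITICAL findings"
else
  write_sample_report "$report"
fi
echo "CRITICAL: $(count_severity "$report" CRITICAL)  HIGH: $(count_severity "$report" HIGH)"
if report_blocks_release "$report"; then echo "release blocked"; else echo "release allowed"; fi
```

Note the difference between the two decisions: trivy_gate ignores unfixed findings so developers are only blocked on what they can patch, whereas report_blocks_release counts every HIGH/CRITICAL entry in the report, fixed or not, which is the stricter view a security team usually wants for tracking.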
Harbor Registry
Harbor is an open source registry that secures artifacts with policies and role-based access control, scans stored images for vulnerabilities and signs images as trusted. For image scanning it integrates with one of the supported scanners such as Trivy, Clair or Anchore, so the scan runs on push into the registry rather than only in the build pipeline.
Snyk
Snyk is a commercial alternative for image and dependency scanning; it is also the engine behind the built-in Docker scan capability described above.
Kubeaudit for Kubernetes Security Audits
As part of the demos we will also check our Kubernetes cluster for security issues, such as containers running as root, using the open source tool Kubeaudit. It can audit a live cluster or, in manifest mode, a YAML file before it is applied.
For installation instructions just browse to the Kubeaudit website.
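The script below is an added example (not code from the page, kube-score or kubeaudit) that serves both the Kube-Score section above and this one: it writes a first-draft Deployment and a hardened version of it, scores both with kube-score, audits both with kubeaudit in manifest mode, and then lets kubeaudit autofix rewrite the insecure one. Both manifests are constructed; the image names, port and probe path are assumptions.

```shell
# Added example (not from the page, kube-score or kubeaudit). Writes an
# insecure and a hardened Deployment (both constructed) and runs both tools.
set -eu

# Constructed sample: a typical first-draft Deployment (image name assumed).
write_insecure_deployment() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: registry.example.com/web:latest
          ports:
            - containerPort: 8080
EOF
}

# Hardened counterpart: pinned image, non-root user, no privilege escalation,
# read-only root filesystem, all capabilities dropped, resource requests and
# limits, a readiness probe, and no automounted service-account token.
write_hardened_deployment() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: web
          image: registry.example.com/web:1.4.2
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          readinessProbe:
            httpGet: {path: /healthz, port: 8080}
EOF
}

# Quick local check used before (or without) running the tools.
manifest_has() { grep -q "$2" "$1"; }

# kube-score: static scoring of the manifest. -o ci prints one line per
# finding; the exit code is 1 on CRITICAL findings, so it can gate a pipeline.
kube_score() { kube-score score -o ci "$1"; }

# kubeaudit in manifest mode (-f) with all auditors; exit code 2 on findings
# of severity error (the default), 0 when clean.
kubeaudit_manifest() { kubeaudit all -f "$1"; }

# kubeaudit can also rewrite the manifest with fixes for what it found.
kubeaudit_autofix() { kubeaudit autofix -f "$1" -o "$2"; }

# Stand-alone run with whichever tools are installed.
d=$(mktemp -d)
write_insecure_deployment "$d/insecure.yaml"
write_hardened_deployment "$d/hardened.yaml"
for f in insecure hardened; do
  if command -v kube-score >/dev/null 2>&1; then
    kube_score "$d/$f.yaml" || echo "kube-score: CRITICAL findings in $f.yaml"
  fi
  if command -v kubeaudit >/dev/null 2>&1; then
    kubeaudit_manifest "$d/$f.yaml" || echo "kubeaudit: findings in $f.yaml"
  fi
done
if command -v kubeaudit >/dev/null 2>&1; then
  if kubeaudit_autofix "$d/insecure.yaml" "$d/insecure-fixed.yaml"; then
    echo "autofixed manifest written to $d/insecure-fixed.yaml"
  fi
fi
```

Diff the autofixed file against the hardened manifest afterwards: kubeaudit fills in the security context fields, but resource limits, probes and the pinned image tag are things only you can decide, which is why kube-score is still worth running on the result.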
Popeye – A Kubernetes Cluster Sanitizer
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations, such as missing resource limits, unused ConfigMaps and pods with no probes. Head to the Popeye website to install it.
With that in place you scan a cluster using your current kubeconfig context simply by running popeye with no arguments; it can also be limited to a namespace or to selected resource types.
Who-Can for Auditing RBAC
Kubernetes' Role-Based Access Control (RBAC) is not easy to audit by hand, because a permission can come from any RoleBinding or ClusterRoleBinding in the cluster. A recommended tool for auditing an RBAC configuration is Aqua Security's Who-Can. Follow the instructions on the Who-Can website to install it.
After installing it you can, for example, ask which users, groups and service accounts are allowed to create pods in a namespace.
Look up role bindings with RBAC lookup
RBAC Lookup is a CLI that lets you easily find the Kubernetes roles and cluster roles bound to any user, service account or group name; it answers the reverse question to Who-Can.
With RBAC Lookup you can, for example, query the role bindings of the default service account.
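As an added example (not code from the page, Who-Can or RBAC Lookup) serving both this section and the Who-Can section above, the script below wraps the forward question (who can do X), the reverse question (what is bound to subject Y), and a cross-check against the API server's own authorizer with kubectl auth can-i. The namespace and service-account names are assumptions, and nothing is run against a cluster unless the tools and a kubeconfig context are present.

```shell
# Added example (not from the page, who-can or rbac-lookup): the two RBAC
# audit questions, plus a cross-check with kubectl's own authorizer.
set -eu

# Forward question: which subjects may perform VERB on RESOURCE in NAMESPACE?
# who-can resolves every RoleBinding and ClusterRoleBinding that grants it.
# Usage: who_can VERB RESOURCE [NAMESPACE]
who_can() {
  kubectl who-can "$1" "$2" -n "${3:-default}"
}

# Same question across all namespaces.
who_can_all_namespaces() {
  kubectl who-can "$1" "$2" --all-namespaces
}

# Subresources need --subresource: exec into pods is the classic one to audit.
who_can_exec() {
  kubectl who-can create pods --subresource exec -n "${1:-default}"
}

# Reverse question: which Roles/ClusterRoles are bound to this subject?
# -o wide adds the subject kind and the binding that grants each role.
bindings_for() {
  rbac-lookup "$1" -o wide
}

# Impersonation name of a service account, as kubectl --as expects it:
# system:serviceaccount:<namespace>:<name>. Usage: sa_subject NAMESPACE NAME
sa_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Confirm a finding from the subject's side by asking the API server's
# authorizer directly; prints yes/no and exits 0 on yes, 1 on no.
# Usage: can_sa NAMESPACE SERVICEACCOUNT VERB RESOURCE
can_sa() {
  kubectl auth can-i "$3" "$4" -n "$1" --as "$(sa_subject "$1" "$2")"
}

# Stand-alone run against the current kubeconfig context, if the tools exist.
if command -v kubectl-who-can >/dev/null 2>&1; then
  who_can create pods
  who_can get secrets kube-system
  who_can_exec
fi
if command -v rbac-lookup >/dev/null 2>&1; then
  bindings_for default
fi
if command -v kubectl >/dev/null 2>&1 && kubectl config current-context >/dev/null 2>&1; then
  can_sa default default create pods || echo "default service account cannot create pods (expected)"
fi
```

Use the three together: Who-Can tells you that a subject has a permission, RBAC Lookup tells you which binding granted it (and therefore what to remove), and kubectl auth can-i with --as confirms the change took effect without having to obtain the subject's credentials.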