Helpful Tools for Container & K8s Security

Last updated 3 years ago

Static Code Analysis

Kube-Score

Kube-Score is a tool that performs static code analysis of your Kubernetes object definitions (i.e., your YAML files). You can install it from the Kube-Score website.

Now you can verify, e.g., a deployment definition like this:

kube-score score ./deploy.yaml

Checkov

Checkov is an open source static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile and more.

KICS

KICS is an open source solution for static code analysis of Infrastructure as Code. KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in Infrastructure as Code solutions like Terraform, Kubernetes, Docker, Ansible or Helm.

Image Scanning

Docker Scan

Starting with Docker Desktop version 2.3.6.0, or Docker Engine version 20.10.6 on Linux, Docker has built-in image scan capabilities using functionality provided by Snyk.

Trivy

As part of the demos we will also scan our container images for OS and application vulnerabilities using an open source tool named Trivy.

For installation instructions just browse to the Trivy website.

Trivy is very easy to use locally and inside your CI/CD system.

Harbor Registry

Harbor Registry is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. For image scanning you may integrate it with one of the supported scanners like Trivy, Clair or Anchore.

Snyk

You may also use a commercial tool like Snyk.

Kubeaudit for Kubernetes Security Audits

As part of the demos we will also check our Kubernetes resources for security issues like containers running with root rights using an open source tool named Kubeaudit.

For installation instructions just browse to the Kubeaudit website.

Popeye – A Kubernetes Cluster Sanitizer

Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. Just head to the Popeye website to install it.

With that you can Popeye a cluster using your current kubeconfig environment by typing:

popeye

Who-Can for Auditing RBAC

Kubernetes' Role Based Access Control (RBAC) is not easy. A recommended helpful tool for auditing RBAC configuration is Aqua Security's Who-Can. Just follow the instructions on the Who-Can website to install it.

After installing, you may for example check who can create pods:

kubectl who-can create pods

Look up role bindings with RBAC lookup

RBAC Lookup is a CLI that allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.

With RBAC lookup you can query, for example, the role bindings of the default service account:

kubectl rbac-lookup default -k serviceaccount -o wide
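As an added example (not code from the original page or from any of the tools above), the following Python script performs the kind of static check that Kube-Score and Kubeaudit run against a deployment definition: it reads a Deployment manifest and flags containers that may run as root, run privileged, lack resource limits or use a floating image tag. The two manifests (in JSON form, which kubectl also accepts) and the function name audit_deployment are constructed for this example.

```python
import json

# Constructed sample manifests in JSON form (kubectl accepts JSON as well as YAML).
# UNSAFE mirrors an initial deployment with no hardening; SAFE adds a security context.
UNSAFE = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "hello"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "app", "image": "hello:latest",
    "securityContext": {"privileged": true}}]}}}}''')

SAFE = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "hello"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
   "containers": [
   {"name": "app", "image": "hello:1.0.0",
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    "securityContext": {"allowPrivilegeEscalation": false,
                        "readOnlyRootFilesystem": true,
                        "capabilities": {"drop": ["ALL"]}}}]}}}}''')

def audit_deployment(manifest):
    """Return (container name, finding) pairs for every container in the pod template."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # a container-level runAsNonRoot overrides the pod-level setting
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((name, "runAsNonRoot is not true"))
        if sc.get("privileged", False):
            findings.append((name, "privileged is true"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation is not false"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((name, "readOnlyRootFilesystem is not true"))
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append((name, "capabilities are not dropped (drop: [ALL])"))
        if not c.get("resources", {}).get("limits"):
            findings.append((name, "no resource limits"))
        # look only at the last path segment so a registry host:port is not mistaken for a tag
        ref = c.get("image", "").rsplit("/", 1)[-1]
        if ":" not in ref or ref.endswith(":latest"):
            findings.append((name, "image tag missing or :latest"))
    return findings

if __name__ == "__main__":
    for label, m in (("unsafe", UNSAFE), ("safe", SAFE)):
        print(label, audit_deployment(m))
```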