
Audit

CIS

Tool Description
docker-bench
  • Checks for common best-practices around deploying Docker containers in production
  • Usage:
    • docker run -it --net host --pid host --userns host --cap-add audit_control \
      -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
      -v /var/lib:/var/lib \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /usr/lib/systemd:/usr/lib/systemd \
      -v /etc:/etc \
      --label docker_bench_security \
      docker/docker-bench-security
kube-bench
  • Checks whether Kubernetes is deployed according to security best practices
  • kube-bench-exporter can export reports to remote targets like S3
kubescape
  • Test if your Kubernetes cluster is deployed securely as defined in NSA's Kubernetes Hardening Guidance
localtoast
  • A scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner
gke-policy-automation
  • Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices
  • Auditing GKE Clusters across the entire organization: How to establish GKE cluster governance for Google Cloud organization using the GKE Policy Automation, an open-source tool created by the Google Professional Services team

General

Tool Description
kubesec
  • Quantify risk for Kubernetes resources
  • Usage:
    • krew install kubesec-scan
    • kubectl kubesec-scan pod hello-node-7f5b6bd6b8-26cm9
kube-hunter
  • Hunt for security weaknesses in Kubernetes clusters (even remote)
  • Usage:
    • From docker: docker run -it --rm --network host aquasec/kube-hunter
    • From kubectl: kubectl run --rm -it kube-hunter --image=aquasec/kube-hunter --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostNetwork\": true } }"
kubeaudit
  • Audit clusters against common security controls
  • Run from kubectl (as plugin): kubectl audit all
mkit
  • Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes clusters
  • It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found
starboard
  • Integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way
  • kubectl-compatible command-line tool and an Octant plug-in
gke-auditor
  • A tool to detect a set of common Google Kubernetes Engine misconfigurations
stackrox
  • Performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment
trivy
  • Trivy can now scan Kubernetes clusters
  • It reports vulnerabilities and misconfigurations when scanning a full cluster, namespace or a resource
cloudfox
  • Helps gain situational awareness in unfamiliar cloud environments and find exploitable attack paths
  • Introducing: CloudFox
hardeneks
  • Runs checks to see if an EKS cluster follows EKS Best Practices
managed-kubernetes-auditing-toolkit
  • All-in-one auditing toolkit for identifying common security issues in managed Kubernetes environments (EKS)
marvin
  • CLI tool that scans a k8s cluster by evaluating CEL expressions to report potential issues, misconfigurations and vulnerabilities
KubeHound
  • A Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster
Manual
  • List the kube-apiserver flags (only when the control plane is self-managed; the pod name varies with the control-plane node name): kubectl -n kube-system exec kube-apiserver-control-plane -it -- kube-apiserver -h
  • List images in use across all nodes: kubectl get nodes -ojsonpath='{range .items[*].status.images[*]}{.names[0]}{"\n"}{end}' | sort | uniq
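
The jsonpath above only lists image names; the check a practitioner usually wants next is whether those images are reproducible (pinned by digest, not floating on a mutable tag). The following is an added example, not code from the original list or from any tool it names: it parses the same `status.images[].names` field from a constructed `kubectl get nodes -o json` sample (the node and image names are invented), dedups images across nodes, and flags `:latest`, untagged references, and images with no digest recorded (typical of sideloaded images that were never pulled from a registry).

```python
import json

# Constructed sample in the shape of `kubectl get nodes -o json`, trimmed to the
# field the page's jsonpath reads (status.images[].names). Not real cluster output.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"images": [
        {"names": ["registry.k8s.io/coredns/coredns@sha256:" + "ab" * 32,
                   "registry.k8s.io/coredns/coredns:v1.11.1"]},
        {"names": ["docker.io/library/nginx:latest"]},
    ]}},
    {"metadata": {"name": "node-b"}, "status": {"images": [
        {"names": ["registry.k8s.io/coredns/coredns@sha256:" + "ab" * 32,
                   "registry.k8s.io/coredns/coredns:v1.11.1"]},
        {"names": ["internal.example:5000/payments"]},  # registry port, no tag, no digest
    ]}},
]})


def parse_ref(ref):
    """Split an image reference into (repository, tag, digest); missing parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A colon after the last slash is a tag; a colon before it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def audit_node_images(nodes_json):
    """Aggregate images across nodes and flag references that are not reproducible.

    Returns a sorted list of (repository, nodes, tags, issues)."""
    seen = {}
    for node in json.loads(nodes_json).get("items", []):
        node_name = node["metadata"]["name"]
        for image in node.get("status", {}).get("images", []):
            for ref in image.get("names", []):
                repo, tag, digest = parse_ref(ref)
                entry = seen.setdefault(repo, {"nodes": set(), "tags": set(), "digests": set()})
                entry["nodes"].add(node_name)
                if tag:
                    entry["tags"].add(tag)
                if digest:
                    entry["digests"].add(digest)
    report = []
    for repo, entry in sorted(seen.items()):
        issues = []
        if "latest" in entry["tags"]:
            issues.append("mutable tag 'latest'")
        if not entry["tags"] and not entry["digests"]:
            issues.append("untagged reference (resolves to :latest)")
        if not entry["digests"]:
            issues.append("no digest recorded")
        report.append((repo, sorted(entry["nodes"]), sorted(entry["tags"]), issues))
    return report


if __name__ == "__main__":
    # Real use: audit_node_images(subprocess.check_output(["kubectl", "get", "nodes", "-o", "json"]))
    for repo, nodes, tags, issues in audit_node_images(SAMPLE_NODES_JSON):
        print(f"{repo} tags={tags} nodes={nodes} " + ("; ".join(issues) if issues else "ok"))
```

The kubelet records both the digest form and the tag form of a pulled image in `names`, which is why the check keys on the repository and merges the two; an image that appears only in tag form was loaded onto the node by some path other than a registry pull and deserves a look.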

Networking

Tool Description
mizu
  • API traffic viewer for Kubernetes enabling you to view all API communication between microservices
  • Think TCPDump and Wireshark re-invented for Kubernetes
nsenter
  • Tool for debugging container networking
  • If you know the pause PID, you can effectively use any tools installed on the host (not the container) against the pod’s network namespace
  • Usage: $ nsenter -t <pause-pid> -n tcpdump -i eth0
netshoot
  • A Docker + Kubernetes network troubleshooting swiss-army container
netassert
  • Network security testing for DevSecOps workflows
PacketStreamer

RBAC

Tool Description
kubectl
  • List all resources and sub resources that can be constrained with RBAC
  • kubectl get --raw /openapi/v2 | jq '.paths | keys[]'
rbac-tool
  • A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity (viz/analysis/lookup/who-can/policy-rules/auditgen/gen)
kubectl-can-i
  • To find out if you can perform a verb on a resource
  • Also use Kubernetes' Impersonation API to see if another account is able to access a resource
  • Usage:
    • Find out if you can perform a verb on a resource: $ kubectl auth can-i get pods
    • Confirm that you've been given cluster-admin permissions: $ kubectl auth can-i "*" "*"
    • List all the actions you can perform in a namespace: $ kubectl auth can-i --list --namespace=secure
    • Impersonation: take the Service Account named "unprivileged-service-account" (scoped to the "secure" namespace) and see if it has access to get pods: $ kubectl auth can-i get pod --as system:serviceaccount:secure:unprivileged-service-account
kubectl-who-can
  • Show who has permissions to <verb> <resources> in kubernetes
  • Usage:
    • See who has access to a secret ("cluster-admin-creds" in the "secure" namespace):
      $ kubectl who-can get secret cluster-admin-creds -n secure
Rakkess
  • Show an access matrix for k8s server resources
  • Ideal for looking at a ServiceAccount object and trying to determine what it has access to
  • Usage:
    • Dump what your account has access to: $ kubectl access-matrix
    • Look at what a particular Service Account can access: $ kubectl access-matrix --as system:serviceaccount:secure:unprivileged-service-account -n secure
rback
  • RBAC in Kubernetes visualizer
  • Queries all RBAC related information and generates a graph representation of service accounts, (cluster) roles, and the respective access rules
  • Usage:
    • $ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback > result.dot
    • $ dot -Tpng result.dot > /tmp/rback.png && open /tmp/rback.png
rbac-view
  • Visualize Kubernetes RBAC rules
  • Usage:
    • $ kubectl rbac-view
      # serving RBAC View at http://localhost:8800
kubiscan
  • Scan for risky permissions and users in RBAC
  • Can detect accounts which will expose the whole cluster if their identification (JWT token, certificate, etc.) is compromised by an attacker
  • Usage:
    • Run from MASTER node: docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]
    • Search for pods with privileged accounts: kubiscan -rp
    • Show all risky subjects (users, service accounts, groups): kubiscan -rs
    • Show all the rules a service account has: kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"
    • List service account RoleBindings: kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"
rbac-lookup
  • Find Kubernetes roles and cluster roles bound to any user, service account, or group name
  • Usage: rbac-lookup rob --output wide
kubectl-rolesum
  • Summarize RBAC roles for the specified subject (ServiceAccount, User and Group)
  • Usage: kubectl rolesum -k Group developer
kubernetes-rbac-audit
  • Scans the Kubernetes RBAC for risky roles
  • Usage: python ExtensiveRoleCheck.py --clusterRole clusterroles.json --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json
krane
  • RBAC static Analysis & visualisation tool
  • Usage: krane report -k <context>
sa-hunter
  • Correlates serviceaccounts, pods and nodes to the permissions granted to them via rolebindings and clusterrolebindings
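
What the `kubectl auth can-i --as` impersonation checks above do one query at a time, and what kubiscan, kubernetes-rbac-audit and sa-hunter do in bulk, boils down to resolving bindings to rules and matching those rules against a list of dangerous capabilities. The block below is an added example written for this page, not the code of any of those tools: it works offline over constructed Role/RoleBinding/ClusterRole/ClusterRoleBinding objects (names such as `secret-reader`, `ci`, `app` and `developers` are invented, as is the `RISKY` capability list), answers `can-i` queries with the same namespace scoping the API server applies (a RoleBinding to a ClusterRole grants only inside its own namespace), and reports every subject holding a risky capability and where.

```python
# Constructed RBAC objects in the shape of `kubectl get clusterroles,clusterrolebindings,
# roles,rolebindings -A -o json` (only the fields read below). Not dumped from a real cluster.
SAMPLE_RBAC = {
    "ClusterRole": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        {"metadata": {"name": "pod-viewer"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    ],
    "ClusterRoleBinding": [
        {"metadata": {"name": "ci-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    ],
    "Role": [
        {"metadata": {"name": "exec-pods", "namespace": "secure"},
         "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    ],
    "RoleBinding": [
        {"metadata": {"name": "app-secrets", "namespace": "secure"},
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "secure"}]},
        {"metadata": {"name": "unpriv-view", "namespace": "secure"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
         "subjects": [{"kind": "ServiceAccount", "name": "unprivileged-service-account",
                       "namespace": "secure"}]},
        {"metadata": {"name": "debug", "namespace": "secure"},
         "roleRef": {"kind": "Role", "name": "exec-pods"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
    ],
}

# (label, verb, resource, apiGroup) capabilities worth flagging. This list is an
# assumption chosen for the example, not a standard.
RISKY = [
    ("cluster-admin equivalent", "*", "*", "*"),
    ("read secrets", "get", "secrets", ""),
    ("list secrets", "list", "secrets", ""),
    ("exec into pods", "create", "pods/exec", ""),
    ("create pods", "create", "pods", ""),
    ("impersonate users", "impersonate", "users", ""),
    ("escalate via bind", "bind", "clusterroles", "rbac.authorization.k8s.io"),
    ("create clusterrolebindings", "create", "clusterrolebindings", "rbac.authorization.k8s.io"),
]

def subject_key(subject):
    """Name a subject the way kubectl's --as flag expects it."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"

def grants(rbac):
    """Yield (subject, namespace or None for cluster-wide, rule) for every rule a binding confers."""
    cluster_roles = {r["metadata"]["name"]: r.get("rules", []) for r in rbac["ClusterRole"]}
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r.get("rules", []) for r in rbac["Role"]}
    for binding in rbac["ClusterRoleBinding"]:
        for subject in binding.get("subjects") or []:
            for rule in cluster_roles.get(binding["roleRef"]["name"], []):
                yield subject_key(subject), None, rule
    for binding in rbac["RoleBinding"]:
        ns, ref = binding["metadata"]["namespace"], binding["roleRef"]
        # A RoleBinding may reference a ClusterRole, but the grant stays inside its namespace.
        rules = cluster_roles.get(ref["name"], []) if ref["kind"] == "ClusterRole" else roles.get((ns, ref["name"]), [])
        for subject in binding.get("subjects") or []:
            for rule in rules:
                yield subject_key(subject), ns, rule

def rule_allows(rule, verb, resource, api_group):
    def match(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def can_i(rbac, subject, verb, resource, namespace=None, api_group=""):
    """Offline answer to `kubectl auth can-i <verb> <resource> -n <namespace> --as <subject>`."""
    for subj, scope, rule in grants(rbac):
        if subj == subject and scope in (None, namespace) and rule_allows(rule, verb, resource, api_group):
            return True
    return False

def risky_subjects(rbac):
    """Map each subject to sorted (capability, scope) pairs; scope None means cluster-wide."""
    findings = {}
    for subj, scope, rule in grants(rbac):
        for label, verb, resource, group in RISKY:
            if rule_allows(rule, verb, resource, group):
                findings.setdefault(subj, set()).add((label, scope))
                if label == "cluster-admin equivalent":
                    break  # every other capability is implied
    return {s: sorted(v, key=lambda f: (f[0], f[1] or "")) for s, v in findings.items()}

if __name__ == "__main__":
    for subj, caps in sorted(risky_subjects(SAMPLE_RBAC).items()):
        print(subj, [f"{label} ({scope or 'cluster-wide'})" for label, scope in caps])
```

Two points the offline matcher makes visible: subresources are distinct resources (a rule on `pods` does not grant `pods/exec`, but `*` grants both), and a namespaced grant never answers a query for another namespace, which is why the `unprivileged-service-account` check in the `can-i` usage above must be run with `-n secure` to reflect what the account can actually do. Aggregated controls such as `kubectl auth can-i --list` or resourceNames restrictions are not modelled here.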