Audit

CIS

Tool Description
docker-bench
  • Checks a Docker host and its containers against the CIS Docker Benchmark's common best practices for production deployments
  • The audit container needs the host's network, PID and user namespaces plus the Docker socket; mount the host paths read-only (:ro) so the audit container itself cannot modify them
  • Usage:
    • docker run -it --rm --net host --pid host --userns host --cap-add audit_control \
      -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
      -v /var/lib:/var/lib:ro \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /usr/lib/systemd:/usr/lib/systemd:ro \
      -v /etc:/etc:ro \
      --label docker_bench_security \
      docker/docker-bench-security
kube-bench
  • Checks whether Kubernetes is deployed according to the CIS Kubernetes Benchmark
  • kube-bench-exporter can export reports to remote targets such as S3

General

Tool Description
kubesec
  • Quantify risk for Kubernetes resources
  • Usage:
    • krew install kubesec-scan
    • kubectl kubesec-scan pod hello-node-7f5b6bd6b8-26cm9
kubepox
  • Kubernetes network policy exploration tool
  • Lets you query all defined network policies and the Pods each one affects
mkit
  • Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes clusters
  • It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found
starboard
  • Integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way
  • kubectl-compatible command-line tool and an Octant plug-in
nsenter
  • util-linux tool for entering another process's namespaces; handy for debugging container networking
  • If you know the PID of the pod's pause container, you can run any tool installed on the host (not in the container) inside the pod's network namespace
  • Find that PID on the node with docker inspect --format '{{.State.Pid}}' <pause-container> (Docker) or from the info.pid field of crictl inspectp <pod-id> (containerd)
  • Usage: $ nsenter -t <pause-pid> -n tcpdump -i eth0
gke-auditor
  • A tool to detect a set of common Google Kubernetes Engine misconfigurations
Manual
  • List images in use across all nodes (each node reports the image references it has pulled; .names[0] is typically the digest form, use .names[*] to see tags as well): kubectl get nodes -ojsonpath='{range .items[*].status.images[*]}{.names[0]}{"\n"}{end}' | sort -u

RBAC

Tool Description
kubectl
  • List all resources and sub-resources (as API paths) that can be constrained with RBAC
  • kubectl get --raw /openapi/v2 | jq '.paths | keys[]'
  • kubectl api-resources -o wide also shows the verbs each resource supports, which is what RBAC rules are written against
kubectl-can-i
  • Find out if you can perform a verb on a resource
  • Also uses the Kubernetes impersonation API (via --as / --as-group, which requires the impersonate verb on the target) to check whether another account can access a resource
  • Usage:
    • Find out if you can perform a verb on a resource: $ kubectl auth can-i get pods
    • Confirm that you've been given cluster-admin permissions: $ kubectl auth can-i "*" "*"
    • List all the actions you can perform in a namespace: $ kubectl auth can-i --list --namespace=secure
    • Impersonation: take the Service Account named "unprivileged-service-account" (scoped to the "secure" namespace) and see if it has access to get pods: $ kubectl auth can-i get pod --as system:serviceaccount:secure:unprivileged-service-account
kubectl-who-can
  • Show who has permissions to <verb> <resources> in kubernetes
  • Usage:
    • See who has access to a secret ("cluster-admin-creds" in the "secure" namespace):
      $ kubectl who-can get secret cluster-admin-creds -n secure
Rakkess
  • Show an access matrix for Kubernetes server resources
  • Ideal for looking at a ServiceAccount and determining what it has access to
  • Usage:
    • Dump what your account has access to: $ kubectl access-matrix
    • Look at what a particular Service Account can access: $ kubectl access-matrix --as system:serviceaccount:secure:unprivileged-service-account -n secure
rback
  • RBAC in Kubernetes visualizer
  • Queries all RBAC related information and generates a graph representation of service accounts, (cluster) roles, and the respective access rules
  • Usage:
    • $ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback > result.dot
    • $ dot -Tpng result.dot > /tmp/rback.png && open /tmp/rback.png   # use xdg-open on Linux
rbac-view
  • Visualize Kubernetes RBAC rules
  • Usage:
    • $ kubectl rbac-view
      # serves the RBAC View UI on http://localhost:8800
kubiscan
  • Scan for risky permissions and subjects in RBAC
  • Can detect accounts that would expose the whole cluster if their credentials (service account JWT, client certificate, etc.) were compromised by an attacker
  • Usage:
    • Run from a control-plane node: docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]
    • Search for pods with privileged accounts: kubiscan -rp
    • Show all risky subjects (users, service accounts, groups): kubiscan -rs
    • Show all the rules a service account has: kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"
    • List service account RoleBindings: kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"
rbac-lookup
  • Find Kubernetes roles and cluster roles bound to any user, service account, or group name
  • Usage: rbac-lookup rob --output wide
kubectl-rolesum
  • Summarize RBAC roles for the specified subject (ServiceAccount, User and Group)
  • Usage: kubectl rolesum -k Group developer
kubernetes-rbac-audit
  • Scans Kubernetes RBAC objects for risky roles
  • Works offline on exported JSON, e.g. kubectl get clusterroles -o json > clusterroles.json (and likewise for roles, rolebindings and clusterrolebindings across all namespaces)
  • Usage: python ExtensiveRoleCheck.py --clusterRole clusterroles.json --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json
krane
  • RBAC static Analysis & visualisation tool
  • Usage: krane report -k <context>
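Most of the RBAC tools above (kubectl who-can, Rakkess, kubiscan, kubernetes-rbac-audit) answer two questions from the same four object kinds: "who can do verb X on resource Y in namespace Z?" and "which subjects hold risky rules?". The script below, an added example that is not code from any of those projects, does both over a constructed sample in the shape of kubectl get ... -o json output. The role and subject names, the namespaces and the RISKY_CHECKS list are assumptions for the example; it honours the real RBAC matching rules for "*" and "*/subresource" and for a RoleBinding that references a ClusterRole (which grants that ClusterRole's rules only inside the binding's namespace).

```python
import json

# Constructed sample in the shape of
# `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`.
# Every name and namespace here is invented for this example.
SAMPLE_RBAC = json.loads(r'''
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "pod-exec", "namespace": "secure"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "Role", "metadata": {"name": "view-pods", "namespace": "secure"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-secrets"},
  "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
 {"kind": "RoleBinding", "metadata": {"name": "debuggers", "namespace": "secure"},
  "roleRef": {"kind": "Role", "name": "pod-exec"},
  "subjects": [{"kind": "ServiceAccount", "name": "debug", "namespace": "secure"}]},
 {"kind": "RoleBinding", "metadata": {"name": "app-secrets", "namespace": "secure"},
  "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "secure"}]},
 {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "secure"},
  "roleRef": {"kind": "Role", "name": "view-pods"},
  "subjects": [{"kind": "ServiceAccount", "name": "unprivileged-service-account", "namespace": "secure"}]}
]}
''')

# (label, verb, resource, apiGroup) that we treat as risky. This list is an
# assumption for the example, not kubiscan's or kubernetes-rbac-audit's own set.
RISKY_CHECKS = [
    ("cluster-admin-like", "*", "*", "*"),
    ("read-secrets", "get", "secrets", ""),
    ("list-secrets", "list", "secrets", ""),
    ("exec-into-pods", "create", "pods/exec", ""),
    ("impersonate", "impersonate", "users", ""),
    ("bind-roles", "bind", "clusterroles", "rbac.authorization.k8s.io"),
    ("escalate-roles", "escalate", "clusterroles", "rbac.authorization.k8s.io"),
]


def subject_id(subject):
    """Render a binding subject the way `kubectl --as` expects it."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def index_roles(items):
    """Map (kind, namespace-or-None, name) -> rules for every Role/ClusterRole."""
    return {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules") or []
            for o in items if o["kind"] in ("Role", "ClusterRole")}


def resolve_bindings(items):
    """Return (subject_id, scope, rules) per subject; scope is "*" for a
    ClusterRoleBinding or the namespace for a RoleBinding."""
    roles, out = index_roles(items), []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = o["roleRef"], o["metadata"].get("namespace")
        scope = "*" if o["kind"] == "ClusterRoleBinding" else ns
        role_ns = ns if ref["kind"] == "Role" else None   # ClusterRole refs are unnamespaced
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])  # dangling ref grants nothing
        out.extend((subject_id(s), scope, rules) for s in o.get("subjects") or [])
    return out


def rule_grants(rule, verb, resource, api_group=""):
    """True if one PolicyRule allows verb on resource, with Kubernetes wildcard
    semantics: "*" matches anything, "*/exec" matches the exec subresource of any resource."""
    verbs, res, groups = rule.get("verbs", []), rule.get("resources", []), rule.get("apiGroups", [])
    sub = resource.partition("/")[2]
    return (("*" in verbs or verb in verbs)
            and ("*" in res or resource in res or (sub != "" and f"*/{sub}" in res))
            and ("*" in groups or api_group in groups))


def who_can(items, verb, resource, namespace, api_group=""):
    """Subjects allowed to do verb on resource in namespace (what `kubectl who-can` answers)."""
    return sorted({sid for sid, scope, rules in resolve_bindings(items)
                   if scope in ("*", namespace)
                   and any(rule_grants(r, verb, resource, api_group) for r in rules)})


def risky_subjects(items):
    """Map subject -> sorted "check@scope" labels it holds (what `kubiscan -rs` answers)."""
    found = {}
    for sid, scope, rules in resolve_bindings(items):
        for label, verb, resource, group in RISKY_CHECKS:
            if any(rule_grants(r, verb, resource, group) for r in rules):
                found.setdefault(sid, set()).add(f"{label}@{scope}")
    return {sid: sorted(v) for sid, v in found.items()}


if __name__ == "__main__":
    print(json.dumps(risky_subjects(SAMPLE_RBAC["items"]), indent=2))
    print(who_can(SAMPLE_RBAC["items"], "get", "secrets", "secure"))
```

Point it at real data with kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json. Two gaps to keep in mind when reading its output against a live cluster: it ignores aggregated ClusterRoles (the aggregationRule field) and it reports group subjects such as system:authenticated literally rather than expanding them to the users and service accounts that belong to the group, which is exactly why a ClusterRoleBinding to such a group is worth flagging by itself.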