A list of open source Kubernetes tools to assist those learning or those with small IT budgets wishing to secure their environments and CI/CD tool chains. I’ve done my best to categorize the tools as “Reputable” and “Beware”. Use at your own risk.
Reputable Open Source security tools
Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code, so you can mitigate risks before provisioning cloud native infrastructure. Run it locally or integrate it with your CI/CD.
- 500+ Policies for security best practices
- Scanning of Terraform (HCL2)
- Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
- Support for AWS, Azure, GCP, Kubernetes and GitHub
kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don’t own!
The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
Grype – A vulnerability scanner for container images and filesystems
Syft – CLI tool and library for generating a Software Bill of Materials from container images and filesystems
anchore-engine – A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
Anchore Kubernetes Admission Controller – Implements a Kubernetes Dynamic Webhook controller that interacts with Anchore Engine and makes admission decisions based on image properties determined during analysis by Anchore Engine.
ExtensiveRoleCheck is a Python tool that scans Kubernetes RBAC for risky roles. The tool is part of the “Kubernetes Pentest Methodology” blog post series.
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL] in Kubernetes.
Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio’s control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes.
OPA (Open Policy Agent) can be deployed as a Kubernetes admission controller to enforce policy on objects before they are persisted. For example, by deploying OPA as an admission controller you can:
- Require specific labels on all resources.
- Require that container images come from the corporate image registry.
- Require that all Pods specify resource requests and limits.
- Prevent conflicting Ingress objects from being created.
kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs), either from a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc.).
Sealed Secrets: encrypt your Secret into a SealedSecret, which is safe to store – even in a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster; nobody else (not even the original author) is able to recover the original Secret from the SealedSecret.
BEWARE / untested – security tools
- Kube-Scan – Octarine k8s cluster risk assessment tool https://www.octarinesec.com/
- Permission manager – Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW https://sighup.io/
- Kubernetes Common Configuration Scoring System (KCCSS) – scoring system for Kubernetes configuration risk https://www.octarinesec.com/
- rakkess – Review Access – kubectl plugin to show an access matrix for server resources
- klum – Kubernetes Lazy User Manager
- Kyverno – Kubernetes Native Policy Management https://kyverno.io
- kiosk – Multi-Tenancy Extension For Kubernetes – Secure Cluster Sharing & Self-Service Namespace Provisioning
- kubeaudit – Audit your Kubernetes clusters against common security controls
- kubectl-bindrole – Find Kubernetes roles bound to a specified ServiceAccount, Group or User
- kubectl-dig – Deep Kubernetes visibility from the kubectl
- audit2rbac – Autogenerate RBAC policies based on Kubernetes audit logs
- rback – RBAC in Kubernetes visualizer
- trivy – A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI