12 Scanners to Find Security Vulnerabilities and Misconfigurations in Kubernetes

Kubernetes has become the de facto operating system of the cloud. Developers love K8s because Kubernetes makes it easy for developers to package their applications into portable microservices.

More than 90% of companies dealing with cloud and microservices orchestration are going towards Kubernetes. There are more than 24,441 companies that use Kubernetes.

Have you ever wondered if your container is really safe or has an open door?

Although Kubernetes provides various security measures out of the box with. There are often other reasons that these gaps in security can arise. Here are examples:

• Configuration Misconfiguration: a recent study found that 70–75% of organizations have at least one serious AWS security misconfiguration.²

• Kubernetes API Service: Tesla found this out when it put the dashboard that is part of its main Kubernetes API service online without authentication.³

However, Kubernetes has only the most basic security features. And it doesn’t cover all the checks that are provided at CIS “Center of Internet Security”⁴. Unfortunately, Kubernetes does not provide this level of protection when it comes to sophisticated security monitoring and compliance enforcement by administrators.

As shown in Figure-2, there are several ways an attacker could try to compromise your Kubernetes cluster and the applications running on it.

We will not look at all the reasons why Vulnerabilities Secrutity could occur in Kubernetes cluster in this article. That will be considered in other articles.

I have collected several useful scanners in my recent projects to find vulnerabilities and misconfigurations in K8S and would like to present them to you in this article.

1. Kube-bench

Kube-bench is a scanner that checks whether Kubernetes is implemented securely or not by using the CIS Kubernetes Benchmark implementation as accurately as possible. Kube-bench was awarded a 2018 InfoWorld Basic Award.⁷

This is written in GO and it will output pass, fail, or warning messages with the appropriate section of the CIS Kubernetes Benchmark for Lookup through the tests that the tool runs.

Quick start

you can run kube-bench:

• inside a container:

docker run - pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest - version 1.18

• inside a Kubernetes-Cluster:

The supplied job.yaml file can be applied to run the tests as a job.

kubectl apply -f https://github.com/aquasecurity/kube-bench/blob/main/job.yaml

inside the EKS Cluster:

aws ecr create-repository — repository-name k8s/kube-bench — image-tag-mutability MUTABLE
kubectl apply -f https://github.com/aquasecurity/kube-bench/blob/main/job-eks.yaml

2. Kube-hunter

Kube-hunter as the name implies, it will hunt for security vulnerabilities in Kubernetes clusters. It is designed to increase awareness and visibility of security controls in Kubernetes environments. From outside the cluster, kube-hunter scans a domain or address range for open Kubernetes-related ports and tests for configuration issues that make your cluster vulnerable to attackers.

Quick start:

There are three different ways to run kube-hunter, each offering a different approach to discovering vulnerabilities in your cluster.

• You can run kube-hunter:

On any machine, select remote scanning and specify the IP address or domain name of your Kubernetes cluster. This will give you an overview of your Kubernetes setup from an attacker’s perspective.

pip install kube-hunter

• On a machine in the cluster

docker run -it — rm — network host aquasec/kube-hunter

• In a pod within the cluster

kubectl create -f https://github.com/aquasecurity/kube-hunter/blob/main/job.yaml

3. Kubeaudit

Kubeaudit detects security misconfigurations in your Kubernetes resources and gives tips on how to fix them.

Kubeaudit comes with a large list of “auditors” that test various aspects, such as the SecurityContext of pods.

Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security aspects

Quick start:

You can install kubeaudit:

• via Homebrew:

brew install kubeaudit

• via Helm:

helm upgrade — install kubeaudit secureCodeBox/kubeaudit

Example:

$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml"
---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: deployment
    namespace: deployment-apps-v1

--------------------------------------------

-- [error] AppArmorAnnotationMissing
   Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.
   Metadata:
      Container: container
      MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container

-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.

-- [error] CapabilityShouldDropAll
   Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
   Metadata:
      Container: container
      Capability: AUDIT_WRITE
...

4. Kube-scan

With Kube-scan¹¹ you can get the risk score of your workloads. Kube-scan gives a risk score from 0 (no risk) to 10 (high risk) for each workload. Kube-scan is designed to help you understand which of your workloads are most at risk and why, and allows you to prioritize updates to your pod security policy, pod definitions, and manifest files to keep your risk under control.

Quick start:

• Kube-scan is a single pod deployment with a YAML file:

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml
kubectl port-forward — namespace kube-scan svc/kube-scan-ui 8080:80

• and then you can start the: http://localhost:8080

5. Kubesec

Kubesec is an open-source tool for assessing the security risk of Kubernetes workloads based on their YAML configuration.

Kubesec quantifies the risk to Kubernetes resources by validating the configuration files and manifest files used for Kubernetes deployments and operations.

Quick start:

Kubesec is available as:

• Docker Container:

docker.io/kubesec/kubesec:v2 https://hub.docker.com/r/kubesec/kubesec/tags

• Linux/MacOS/Win binary: https://github.com/controlplaneio/kubesec/releases
• Kubernetes Admission Controller: https://github.com/controlplaneio/kubesec-webhook
• Kubectl Plugin: https://github.com/controlplaneio/kubectl-kubesec

Example Command Line Usage:

kubesec scan k8s-deployment.yaml

6. Kube-score

Kube-score performs a static code analysis for all Kubernetes object definitions. The output is a list of recommendations on what you can improve to make your application more secure and resilient.

Quick start: You can easy install kube-score via:

• Docker: docker pull zegl/kube-score
• Homebrew: brew install kube-score
• Krew the plugin manager for kubectl command-line tool: kubectl krew install score

You can find here a full list of Checks

Example:

kube-score score my-app/*.yaml

7. KubiScan

KubiScan helps cluster administrators identify permissions that attackers could exploit to compromise clusters. KubiScan scans Kubernetes clusters for risky permissions in Kubernetes Role-based Access Control (RBAC) permission model. KubiScan can scan for pods that contain privileged service account tokens that can be abused for privilege escalation attacks or to compromise the cluster.

Quick start:

• You install KubiScan via:

- alias kubiscan='python3 https://github.com/cyberark/KubiScan/blob/master/KubiScan.py to use kubiscan

Example:

• Searching for pods with privileged account:

kubiscan -rp

• Verifying that this account appears in the risky subjects list:

kubiscan -rs

• Searching for all the rules this service account has:

kubiscan -aaes “risky-sa” -ns “default” -k “ServiceAccount”

8. Krane

Krane is a command line tool written in Ruby. Krane is a simple tool for static analysis of Kubernetes RBAC. It identifies potential security risks in K8’s RBAC design and makes suggestions on how to mitigate them. The Krane dashboard presents the current RBAC security posture and lets you navigate through the definition.

Quick start:

• You can install Krane vie:

gem install krane

and then:

krane deploy <app’s namespace> <kube context>

9. Illuminatio

Illuminatio is a utility for automatically testing Kubernetes network policies. Simply run illuminatio clean run and illuminatio will scan your Kubernetes cluster for network policies, create appropriate test cases, and execute them to determine if the policies are in effect.

Quick start:

• You can install illuminatio via:

pip3 install illuminatio

• or Kubectl Plugin:

ln -s $(which illuminatio) /usr/local/bin/kubectl-illuminatio
kubectl plugin list — name-only | grep illuminatio

Test your newly created NetworkPolicy:

illuminatio clean run

10. Checkov

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructures deployed with Terraform, Terraform Plan, Cloudformation, AWS SAM, Kubernetes, Dockerfile, Serverless, or ARM templates and detects security and compliance misconfigurations through graph-based scanning.

• Quick start:

You can easy install Checkov via:

• Python Package Manager:

pip3 install checkov

• Homebrew:

brew install checkov

Run It:

checkov — directory /user/path/to/iac/code

Or a specific file or files

checkov --file /user/tf/example.tf

11. MKIT

Managed Kubernetes Inspection Tool (MKIT) is an acronym for Managed Kubernetes Inspection Tool.

MKIT is a Managed Kubernetes Inspection Tool that uses FOSS tools to query and inspect various common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running in the cluster.

MKIT supports the following managed Kubernetes providers:

• Azure Kubernetes Service (AKS).

• Amazon Elastic Kubernetes service (EKS)

• Google Kubernetes Engine (GKE)

Quick start:

• Azure Kubernetes Service (AKS) Export your Azure credentials as local environment variables. The following are required:

AZURE_CLIENT_ID
AZURE_TENANT_ID
AZURE_CLIENT_SECRET
AZURE_SUBSCRIPTION_ID

• Run with the AKS option:

make run-aks resourcegroup=myResourceGroup clustername=my-aks-cluster-name

• Amazon Elastic Kubernetes Service (EKS)

Export your AWS credentials as local environment variables. The following are required:

AWS_PROFILE
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY

Run with the EKS option:

make run-eks awsregion=us-east-1 clustername=my-eks-cluster-name

• Google Kubernetes Engine (GKE)

Authenticate with your Google Cloud credentials

gcloud auth application-default login

Run with the GKE option (be sure to specify project-id and not project-name):

make run-gke project_id=my-project-id location=us-central1 clustername=my-gke-cluster-name

• Run with the standalone Kubernetes option.

make run-k8s

Visit http://localhost:8000 to view the results of the scan.

12. Kubei

In a Kubernetes cluster, Kubei is used to analyze immediate threats. Most of Kubei is written in the Go programming language.

Kubei is a vulnerability scanning and CIS Docker benchmarking tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters.

Quick start:

Kubei is also like Kube-scan has a signle pod deployment with a YAML file:

• Run the following command to deploy Kubei on the cluster:

kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml

Then, port forwarding into the Kubei webapp via the following command:

kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath=’{.items[0].metadata.name}’) 8080

In your browser, navigate to http://localhost:8080/view/ and then click ‘GO’ to run a scan.

To check the state of Kubei, and the progress of ongoing scans, run the following command:

kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath=’{.items[0].metadata.name}’)

Refresh the page (http://localhost:8080/view/) to update the results.

Which tool should you use?

It really depends on the use cases. One thing is for sure, you should look at these tools in depth and pick one or more scanners from them to ensure your existing use cases. Most of the tools offer a monitoring service, so there is an opportunity to integrate these metrics alongside your existing monitoring services. This way, when changes are made to containers, pods, Ingress and other Kubernetes configurations, vulnerabilities can always be monitored.

In general, you should not rely on the standard Kubernetes security, you have seen as with Tesla and other large projects, that very quickly can also go down the drain.

I hope I could lead a contribution in your Kubernetes Security world.