Kubernetes

Top 10 Kubernetes Security Tools

Kube-bench
Kube-bench, from the Center for Internet Security (CIS), is an excellent tool that checks whether your Kubernetes cluster and nodes meet the CIS benchmarks. CIS is the semi-regulatory industry body that provides guidelines and benchmarking tests for writing secure code.
Kube-bench is available on GitHub. It is especially useful because, apart from highlighting the non-compliant areas of your Kubernetes environment, it also gives you remediation suggestions for each failed check. In a nutshell, Kube-bench checks that user authentication and authorization are configured in accordance with the CIS guidelines, that the Kubernetes deployment follows the principle of least privilege, and that data is encrypted both at rest and in transit.

Kube-hunter

Kube-hunter is a utility created by Aqua Security and is available on GitHub. It systematically trawls through your Kubernetes cluster and hunts down security weaknesses, enabling admins to pinpoint vulnerabilities before attackers can exploit them. Kube-hunter works particularly well when paired with Kube-bench, since the former’s discovery and penetration-testing capabilities complement the CIS validation points from Kube-bench. You can think of Kube-hunter as a Kubernetes-specific automated penetration tester.

Project Calico

This open-source solution is not specific to Kubernetes; it is mainly a networking technology, but it can be used for security purposes. It works on a wide range of platforms – Kubernetes, Docker Enterprise, OpenStack, and even bare-metal servers. Calico works by essentially creating a micro-firewall for every workload and rendering predefined connectivity policies into rules that are applied on each micro-firewall.
Interestingly, because the firewall sits at the workload level, Calico can also manage and route pod-specific network traffic on individual network routers and switches.

Istio

Istio is an open-source service mesh that allows you to control, connect, and secure your services on Kubernetes. It provides functionality such as automatic load balancing, fine-grained traffic control, automatic metrics, logs collections, and secure service-to-service communication within a cluster.

Kubeaudit

Kubeaudit is a command-line-only tool that audits clusters against a set of predefined security checks. Some of these checks are: whether the ‘root’ account is disabled, whether the system allows privilege escalation, and whether any Kubernetes images have incorrect tags.
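To make the three checks named above concrete, here is an added, self-contained illustration (not kubeaudit’s own code) that runs them over a constructed Pod manifest and prints one finding per problem; the manifest values and function names are assumptions for the demo.

```python
"""Kubeaudit-style checks over a Pod manifest (added illustration, not kubeaudit code).

Reports the three findings the text names: container may run as root,
privilege escalation allowed, image tag missing or mutable ('latest').
"""


def _image_tag(image):
    """Return the tag of an image reference, 'digest' if pinned by digest, None if absent."""
    if "@sha256:" in image:
        return "digest"                  # content-addressed reference, treated as pinned
    last = image.rsplit("/", 1)[-1]      # drop registry[:port]/repo so ':' can only be a tag
    return last.split(":", 1)[1] if ":" in last else None


def audit_pod(pod):
    """Return one finding string per problem; an empty list means the pod is clean."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"].get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true (may run as root)")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        tag = _image_tag(c["image"])
        if tag is None or tag == "latest":
            findings.append(f"{name}: image {c['image']} is not pinned to a tag")
    return findings


# Constructed sample manifests: the weak one trips all three checks.
WEAK_POD = {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "nginx:1.25.3",
                    "securityContext": {"allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["OK"])
```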

NeuVector

NeuVector is a security suite compatible with both Kubernetes and OpenShift. Its main features are full-lifecycle container security and container-level network security. NeuVector offers plugins to integrate with clusters created on the major cloud platforms – AWS, Azure, Google Cloud, and even IBM Cloud and Alibaba Cloud.
The NeuVector solution is itself delivered as a container that deploys easily on each host. It then provides a container firewall, host monitoring and security, security auditing against the CIS benchmarks, and a vulnerability scanner.

Audit2rbac

Audit2rbac is a useful tool that generates RBAC (Role-Based Access Control) policies from your Kubernetes audit logs. You first need to enable auditing in your Kubernetes cluster and then run audit2rbac. The tool then uses the generated Kubernetes audit log to create an RBAC role and the objects that bind it.

Illuminatio

Illuminatio is a network policy validator tool from the German vendor Inovex. Network policy validation means checking and confirming that your cluster’s firewall actually behaves as intended. When started, Illuminatio scans your Kubernetes cluster for all network policies, builds quick test cases for each policy, and executes those cases to determine whether the policies are really effective and working as defined.
It is important to validate your network policies rather than simply assume that, because they have been defined, they are enforced. Sometimes network policies are declared but not enforced, especially when individual nodes in your cluster have not yet synchronized their network policies with the cluster-defined policies in time.
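A validator like the one described above first needs an oracle for what each policy should allow before it can generate and run test cases. The following added example (not Illuminatio’s own code) builds that expected-connectivity matrix for a constructed set of pods and one NetworkPolicy; it models only ingress rules with podSelector peers, and the pod and policy names are assumptions.

```python
"""Expected-connectivity oracle for Kubernetes NetworkPolicies (added illustration,
not Illuminatio's own code).

Ingress semantics modelled: a pod selected by any Ingress policy denies all
sources except those some rule admits; an unselected pod accepts everything.
Only podSelector/matchLabels peers are handled (no namespaces, ports or ipBlocks).
"""


def _matches(selector, labels):
    """An empty selector matches every pod; otherwise all matchLabels must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, pods, src, dst):
    """True if pod `src` may open a connection to pod `dst` (pod labels given in `pods`)."""
    specs = [p["spec"] for p in policies
             if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])  # Ingress is the default type
             and _matches(p["spec"]["podSelector"], pods[dst])]
    if not specs:
        return True                      # nothing isolates dst: open by default
    for spec in specs:
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            if not peers:                # a missing or empty 'from' admits all sources
                return True
            if any("podSelector" in peer and _matches(peer["podSelector"], pods[src])
                   for peer in peers):
                return True
    return False                         # dst is isolated and no rule admits src


def expected_matrix(policies, pods):
    """Build the src->dst expectation that each generated test case must confirm."""
    return {(s, d): ingress_allowed(policies, pods, s, d)
            for s in pods for d in pods if s != d}


# Constructed sample: only frontend may reach backend; no other pod is isolated.
PODS = {"frontend": {"app": "frontend"}, "backend": {"app": "backend"},
        "batch": {"app": "batch"}}
POLICIES = [{"metadata": {"name": "backend-allow-frontend"},
             "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
                      "policyTypes": ["Ingress"],
                      "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]}}]

if __name__ == "__main__":
    for (s, d), ok in sorted(expected_matrix(POLICIES, PODS).items()):
        print(f"{s} -> {d}: {'allow' if ok else 'deny'}")
```

Each (src, dst) entry is the verdict a real probe between those two pods must reproduce; a mismatch means the policy is declared but not enforced on that path.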

Twistlock

Twistlock is another full-featured monitoring solution for Kubernetes, although it can also be used with several other platforms thanks to its cloud-native and API-enabled nature. It can be set up to continually monitor up to 200 built-in CIS benchmarks in your Kubernetes apps for vulnerability and compliance issues. This can be done on the base host/machine as well as on Kubernetes containers and images. Note that Twistlock is not an open-source tool; it is free only on a trial basis or for a single, standalone cluster.

Kubesec.io

Kubesec.io is an open-source security analysis tool that scans and then assigns scores to your Kubernetes resources (deployments and pods) against a predefined list of security features. It helps to verify and align resource configurations to Kubernetes security best practices.
