A Lap around Kubernetes Security & Vulnerability scanning Tools — checkov, kube-hunter, kube-bench & Starboard

Security management and vulnerability scanning are an indispensable part of running Kubernetes. Container image vulnerabilities, node and host hardening, and exposed network ranges (CIDR scans) all have to be managed, both for self-hosted clusters and for managed offerings such as EKS, AKS and GKE. The scanning surface stretches from API server audit logs to pod YAML manifests, container images, RBAC permissions, pod-level security settings and network policies. Several major open source tools cover these areas:

  1. Checkov: Checkov is a static analysis tool for infrastructure as code (IaC) that can scan Kubernetes YAML manifests for insecure configuration. It runs on the command line against manifest files or whole directories, and a VS Code extension surfaces the same findings in the editor while the YAML is being written. Note that Checkov reports policy violations (misconfigurations identified by CKV_* check IDs), not CVEs in container images.

To try it inside a cluster, create the Checkov batch job that the project ships; it runs Checkov in a pod, dumps the resource definitions it can read from the API server and scans them.

kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/checkov/master/kubernetes/checkov-job.yaml

Once the job's pod has run, review the job logs for the findings.

kubectl get jobs -n checkov 
kubectl logs job/checkov -n checkov

Each finding is a policy check identified by a CKV_K8S_* ID with a result of PASSED, FAILED or SKIPPED; a skipped check carries the suppression comment placed in the manifest (a comment of the form checkov:skip=CKV_K8S_22:reason). These are configuration findings, not CVEs. A sample of the output:

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
SKIPPED for resource: Job.checkov.checkov
Suppress comment: Service Account is required for read-only API access
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
SKIPPED for resource: Job.checkov.checkov (container 0) - checkov
Suppress comment: Checkov requires filesystem write access to dump resource definitions
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
SKIPPED for resource: Job.checkov.checkov (container 0) - checkov
Suppress comment: Preferring latest rules every run - image pull always
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.nginx.default
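To make clear what each of the four checks in the output above actually inspects, here is an added example that re-implements them in Python against a weak and a hardened Deployment. It is illustration code, not Checkov's implementation, and the two manifests are constructed for the demo; real Checkov runs read the YAML files directly (for example checkov -f deployment.yaml --framework kubernetes).

```python
# Added example (not checkov's code): a local re-implementation of the four checkov
# policies reported above, so you can see exactly what each one inspects.
# Manifests are Python dicts in the shape PyYAML would produce from the YAML files.
from typing import Dict, List

CHECKS = {
    "CKV_K8S_14": "Image Tag should be fixed - not latest or blank",
    "CKV_K8S_21": "The default namespace should not be used",
    "CKV_K8S_22": "Use read-only filesystem for containers where possible",
    "CKV_K8S_38": "Ensure that Service Account Tokens are only mounted where necessary",
}


def pod_spec(obj: dict) -> dict:
    """Pod spec of a Pod, or of the pod template inside Deployment/Job/DaemonSet etc.
    (CronJob nests one level deeper and is not handled here.)"""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def resource_id(obj: dict) -> str:
    """checkov-style resource id Kind.name.namespace; a missing namespace counts as default."""
    meta = obj.get("metadata", {})
    return f"{obj.get('kind')}.{meta.get('name')}.{meta.get('namespace', 'default')}"


def image_tag_fixed(image: str) -> bool:
    """Pinned if the reference has a digest, or a tag other than 'latest'. Only the last
    path segment is examined so a registry port (host:5000/img) is not mistaken for a tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def evaluate(obj: dict) -> Dict[str, bool]:
    """Map check id -> passed for one object. Container checks only apply to kinds carrying a pod spec."""
    results = {"CKV_K8S_21": obj.get("metadata", {}).get("namespace", "default") != "default"}
    spec = pod_spec(obj)
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    if containers:
        results["CKV_K8S_14"] = all(image_tag_fixed(c.get("image", "")) for c in containers)
        results["CKV_K8S_22"] = all(
            c.get("securityContext", {}).get("readOnlyRootFilesystem") is True for c in containers
        )
        # Assumption: the check is satisfied only when automount is switched off at pod level.
        results["CKV_K8S_38"] = spec.get("automountServiceAccountToken") is False
    return results


def failed_checks(objects: List[dict]) -> List[str]:
    """Sorted '<check id> <resource id>' lines for every failing check: the CI gate condition."""
    lines = []
    for obj in objects:
        for check_id, passed in evaluate(obj).items():
            if not passed:
                lines.append(f"{check_id} {resource_id(obj)}")
    return sorted(lines)


# Constructed sample manifests, not taken from the page or from any real cluster.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx"},  # no namespace: lands in default
    "spec": {"template": {"spec": {
        "containers": [{"name": "nginx", "image": "nginx:latest"}],
    }}},
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx", "namespace": "web"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "nginx",
            "image": "nginx:1.25.3",
            "securityContext": {"readOnlyRootFilesystem": True},
        }],
    }}},
}

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, failed_checks([manifest]) or "all checks passed")
```

The weak manifest fails all four checks and the hardened one passes them; a Service object only gets the namespace check, which is why the Checkov output above reports CKV_K8S_21 for Service.nginx.default but no container checks. In a pipeline, run checkov -d manifests/ -o json and fail the stage when the failed_checks list is non-empty.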

Here is a screenshot of the YAML analysis and scanning result.

Checkov Kubernetes security vulnerability scanning results

More details on Checkov's Kubernetes policies and on the cluster integration can be found in the following link.

2. Kube-bench — Kube-bench is an open source tool from Aqua Security that checks whether a cluster is deployed according to the CIS Kubernetes Benchmark. Unlike Checkov, it does not analyse YAML manifests: it runs on the nodes themselves and inspects control plane and kubelet configuration, process command-line flags, and the permissions and ownership of configuration files and certificates, comparing each against the benchmark's recommendations.

Kube-bench can be run as a Kubernetes batch job in a pod (the repository ships a job.yaml for this), or installed on a node from the GitHub release binaries or packages and run directly, for example:

curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb -o kube-bench_0.6.2_linux_amd64.deb

sudo apt install ./kube-bench_0.6.2_linux_amd64.deb -f
kube-bench --config-dir 'working_dir/cfg' --config 'working_dir/cfg/config.yaml'

You can then see the list of checks with PASS, FAIL, WARN and INFO results, grouped by the benchmark sections: control plane components, etcd, control plane configuration, worker nodes and policies. The policies section includes checks such as "Minimize the admission of privileged containers", "Minimize the admission of containers with allowPrivilegeEscalation" and "Minimize the admission of root containers"; these typically come back as WARN, because kube-bench cannot verify an admission policy on its own and expects you to confirm that Pod Security admission or a policy engine enforces them.
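To show the kind of host-level evidence kube-bench gathers on a worker node, here is an added example, not kube-bench's code, that implements four worker-node checks from section 4 of the CIS Kubernetes Benchmark against a constructed kubelet configuration: file permissions on the kubelet config (4.1.9), anonymous authentication (4.2.1), authorization mode (4.2.2) and the read-only port (4.2.4). The config is written as JSON so that no YAML library is needed; real clusters usually write it as YAML, and the exact pass conditions are this example's reading of the benchmark.

```python
# Added example (not kube-bench's code): illustrative versions of four CIS Kubernetes
# Benchmark worker-node checks, to show the host-level evidence kube-bench gathers.
# The kubelet config is written as JSON here so no YAML library is needed; real
# clusters usually write it as YAML. Check numbers follow the benchmark's section 4
# (worker nodes); the pass conditions are this example's reading of them.
import json
import os
import stat
import tempfile
from typing import Dict


def check_config_file_mode(path: str, max_mode: int = 0o644) -> str:
    """4.1.9: kubelet --config file permissions are 644 or more restrictive."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return "PASS" if mode & ~max_mode == 0 else "FAIL"


def check_kubelet_config(path: str) -> Dict[str, str]:
    """4.2.1 anonymous auth off, 4.2.2 authorization not AlwaysAllow, 4.2.4 read-only port disabled."""
    with open(path) as fh:
        cfg = json.load(fh)
    anonymous = cfg.get("authentication", {}).get("anonymous", {}).get("enabled")
    authz_mode = cfg.get("authorization", {}).get("mode")
    read_only_port = cfg.get("readOnlyPort", 0)  # assumption: absent means disabled
    return {
        # Assumption: the two auth settings must be set explicitly to pass.
        "4.2.1": "PASS" if anonymous is False else "FAIL",
        "4.2.2": "PASS" if authz_mode is not None and authz_mode != "AlwaysAllow" else "FAIL",
        "4.2.4": "PASS" if read_only_port == 0 else "FAIL",
    }


def run_node_checks(kubelet_config_path: str) -> Dict[str, str]:
    """Combine the file-permission check and the content checks into one result map."""
    results = {"4.1.9": check_config_file_mode(kubelet_config_path)}
    results.update(check_kubelet_config(kubelet_config_path))
    return results


# Constructed sample configurations (not taken from a real node).
WEAK_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}
HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


def write_sample_node(directory: str, hardened: bool) -> str:
    """Write a kubelet config into `directory` with loose (0666) or tight (0600) permissions."""
    path = os.path.join(directory, "config.json")
    with open(path, "w") as fh:
        json.dump(HARDENED_KUBELET_CONFIG if hardened else WEAK_KUBELET_CONFIG, fh)
    os.chmod(path, 0o600 if hardened else 0o666)
    return path


def demo() -> Dict[str, Dict[str, str]]:
    """Run the checks against both samples in temporary directories."""
    out = {}
    for label, hardened in (("weak", False), ("hardened", True)):
        with tempfile.TemporaryDirectory() as tmp:
            out[label] = run_node_checks(write_sample_node(tmp, hardened))
    return out


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
```

The weak node fails every check and the hardened one passes them all. The real tool adds the remediation text from the benchmark to each FAIL, and kube-bench --json gives the same results in a machine-readable form for tracking across runs.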

Kube-bench CIS Kubernetes benchmark scanning tool

3. Kube-hunter: Kube-hunter is a penetration-testing tool for Kubernetes that hunts for security weaknesses in a cluster from an attacker's point of view. It can be run from a machine outside the cluster against a remote API server or node address, on a node to scan its network interfaces, or against a CIDR range; the --k8s-auto-discover-nodes flag queries the API for all nodes in the cluster and scans each of them. Only run it against clusters you own or are authorised to test. On managed services such as EKS, AKS and GKE the control plane is operated by the provider, so findings there concern what the provider exposes to you rather than hosts you can harden yourself.

Kube-hunter can authenticate to the API server as a specific service account by passing that account's JWT bearer token with the --service-account-token flag:

$ kube-hunter --active --service-account-token <service-account-jwt> ...

With the --pod flag, kube-hunter instead uses the service account token mounted into its own pod to authenticate to the services it finds during the hunt, which mirrors what an attacker who has compromised a pod could do.

Passive hunting (the default) only probes and reports. Active hunting, enabled with --active, additionally tries to exploit what it finds in order to uncover further weaknesses, and may change the state of the cluster, so it belongs on test clusters rather than production.

For pod-level scanning, the kube-hunter batch job runs kube-hunter inside a pod and reports what that pod can reach and do. It does not look for malicious containers; it shows what an attacker who gained a foothold in a pod would discover.

After cloning the kube-hunter GitHub repository, run the following commands (job.yaml is in the repository root):

kubectl create namespace kube-hunter
kubectl create -f job.yaml -n kube-hunter
kubectl describe job kube-hunter -n kube-hunter
kubectl logs <the_pod_name> -n kube-hunter

kube-hunter pod scanning results

The pod logs list each finding with its MITRE ATT&CK category, severity, description and evidence.

kubectl logs <kube-hunter-pod> -n kube-hunter

Kube-hunter vulnerability scanning at API server and pod level
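The plain log output is fine for reading, but for tracking findings over time kube-hunter --report json is easier to consume. The following added example, not kube-hunter's code, triages such a report: it groups findings under their MITRE category as the logs do, pulls out the evidence for a finding, and applies a severity threshold that a pipeline can fail on. SAMPLE_REPORT is constructed to follow the layout of the JSON report (nodes, services and vulnerabilities, each finding carrying vid, category, severity, vulnerability, evidence, hunter and location); the vids reuse kube-hunter's KHV numbering style, but the category and severity values are illustrative rather than real output.

```python
# Added example (not kube-hunter's code): triage of a `kube-hunter --report json` report.
# SAMPLE_REPORT is constructed to follow the layout of that output; the vids reuse
# kube-hunter's KHV numbering style, but category/severity values are illustrative.
import json
from collections import defaultdict
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.5"}],
    "services": [
        {"service": "API Server", "location": "10.0.0.5:6443"},
        {"service": "Kubelet API", "location": "10.0.0.7:10250"},
    ],
    "vulnerabilities": [
        {"vid": "KHV002", "category": "Initial Access", "severity": "medium",
         "vulnerability": "K8s Version Disclosure", "location": "10.0.0.5:6443",
         "evidence": "v1.21.3", "hunter": "Api Version Hunter"},
        {"vid": "KHV005", "category": "Discovery", "severity": "medium",
         "vulnerability": "Access to API using service account token", "location": "10.0.0.5:6443",
         "evidence": "{\"kind\": \"APIVersions\"}", "hunter": "Access Secrets"},
        {"vid": "KHV044", "category": "Privilege Escalation", "severity": "high",
         "vulnerability": "Privileged Container", "location": "Local to Pod (kube-hunter-xyz)",
         "evidence": "pod is running as privileged", "hunter": "Privileged Container"},
        {"vid": "KHV050", "category": "Credential Access", "severity": "low",
         "vulnerability": "Read access to pod's service account token",
         "location": "Local to Pod (kube-hunter-xyz)", "evidence": "eyJhbGciOi...",
         "hunter": "Access Secrets"},
    ],
})


def load_findings(report_json: str) -> List[dict]:
    """The vulnerabilities array of a JSON report (empty when the hunt found nothing)."""
    return json.loads(report_json).get("vulnerabilities", [])


def by_category(findings: List[dict]) -> Dict[str, List[str]]:
    """Group findings under their MITRE ATT&CK-style category, as the pod logs present them."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["category"]].append(f"{f['vid']} {f['vulnerability']} @ {f['location']}")
    return {category: sorted(items) for category, items in sorted(groups.items())}


def gate(findings: List[dict], minimum: str = "medium") -> List[str]:
    """vids at or above `minimum` severity; a non-empty list is the signal to fail a pipeline stage."""
    threshold = SEVERITY_RANK[minimum]
    return sorted(f["vid"] for f in findings
                  if SEVERITY_RANK.get(f.get("severity", "low"), 1) >= threshold)


def evidence_for(findings: List[dict], vid: str) -> str:
    """The evidence string kube-hunter attaches, useful when confirming a finding by hand."""
    return next(f["evidence"] for f in findings if f["vid"] == vid)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for category, items in by_category(findings).items():
        print(category)
        for item in items:
            print("  ", item)
    print("blocking:", gate(findings, "high"))
```

With the sample report, a threshold of high blocks only the privileged container finding, while medium also includes the version disclosure and the API access via the mounted service account token, which is exactly the kind of finding pod mode is meant to surface.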

4. Starboard: Aqua Security's Starboard is a Kubernetes-native security toolkit that brings together vulnerability scanning (via Trivy), configuration audits, CIS benchmark checks (via kube-bench) and penetration testing (via kube-hunter), and stores every result as a Kubernetes custom resource. Because the reports are ordinary cluster objects, they can be read with kubectl, shown in dashboards such as the Starboard Lens extension, or exported to Prometheus and Grafana.

Starboard can be installed on minikube, tried on Katacoda playground clusters, or run against any existing Kubernetes cluster. For binary releases and the installation guide, refer to the following guide.

Once installed, initialise Starboard with:

starboard init 

This creates the starboard namespace and registers the custom resource definitions that hold the scan reports. You can then create a deployment and scan it:

kubectl create deployment nginx --image nginx:1.16
starboard scan vulnerabilityreports deployment/nginx

These commands use Trivy in standalone mode to scan the container images in the deployment. The result is stored as a VulnerabilityReport object, one per container, which you can read back with:

starboard get vulnerabilities deployment/nginx -o yaml
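A VulnerabilityReport for a base image such as nginx:1.16 is long, so it helps to reduce it to the items that actually change the risk. The following added example, not Starboard's code, takes the reports returned by the command above and keeps only findings at or above a chosen severity that have a fixed version available, ordered most severe first; it also recounts the severities against report.summary as a sanity check. SAMPLE_REPORTS mirrors the resource's shape (report.artifact, report.scanner, report.summary, report.vulnerabilities) with constructed entries and placeholder CVE identifiers.

```python
# Added example (not Starboard's code): prioritising VulnerabilityReports.
# `starboard get vulnerabilities deployment/nginx -o yaml` returns one VulnerabilityReport
# per container; SAMPLE_REPORTS mirrors that resource's shape with constructed entries
# and placeholder CVE ids (CVE-0000-000x are not real identifiers).
from typing import Dict, List

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

SAMPLE_REPORTS = [
    {
        "apiVersion": "aquasecurity.github.io/v1alpha1",
        "kind": "VulnerabilityReport",
        "metadata": {"name": "deployment-nginx-nginx", "namespace": "default"},
        "report": {
            "artifact": {"repository": "library/nginx", "tag": "1.16"},
            "scanner": {"name": "Trivy", "vendor": "Aqua Security"},
            "summary": {"criticalCount": 1, "highCount": 1, "mediumCount": 1,
                        "lowCount": 0, "unknownCount": 0},
            "vulnerabilities": [
                {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl",
                 "installedVersion": "1.1.1d-0", "fixedVersion": "1.1.1d-1",
                 "severity": "CRITICAL", "title": "placeholder finding"},
                {"vulnerabilityID": "CVE-0000-0002", "resource": "libc6",
                 "installedVersion": "2.28-10", "fixedVersion": "",
                 "severity": "HIGH", "title": "placeholder finding, no fix yet"},
                {"vulnerabilityID": "CVE-0000-0003", "resource": "curl",
                 "installedVersion": "7.64.0-4", "fixedVersion": "7.64.0-5",
                 "severity": "MEDIUM", "title": "placeholder finding"},
            ],
        },
    },
    {
        "apiVersion": "aquasecurity.github.io/v1alpha1",
        "kind": "VulnerabilityReport",
        "metadata": {"name": "deployment-nginx-sidecar", "namespace": "default"},
        "report": {
            "artifact": {"repository": "library/busybox", "tag": "1.31"},
            "scanner": {"name": "Trivy", "vendor": "Aqua Security"},
            "summary": {"criticalCount": 0, "highCount": 1, "mediumCount": 0,
                        "lowCount": 0, "unknownCount": 0},
            "vulnerabilities": [
                {"vulnerabilityID": "CVE-0000-0004", "resource": "busybox",
                 "installedVersion": "1.31.1", "fixedVersion": "1.32.0",
                 "severity": "HIGH", "title": "placeholder finding"},
            ],
        },
    },
]


def summary_matches(report: dict) -> bool:
    """Recount severities and compare with report.summary, a cheap integrity check on the object."""
    counts = {severity: 0 for severity in SEVERITY_ORDER}
    for v in report["report"].get("vulnerabilities", []):
        counts[v["severity"]] += 1
    summary = report["report"]["summary"]
    return all(summary.get(f"{sev.lower()}Count", 0) == n for sev, n in counts.items())


def fixable(reports: List[dict], min_severity: str = "HIGH") -> List[Dict[str, str]]:
    """Findings at or above min_severity that have a fixed version, most severe first.
    These are the upgrades that remove risk; unfixed findings need another mitigation."""
    out = []
    for r in reports:
        art = r["report"]["artifact"]
        image = f"{art['repository']}:{art['tag']}"
        for v in r["report"].get("vulnerabilities", []):
            if not v.get("fixedVersion"):
                continue
            if SEVERITY_ORDER[v["severity"]] > SEVERITY_ORDER[min_severity]:
                continue
            out.append({"image": image, "package": v["resource"], "id": v["vulnerabilityID"],
                        "installed": v["installedVersion"], "fixed": v["fixedVersion"],
                        "severity": v["severity"]})
    return sorted(out, key=lambda x: (SEVERITY_ORDER[x["severity"]], x["image"], x["package"]))


if __name__ == "__main__":
    for item in fixable(SAMPLE_REPORTS, "HIGH"):
        print(f"{item['severity']:8} {item['image']} {item['package']} "
              f"{item['installed']} -> {item['fixed']} ({item['id']})")
```

On the sample data the HIGH threshold yields the openssl and busybox upgrades and drops the libc6 finding, which has no fix yet and therefore needs a different response (a newer base image or a compensating control). The same structure is returned by starboard get vulnerabilities deployment/nginx -o json, which is the easier form to feed into such a script.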

To run a configuration audit of the deployment (pod security settings such as privileged containers, containers running as root or missing resource limits) and retrieve the report, execute:

starboard scan configauditreports deployment/nginx
starboard get configaudit deployment/nginx -o yaml

The Starboard vulnerability scanning report of the nginx deployment

Here is a screenshot of the configuration audit report, with the pod-level checks and the container image scan results.

For more information, see the Aqua Security Starboard getting started guide on scanning Kubernetes deployment configuration.