Kubernetes Auto Analyzer
Securing Kubernetes
Special Thanks: This article was made possible by support from Linux Professional Institute
Few software applications have changed the way modern infrastructure works – not Infrastructure as a Service provisioning, such as Amazon Web Services, but applications. Outside of desktop-style applications (e.g., Software as a Service), which of course can't really be counted as infrastructure, I cannot pick many examples out of the air without careful consideration, although I suppose virtualization software, which needs hardware innovations to some extent, might fit. You certainly, however, can fly the flag for Docker as one of the recent game-changers, providing software developers fully portable, boxed-up units of code that will work exactly the same way in a test environment as in a production environment. To be fair to its predecessors, some of the container concepts on which Docker is built have existed longer than the Docker project.
Thanks to neat and tidy containers of code, Docker was surfing the crest of a wave for a number of years (and arguably still is), releasing ship-loads of exciting new features, with a momentum that was hard to match. As the adoption of containers grew, suddenly a need arose for an automated way of steering the ships holding the containers, because developers and infrastructure operators realized that when you hit an nth number of containers, it's akin to herding cats.
From such scenarios, the exceptionally popular Kubernetes (which in Greek means "pilot" or "helm") began to gain traction. Kubernetes is now used by multinational enterprises that embraced containers sooner rather than later and trusted it with high-value production workloads. As a DevSecOps consultant by trade, I'm going to lead the conversation to a deal-breaking prerequisite required to keep Kubernetes running as expected in an enterprise: security.
Batten the Hatches
One of the barriers to Kubernetes adoption is its complexity. Its authors, however, have made a grand job of documenting new releases and features in an accessible, detailed manner. Over time, the installation process, which initially had a reputation for being a little too arcane for beginners, has been simplified by both the authors and others.
With security in mind, ever-evolving complexity from a piece of software brings headaches. That complexity might be related to the numerous add-ons that Kubernetes supports, its core features, or newly released or deprecated features. These problems seem to be most prevalent in software that releases new features very frequently, which both Docker and Kubernetes certainly do with the constant introduction of innovations.
Up to the Gunwales
Thankfully, security professionals working in the industry become aware of such issues and super-clever people come up with a solution in one form or another. That’s precisely the case when it comes to securing Kubernetes. The NCC Group are at the forefront of the security field and offer penetration testing, among many other services. Their website describes their business as “The global experts in cyber security & risk mitigation.”
As part of the test suite for your own penetration tests, you couldn’t do much better than the Kubernetes Auto Analyzer tool, which the NCC Group have kindly open sourced. You can find much more about the tool on the official GitHub page, which focuses on industry-consensus recommendations for securing Kubernetes using the CIS Benchmarks. If you haven't come across CIS Benchmarks before, they are sophisticated security recommendations to help secure operating systems and applications of many flavors and varieties. Referring to the benchmarks, the website says: “With our global community of cybersecurity experts, we’ve developed CIS Benchmarks: 100+ configuration guidelines for various technology groups to safeguard systems against today’s evolving cyber threats.”
What does this mean for the trusty Kubernetes Auto Analyzer? The good news is that when reports are generated to fill in the blanks about your Kubernetes security holes and you want further details, it’s possible simply to refer directly to the section numbering in the CIS Benchmark report. I have found that Kubernetes Auto Analyzer also offers a useful amount of detail; between the two reference sources, you should be suitably armed with enough information to secure your Kubernetes cluster.
Knowing the Ropes
The Kubernetes Auto Analyzer was written in the Ruby programming language by Rory McCune, an industry leader in the Kubernetes security space (you can find some interesting containers and security information on his website). I contacted McCune and was grateful for his friendly and detailed response.
His main motivations for writing the Kubernetes Auto Analyzer tool were "… the same reason[s] I write most of my code, which is to speed up things on [penetration] tests. One of the things that's pretty much a constant in pentesting is having a lot of ground to cover in a limited time, so anything that can be automated is a bonus."
McCune went on to say that, in creating the tool, he was also able to teach himself how to discern between the idiosyncrasies of both vanilla and managed Kubernetes installations, which is no mean feat. For the security professional, he also explained that being able to access archived historical reports was helpful – hence the format of the output produced by the tool.
He continued: “The tool is very focused on the security reviewer use case, which is why I've tried to record evidence for each finding, so that a tester can revisit things during a report-writing phase (typically done after the test) and review the evidence they've assembled to support their findings.”
The comprehensive reporting output, which I will look at shortly, is a single, nicely formatted HTML page. First, however, I will look at installing the tool on both CentOS 7.5 and Ubuntu 16.04.
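To make the two reporting ideas above concrete (findings cross-referenced to a CIS Benchmark section and raw evidence kept per finding for the report-writing phase), here is an added Ruby sketch of that pattern. It is not code from the Kubernetes Auto Analyzer project; the command line is a constructed sample and the `CIS-X.Y.n` ids are placeholders, not real benchmark numbering.

```ruby
require 'cgi'

# Constructed sample: an API server command line as it might be read from a
# control-plane node (NUL-separated, like /proc/<pid>/cmdline). Values are illustrative.
SAMPLE_APISERVER_CMDLINE = [
  'kube-apiserver',
  '--anonymous-auth=true',
  '--authorization-mode=AlwaysAllow',
  '--insecure-port=0'
].join("\x00")

# Hypothetical check definitions. The :id values are placeholders; the real
# section numbers come from the CIS Kubernetes Benchmark document itself.
CHECKS = [
  { id: 'CIS-X.Y.1', flag: '--anonymous-auth',
    title: 'API server: anonymous requests disabled', ok: ->(v) { v == 'false' } },
  { id: 'CIS-X.Y.2', flag: '--authorization-mode',
    title: 'API server: AlwaysAllow authorization not enabled',
    ok: ->(v) { !v.nil? && !v.split(',').include?('AlwaysAllow') } },
  { id: 'CIS-X.Y.3', flag: '--insecure-port',
    title: 'API server: insecure (plain HTTP) port disabled', ok: ->(v) { v == '0' } }
]

# Parse a NUL-separated cmdline into a { '--flag' => 'value' } hash (program name dropped).
def parse_flags(cmdline)
  cmdline.split("\x00").drop(1).each_with_object({}) do |arg, flags|
    key, value = arg.split('=', 2)
    flags[key] = value
  end
end

# Run every check and keep the flag exactly as observed as the finding's evidence,
# so a reviewer can re-verify the result later without re-running the tool.
def run_checks(cmdline, checks = CHECKS)
  flags = parse_flags(cmdline)
  checks.map do |c|
    observed = flags[c[:flag]]
    { id: c[:id], title: c[:title], status: c[:ok].call(observed) ? 'PASS' : 'FAIL',
      evidence: observed.nil? ? "#{c[:flag]} not set" : "#{c[:flag]}=#{observed}" }
  end
end

# Render findings as one HTML table; evidence is escaped so flag values cannot inject markup.
def to_html(findings)
  rows = findings.map do |f|
    "<tr><td>#{CGI.escapeHTML(f[:id])}</td><td>#{CGI.escapeHTML(f[:title])}</td>" \
    "<td>#{f[:status]}</td><td><code>#{CGI.escapeHTML(f[:evidence])}</code></td></tr>"
  end
  "<table><tr><th>CIS ref</th><th>Check</th><th>Result</th><th>Evidence</th></tr>#{rows.join}</table>"
end

puts to_html(run_checks(SAMPLE_APISERVER_CMDLINE)) if $PROGRAM_NAME == __FILE__
```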