Kubernetes Auto Analyzer

Securing Kubernetes

Article from ADMIN 48/2018
By
The fast pace of Kubernetes development means that security vulnerabilities are both patched and introduced between versions. The Kubernetes Auto Analyzer configuration analysis tool automates the review of Kubernetes installations against the CIS Benchmarks.

Special Thanks: This article was made possible by support from the Linux Professional Institute

Few software applications have changed the way modern infrastructure works; I mean applications here, not Infrastructure as a Service provisioning such as Amazon Web Services. Leaving aside desktop-style and Software as a Service applications, which of course can't really be counted as infrastructure, I cannot pick many examples out of the air without careful consideration, although I suppose virtualization software, which relies on hardware innovations to some extent, might fit. You certainly can fly the flag for Docker as one of the recent game-changers: it gives software developers fully portable, boxed-up units of code that work exactly the same way in a test environment as in production. To be fair to its predecessors, some of the container concepts on which Docker is built have existed for longer than the Docker project.

Thanks to neat and tidy containers of code, Docker was surfing the crest of a wave for a number of years (and arguably still is), releasing ship-loads of exciting new features with a momentum that was hard to match. As the adoption of containers grew, a need suddenly arose for an automated way of steering the ships holding the containers, because developers and infrastructure operators realized that once you hit the nth container, managing them by hand is akin to herding cats.

From such scenarios, the exceptionally popular Kubernetes (Greek for "helmsman" or "pilot") began to gain traction. Kubernetes is now used by multinational enterprises that embraced containers sooner rather than later and trusted it with high-value production workloads. As a DevSecOps consultant by trade, I'm going to lead the conversation to a deal-breaking prerequisite for keeping Kubernetes running as expected in an enterprise: security.

Batten the Hatches

One of the barriers to Kubernetes adoption is its complexity. Its authors, however, have done a grand job of documenting new releases and features in an accessible, detailed manner. Over time, the installation process, which initially had a reputation for being a little too arcane for beginners, has been simplified by both the authors and others.

From a security standpoint, ever-evolving complexity in a piece of software brings headaches. That complexity might stem from the numerous add-ons that Kubernetes supports, from its core features, or from features that are newly released or newly deprecated. These problems are most prevalent in software that releases new features very frequently, which both Docker and Kubernetes certainly do with their constant introduction of innovations.

Up to the Gunwales

Thankfully, security professionals working in the industry become aware of such issues and super-clever people come up with a solution in one form or another. That’s precisely the case when it comes to securing Kubernetes. The NCC Group are at the forefront of the security field and offer penetration testing, among many other services. Their website describes their business as “The global experts in cyber security & risk mitigation.”

As part of the test suite for your own penetration tests, you couldn't do much better than the Kubernetes Auto Analyzer tool, which the NCC Group have kindly open sourced. You can find much more about the tool on its official GitHub page. The tool checks a cluster against the industry-consensus recommendations for securing Kubernetes in the CIS Benchmarks. If you haven't come across the CIS Benchmarks before, they are consensus-developed configuration guidelines for securing operating systems and applications of many flavors and varieties. Referring to the benchmarks, the website says: "With our global community of cybersecurity experts, we've developed CIS Benchmarks: 100+ configuration guidelines for various technology groups to safeguard systems against today's evolving cyber threats."

What does this mean for the trusty Kubernetes Auto Analyzer? The good news is that the findings in its generated reports carry the section numbering of the CIS Benchmark, so when a report has filled in the blanks about your Kubernetes security holes and you want further details, you can go straight to the matching section of the benchmark document. I have found that Kubernetes Auto Analyzer also offers a useful amount of detail on its own; between the two reference sources, you should be suitably armed with enough information to secure your Kubernetes cluster.

Knowing the Ropes

The Kubernetes Auto Analyzer was written in the Ruby programming language by Rory McCune, an industry leader in the Kubernetes security space (you can find some interesting container and security information on his website). I contacted McCune and was grateful for his friendly and detailed response.

His main motivations for writing the Kubernetes Auto Analyzer tool were "… the same reason[s] I write most of my code, which is to speed up things on [penetration] tests. One of the things that's pretty much a constant in pentesting is having a lot of ground to cover in a limited time, so anything that can be automated is a bonus."

McCune went on to say that, in creating the tool, he was also able to teach himself how to discern between the idiosyncrasies of both vanilla and managed Kubernetes installations, which is no mean feat. For the security professional, he also explained that being able to access archived historical reports was helpful – hence the format of the output produced by the tool.

He continued: “The tool is very focused on the security reviewer use case, which is why I've tried to record evidence for each finding, so that a tester can revisit things during a report-writing phase (typically done after the test) and review the evidence they've assembled to support their findings.”

The comprehensive reporting output, which I will look at shortly, is a single, nicely formatted HTML page. First, however, I will look at installing the tool on both CentOS 7.5 and Ubuntu 16.04.
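To make concrete what a configuration check in the CIS Benchmark style looks like when it records evidence per finding and renders a single HTML page, as described above, here is a small Ruby illustration added for this article. It is not code from the Kubernetes Auto Analyzer or from the NCC Group. The kube-apiserver command line is a constructed sample, and the check identifiers A.1 to A.5 only imitate the benchmark's section-number style; they are not quoted from the CIS Kubernetes Benchmark.

```ruby
# Illustration of a CIS-style configuration check with recorded evidence.
# Added example for this article; not code from the Kubernetes Auto Analyzer.

# Constructed sample of a kube-apiserver command line (assumed input, as
# `ps -o args` might show it; not captured from a real cluster).
SAMPLE_CMDLINE = "kube-apiserver --advertise-address=10.0.0.10 " \
                 "--anonymous-auth=true --insecure-port=8080 " \
                 "--authorization-mode=Node,AlwaysAllow " \
                 "--audit-log-path=/var/log/kube-audit.log --secure-port=6443"

# Illustrative checks. The ids only imitate the benchmark's section-number
# style so a reader can see how a finding cross-references the document;
# they are not quoted from the CIS Kubernetes Benchmark.
CHECKS = [
  { id: "A.1", title: "--anonymous-auth is set to false",
    flag: "--anonymous-auth", pass: ->(v) { v == "false" } },
  { id: "A.2", title: "--insecure-port is set to 0",
    flag: "--insecure-port", pass: ->(v) { v == "0" } },
  { id: "A.3", title: "--authorization-mode does not include AlwaysAllow",
    flag: "--authorization-mode",
    pass: ->(v) { !v.nil? && !v.split(",").include?("AlwaysAllow") } },
  { id: "A.4", title: "--audit-log-path is set",
    flag: "--audit-log-path", pass: ->(v) { !v.nil? && !v.empty? } },
  { id: "A.5", title: "--profiling is set to false",
    flag: "--profiling", pass: ->(v) { v == "false" } },
].freeze

# "kube-apiserver --a=1 --b" => { "--a" => "1", "--b" => "" }.
# A flag given without "=value" is kept with an empty string so that
# "present but unset" stays distinguishable from "absent" (nil).
def parse_args(cmdline)
  cmdline.strip.split(/\s+/).drop(1).each_with_object({}) do |tok, args|
    key, val = tok.split("=", 2)
    args[key] = val || ""
  end
end

# Run every check; keep the literal argument (or a note of its absence) as
# evidence so the finding can be re-read during report writing.
def analyse(cmdline)
  args = parse_args(cmdline)
  CHECKS.map do |c|
    present = args.key?(c[:flag])
    value = present ? args[c[:flag]] : nil
    {
      id: c[:id], title: c[:title],
      status: c[:pass].call(value) ? "PASS" : "FAIL",
      evidence: present ? "#{c[:flag]}=#{value}" : "#{c[:flag]} not present on command line"
    }
  end
end

# { "FAIL" => n, "PASS" => m }
def summarize(findings)
  findings.group_by { |f| f[:status] }.transform_values(&:size)
end

# Escape target-supplied strings before they go into the HTML report: a flag
# value read off a target is untrusted input to the report, not safe text.
def esc(s)
  s.to_s.gsub(/[&<>"]/, "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;")
end

# Single-page HTML report, one row per finding with its evidence.
def html_report(findings, target: "kube-apiserver")
  rows = findings.map do |f|
    "<tr><td>#{esc(f[:id])}</td><td>#{esc(f[:title])}</td>" \
    "<td class=\"#{f[:status].downcase}\">#{f[:status]}</td>" \
    "<td><code>#{esc(f[:evidence])}</code></td></tr>"
  end
  <<~HTML
    <!DOCTYPE html><html><head><meta charset="utf-8">
    <title>Configuration review: #{esc(target)}</title>
    <style>.fail{color:#b00}.pass{color:#080}</style></head><body>
    <h1>Configuration review: #{esc(target)}</h1>
    <table><tr><th>Ref</th><th>Check</th><th>Result</th><th>Evidence</th></tr>
    #{rows.join("\n")}
    </table></body></html>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  findings = analyse(SAMPLE_CMDLINE)
  findings.each do |f|
    puts format("%-4s %-4s %-52s %s", f[:id], f[:status], f[:title], f[:evidence])
  end
  puts summarize(findings).inspect
  puts html_report(findings)
end
```

Run as a script, it prints the five findings with their evidence (four FAIL, one PASS for the constructed command line) followed by the HTML page. The point worth copying from the real tool is that each finding stores the exact token it judged rather than only a verdict; the escaping step matters because a reviewer will open the report in a browser, and a flag value is data read off the target.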
