Securing Kubernetes

Kubernetes Auto Analyzer

Pipe Down

A couple of approaches can be taken to install Kubernetes Auto Analyzer: a Docker container or a Ruby Gem.

I will take the potentially trickier Ruby route to show you how I got it working. The tool needs a working Ruby environment to run correctly. Fret not, because I will run through the packages required on a freshly released (at the time of writing) stock CentOS 7.5 build first, which should also work for the better part on modern Fedora and Red Hat Enterprise Linux builds, too. If you already have a few of these packages installed, then simply add the ones not present.

If you are interested in using a Debian derivative, I have also successfully run Kubernetes Auto Analyzer on Ubuntu 16.04 without headaches. I’ll also briefly run through how I got it working on my Xenial 16.04 build, which admittedly might already have had a few of the required packages installed.

Occasional, irritatingly subtle package name changes occur between Linux flavors and distributions, but a quick Google search should reveal the package name you need to get your installation working. Don’t let your package manager’s ignorance of a certain package confuse you, just persevere. Dare I also say at this point, if you haven't guessed already, that you need a working Kubernetes installation?

For clarity’s sake, I would begin by running the sophisticated auditing tool on the Kubernetes Master node, first. When you run it on a slave (aka worker and, previously, minion) node, you will be able to check against any plaintext authentication security holes when the slaves communicate with the API server, which assists in running the Kubernetes cluster. From what I’ve seen, this usually applies to the defaults in older Kubernetes versions.

To demonstrate the tool’s potential, I’m going to use a local Minikube installation on my laptop to generate a report. (Minikube is a sophisticated, localized, stripped-down Kubernetes build that is great for testing and lacks the complexities a cloud cluster brings.)

A Wide Berth

I’ll start with a look at the CentOS 7.5 Kubernetes Auto Analyzer build packages. I’ve noticed that some cloud providers alter their stock Linux distributions a little to suit their own cloud environments. For example AWS might point the default NTP (Network Time Protocol) servers on a Linux machine image to an internal AWS time server, which lessens the need to talk to the Internet and reduces the server’s attack surface. Incidentally, AWS and, I think, Ubuntu 18.04 LTS are now mostly using Chrony; chronyd  is a stripped-down NTP server for extra security. As a result, the mileage involved in the installation of the required packages may vary. 

The packages installed in Listing 1 give you a good pointer toward a sane and working Ruby environment for your Kubernetes security testing. As you can see from the list of commands, I created a bare-minimum Ruby build on CentOS 7.5 working with Ruby gems. Figure 1 shows the final command needed to install the gems that get the security tool functioning.

Listing1: Installation on CentOS 7.5

$ yum update
$ yum -y upgrade; reboot
$ yum install ruby-devel.x86_64
$ yum install -y libxml2-devel libxslt-devel
$ yum install -y autoconf automake libtool bison
$ yum install -y gcc-c++ patch readline readline-devel zlib zlib-devel
$ yum install -y libyaml-devel libffi-devel openssl-devel make bzip2
$ gem install public_suffix -v 2.0.5
$ yum info ruby # Needs to be v2.2+
$ curl -sSL https://rvm.io/mpapis.asc | gpg --import - # From here see https://tecadmin.net/install-ruby-latest-stable-centos
$ curl -L get.rvm.io | bash -s stable
$ source /etc/profile.d/rvm.sh
$ rvm reload
$ rvm requirements run
$ rvm install 2.5 # This may take a while
$ rvm list
$ rvm use 2.5 --default
$ ruby --version
$ gem update # Errors not related to kubeclient or kube_auto_analyzer don't stop it working
$ gem install --no-document json kubeclient kube_auto_analyzer
Figure 1: Success is denoted by Ruby’s gem being happy at the end of the process, as seen with the CentOS 7.5 Linux distribution.

In case you’re wondering, I needed to bump up the Ruby version (I chose v2.5), and I used rvm , which was perfectly documented online. If you get a bit lost with my notes and the rvm  section, then just refer to the documentation. I’ve tested these commands on a cloud platform I’ve recently discovered called Vultr. They’re worth a look if you’re not aware of their service. I’ve been suitably impressed in terms of cost and quality so far.

Keeling Over

For the Ubuntu 16.04 build, I used the following packages:

$ apt install rubygems-integration
$ apt install ruby-all-dev
$ apt install gem 
$ apt install -y make bzip2
$ gem install  --no-document json kubeclient kube_auto_analyzer

Remember, I might already have had some of the packages shown in the CentOS commands in Listing 1 installed, because my Ubuntu laptop is well used. If these commands don’t work for you, you can look up the equivalent Ubuntu packages or go down the Docker route. The installation commands here show the packages I needed.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Monitoring container clusters with Prometheus
    In native cloud environments, classic monitoring tools reach their limits when monitoring transient objects such as containers. Prometheus closes this gap, which Kubernetes complements, thanks to its conceptual similarity, simple structure, and far-reaching automation.
  • Correctly integrating containers
    If you run microservices in containers, they are forced to communicate with each other – and with the outside world. We explain how to network pods and nodes in Kubernetes.
  • Safeguard and scale containers
    Security, deployment, and updates for thousands of nodes prove challenging in practice, but with CoreOS and Kubernetes, you can orchestrate container-based web applications in large landscapes.
  • A Hands-on Look at Kubernetes with OpenAI
    For research into deep learning algorithms that automatically acquire new skills, OpenAI operates some of the largest Kubernetes clusters worldwide, with up to 36,000 CPU cores. We look at some practical experience with the container management system.
  • OpenShift 3: Platform as a Service
    Red Hat's OpenShift is aimed at companies seeking low-maintenance PaaS environments in which they can develop and test applications.
comments powered by Disqus