KUBESEC
Security risk analysis for Kubernetes resources
KUBESEC.IO

kubesec-test.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
    - name: kubesec-demo
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        readOnlyRootFilesystem: true

Command Line Usage

kubesec scan kubesec-test.yaml

Docker Usage

docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

HTTP Server

CLI with HTTP

Run in the Background

kubesec http 8080 &
[1] 12345
{"severity":"info","timestamp":"2019-05-12T11:58:34.662+0100","caller":"server/server.go:69","message":"Starting HTTP server on port 8080"}

Test

curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
  {
    "object": "Pod/security-context-demo.default",
    "valid": true,
    "message": "Failed with a score of -30 points",
    "score": -30,
    "scoring": {
      "critical": [
        {
          "selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
          "reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided"
        },
        {
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege"
        },
  // ...
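The JSON above is what a CI pipeline would consume to decide whether a manifest may be deployed. The script below is an added example, not code from the kubesec project: it parses that result shape (a list of objects, each with "object", "valid", "score" and a "scoring" map of categories holding selector/reason pairs), fails the build on any "critical" finding or on a score below a threshold, and can invoke `kubesec scan FILE` as shown in the Command Line Usage section when given a path. The embedded sample output is constructed by hand because the page's listing is truncated; the second object and its "passed" category are assumptions, not captured scanner output.

```python
"""CI gate over kubesec scan output.

Added example, not part of the kubesec project. It assumes the JSON shape shown
in the curl output above: a list of results, one per Kubernetes object, each
with "object", "valid", "score" and a "scoring" map whose keys are categories
(critical, advise, ...) holding lists of {"selector", "reason"} entries.
"""
import json
import subprocess
import sys

# Constructed sample, modelled on the page's listing but completed by hand
# because the page's output is truncated. Not captured from a real scan.
SAMPLE_OUTPUT = json.dumps([
    {
        "object": "Pod/security-context-demo.default",
        "valid": True,
        "message": "Failed with a score of -30 points",
        "score": -30,
        "scoring": {
            "critical": [
                {
                    "selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
                    "reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided",
                },
                {
                    "selector": "containers[] .securityContext .runAsNonRoot == true",
                    "reason": "Force the running image to run as a non-root user to ensure least privilege",
                },
            ],
        },
    },
    {
        # This second object, its category name and its reason text are constructed.
        "object": "Pod/kubesec-demo.default",
        "valid": True,
        "message": "Passed with a score of 1 points",
        "score": 1,
        "scoring": {
            "passed": [
                {
                    "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
                    "reason": "An immutable root filesystem limits what a compromised container can write",
                },
            ],
        },
    },
])


def load_sample():
    """Parse the constructed sample into the structure the scanner would return."""
    return json.loads(SAMPLE_OUTPUT)


def evaluate(results, min_score=0, fail_on_critical=True):
    """Apply the gate to parsed kubesec results.

    Returns (passed, failures): passed is False when any object is rejected by
    the scanner, carries a critical finding (if fail_on_critical), or scores
    below min_score. failures holds one human-readable line per problem.
    """
    failures = []
    for result in results:
        obj = result.get("object", "<unknown object>")
        if not result.get("valid", False):
            failures.append(f"{obj}: manifest was not accepted by the scanner")
            continue
        critical = result.get("scoring", {}).get("critical", [])
        if fail_on_critical:
            for finding in critical:
                failures.append(f"{obj}: critical: {finding['reason']} [{finding['selector']}]")
        score = result.get("score", 0)
        if score < min_score:
            failures.append(f"{obj}: score {score} is below the threshold of {min_score}")
    return (not failures), failures


def run_kubesec(manifest_path):
    """Run the CLI as on the page (`kubesec scan FILE`) and parse its JSON output.

    Assumes kubesec is on PATH. The exit status is deliberately ignored: the
    gate decides from the parsed findings, not from the scanner's return code.
    """
    proc = subprocess.run(["kubesec", "scan", manifest_path],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def main(argv):
    # With no arguments the constructed sample is evaluated, so the script runs offline.
    results = run_kubesec(argv[1]) if len(argv) > 1 else load_sample()
    passed, failures = evaluate(results)
    for line in failures:
        print("FAIL", line)
    print("PASS" if passed else f"FAIL ({len(failures)} problem(s))")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a manifest path to gate a real scan, or with no arguments to see the sample evaluated. Failing on every "critical" entry regardless of the total score is the safer design: a single CAP_SYS_ADMIN grant should not be offset by points collected from other settings.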

Kill the Process

kill %

Docker with HTTP

Run Docker

docker run -d -p 8080:8080 kubesec/kubesec:512c5e0 http 8080

Test

curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan

Kubesec-as-a-Service

curl -sSX POST --data-binary @"k8s-deployment.yaml" https://v2.kubesec.io/scan