Kubernetes Security Check (k8s-sec-check)

Kubernetes Security Check automates the complex security checks based on CIS guidelines.

Table of Contents

• Background
• Architecture
• Install
• Usage
• Maintainers
• Contribute
• License

Background

There are many tools in the open-source world that provide a way to certify the security of Kubernetes security and some tools are also implemented based on the detailed CIS guidelines. However, not all tools are covering complex security checks. For example. Pod Security Policy checks. Kubernetes Security Check automates the complex security checks based on CIS guidelines. It can be further extended to add more checks as well.

Architecture

The Kube security check tool is a simple test suite based on Ginkgo. Once the binary is built, it can be run remotely by simply passing the KUBECONFIG environment variable which represents the path to a Kubernetes configuration file. Currently, it covers the following tests with respective Kubernetes fields:

• User impersonation
  • Impersonate Kubernetes calls as a user
• Do not admit container with restricted volume e.g flexVolume, hostPath
  • Volume - AllowedHostPaths
• Pod Security Policy:
  • Do not admit privileged containers
    • Security Context: privileged
  • Do not admit containers wishing to share the host process ID namespace
    • hostPID
  • Do not admit containers wishing to share the host IPC namespace
    • hostIPC
  • Do not admit containers wishing to share the host network namespace
    • hostNetwork
  • Do not admit containers with dangerous capabilities
    • allowedCapabilities

Install

Make sure to set the relevant namespace, service account, and context in the kubeconfig file.

export KUBECONFIG=~/.kube/config

Run the binary: k8s-sec-check

Usage

If checks are being run remotely using the KUBECONFIG file, users must set the following environment variables.

KUBECONFIG: Kubeconfig file absolute path.

• Set environment variable with KUBECONFIG to run the tests remotely.
• If the KUBECONFIG variable is not set, it sets to INCLUSTERCONFIG by default.

KUBE_NAMESPACE : Target Kubernetes namespace to run tests (default: k8s-sec-check)

KUBE_SERVICEACCOUNT: Target Kubernetes Service account to be used during tests. (default: k8s-sec-check)

Maintainers

Core Team : omega-core@verizonmedia.com

Contribute

Please refer to the contributing file for information about how to get involved. We welcome issues, questions, and pull requests.

License

Copyright 2019 Oath Inc. Licensed under the Apache License, Version 2.0 (the "License")