Kubescape & Polaris — The security guard for your Kubernetes
Notes on Kubernetes hardening from the 7th week of the PKOS study
Kubernetes hardening refers to the measures taken to reduce the attack surface of a Kubernetes cluster and the workloads running on it. The Kubernetes Hardening Guide published by the National Security Agency (NSA) together with CISA recommends the following:
- scanning containers and Pods for vulnerabilities or misconfiguration
- running them with the least privileges possible
- using network separation to control damage
- limiting network connectivity through firewalls and using encryption to protect confidentiality
- using strong authentication and authorization to limit user and administrator access
- monitoring audit logs for potential malicious activity
- periodically reviewing Kubernetes settings
- using vulnerability scans to ensure risks are appropriately accounted for and security patches are applied.
These recommendations are generic, however, and each of them maps to concrete settings that have to be addressed. For example, containers should not run as the root user, but many still do: developers build images whose main process runs as UID 0 because it is easy, even though the application does not need privileged execution. Root inside a container is one weakness away from root on the node; a writable host mount, a capability that was never dropped, or a kernel bug turns it into a full escape. The Kubernetes ecosystem also has its own vulnerabilities, such as the privilege escalation flaw in capsule-proxy, the reverse proxy of the Capsule multi-tenancy operator (CVE-2022-23652).
To keep applications secure, DevOps engineers and SREs should follow the recommendations in the NSA/CISA Cybersecurity Technical Report, review Kubernetes settings regularly, and run vulnerability scans on a schedule. A default Kubernetes install is not secure as shipped, so the orchestration platform has to be configured deliberately and re-validated periodically to keep risk down.
Kubescape is an open-source Kubernetes security tool that brings risk analysis, security compliance, RBAC visualization, and image vulnerability scanning together in one view. It scans live clusters, YAML manifests, and Helm charts for misconfigurations against several frameworks, including the NSA-CISA hardening guide and MITRE ATT&CK, and computes a risk score from the results so that trends can be tracked over time. Because the same checks run against manifests, they can be applied early in the CI/CD pipeline, before a misconfiguration ever reaches a cluster.
Kubescape has been one of the fastest-growing Kubernetes tools among developers. Its CLI, flexible output formats (including JSON for machine consumption in CI), and automated scanning make it popular with both users and cluster admins, since it saves the time and effort of checking configurations by hand. Kubescape also integrates with DevOps tools such as Jenkins, CircleCI, GitHub workflows, Prometheus, and Slack, and works against managed clusters such as EKS, GKE, and AKS.
Kubescape is built on the OPA engine: its controls are Rego policies maintained by ARMO, so results are reproducible and the control set can be inspected or extended. Between configuration scanning, image vulnerability scanning, and risk trends, it covers most of what the hardening guide asks a cluster operator to check.
Kubescape is used from the CLI. After installation, the “scan” command checks the Kubernetes cluster that the current kubeconfig context points to.
To install Kubescape, the project's README suggests piping its install script into bash:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Piping a script fetched over HTTPS straight into a shell runs whatever the server returns, so in a hardened environment download the script (or the pinned release binary from the project's GitHub releases page) first, inspect it, and only then run it. Once Kubescape is installed, scan the cluster in the current kubeconfig context; with the “--submit” flag the results are also uploaded to the hosted portal, where they can be viewed in a browser.
kubescape scan --submit --enable-host-scan --verbose
This command deploys Kubescape's host scanner on the nodes so that node-level settings (such as the kubelet configuration) are checked alongside the API objects, submits the results, and prints verbose output. The same binary scans manifests before they are applied, for example “kubescape scan framework nsa *.yaml”, and “--format json --output results.json” produces a report that a pipeline step can parse, so Kubescape fits into existing Jenkins, CircleCI, or GitHub workflow pipelines without extra tooling.
Polaris is an open-source project from Fairwinds that identifies configuration issues in Kubernetes workloads that could impact stability, reliability, scalability, and security. Creating a Kubernetes cluster is straightforward; running it efficiently at scale while keeping it secure is not. Common mistakes made at deployment time lead to significant problems later. For example, omitting resource requests breaks autoscaling decisions and can let a workload starve its neighbours of CPU or memory. Polaris is designed to catch such problems before they reach a cluster.
Polaris offers a dashboard for auditing the workload configurations already running in a cluster, and a CLI for auditing Kubernetes YAML files, which is how it fits into a pipeline.
Polaris also ships an admission webhook that rejects new deployments which do not meet the configured standard, so a bad manifest never becomes a running workload. Its checks cover container health checks (liveness and readiness probes), image tags (an untagged or :latest image), networking (hostNetwork, hostPort, hostPID), security settings (running as root, privileged mode, privilege escalation, added capabilities, writable root filesystem), and resource requests and limits.
Polaris can be installed with Helm. Add the Fairwinds stable repository, pull the chart, and install it into its own namespace (pass a values file with -f only if you need to override the chart defaults):
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm fetch --untar fairwinds-stable/polaris
cd polaris
helm install polaris . --namespace polaris --create-namespace
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
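As an added example (not Polaris's or Kubescape's own code), the following script models what the checks described above look for, so that the root-user problem from the hardening discussion and the Polaris check categories can be seen on concrete manifests. Two constructed Deployments are embedded, one written the careless way and one hardened; the check identifiers follow Polaris's naming, the score is the percentage of passing checks, and the exit codes are this example's own convention, not Polaris's. The real equivalent of the gate is “polaris audit --audit-path ./manifests --set-exit-code-on-danger --set-exit-code-below-score 90”.

```python
"""Manifest pre-commit audit modelled on the Polaris check set (added example).

Workloads are given as Python dicts, the JSON form of the YAML kubectl applies.
Stdlib only: it runs with no cluster and no polaris binary.
"""
from __future__ import annotations

DANGER, WARNING = "danger", "warning"
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN"}   # Polaris's dangerousCapabilities set
CHECKS_PER_POD, CHECKS_PER_CONTAINER = 2, 12          # used for the score below


def pod_spec(obj: dict) -> dict:
    """PodSpec of a Pod, or of a workload (Deployment, Job, ...) wrapping a Pod template."""
    return obj["spec"] if obj.get("kind") == "Pod" else obj["spec"]["template"]["spec"]


def image_pinned(image: str) -> bool:
    """True if the image carries a digest or an explicit tag other than :latest."""
    if "@" in image:
        return True
    last = image.rsplit("/", 1)[-1]            # ignore a registry:port prefix
    return ":" in last and last.rsplit(":", 1)[1] != "latest"


def audit(obj: dict) -> list[tuple[str, str, str]]:
    """Return (check_id, severity, scope) for every failed check."""
    spec = pod_spec(obj)
    psc = spec.get("securityContext", {})
    out = []
    if spec.get("hostNetwork"):
        out.append(("hostNetworkSet", DANGER, "pod"))
    if spec.get("hostPID"):
        out.append(("hostPIDSet", DANGER, "pod"))
    for c in spec.get("containers", []):
        name, csc = c["name"], c.get("securityContext", {})
        # runAsNonRoot/runAsUser may be set on the Pod and overridden per container.
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is True
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        if not (non_root or (uid is not None and uid > 0)):
            out.append(("runAsRootAllowed", DANGER, name))
        if csc.get("privileged"):
            out.append(("runAsPrivileged", DANGER, name))
        if csc.get("allowPrivilegeEscalation") is not False:   # defaults to true
            out.append(("privilegeEscalationAllowed", DANGER, name))
        if csc.get("readOnlyRootFilesystem") is not True:
            out.append(("notReadOnlyRootFilesystem", WARNING, name))
        if set(csc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS:
            out.append(("dangerousCapabilities", DANGER, name))
        if not image_pinned(c.get("image", "")):
            out.append(("tagNotSpecified", DANGER, name))
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                out.append((probe + "Missing", WARNING, name))
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    out.append((f"{r}{kind.capitalize()}Missing", WARNING, name))
    return out


def score(obj: dict) -> int:
    """Percentage of checks that passed, like the Polaris dashboard score."""
    total = CHECKS_PER_POD + CHECKS_PER_CONTAINER * len(pod_spec(obj).get("containers", []))
    return round(100 * (total - len(audit(obj))) / total)


def gate(obj: dict, min_score: int = 90) -> int:
    """CI exit status (this example's convention): 3 on any danger finding,
    4 when the score is below min_score, 0 when the manifest may be applied."""
    findings = audit(obj)
    if any(sev == DANGER for _, sev, _ in findings):
        return 3
    return 4 if score(obj) < min_score else 0


# Constructed sample manifests: the way many first deployments look, and the fixed version.
WEAK = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}],
}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.25",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                                  "limits": {"cpu": "500m", "memory": "128Mi"}},
                    "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},
                    "readinessProbe": {"httpGet": {"path": "/", "port": 8080}}}],
}}}}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: score {score(m)}, exit {gate(m)}")
        for check, sev, scope in audit(m):
            print(f"  [{sev}] {scope}: {check}")
```

The weak manifest fails 13 of 14 checks, and the hardened one passes all of them; the difference is exactly the set of securityContext, probe, image-tag and resource fields that both Kubescape and Polaris flag, which is why fixing them at manifest-review time is cheaper than after the admission webhook has rejected a rollout.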
Authentication and authorization in Kubernetes are two distinct steps that every API request passes through, in that order, before admission control. Authentication establishes who the caller is; it can be thought of as logging in. Authorization then checks whether that authenticated identity is permitted to perform the requested action on the requested resource.
Kubernetes distinguishes two types of accounts: user accounts and service accounts.
- User Accounts: A user account corresponds to a human user ID in the usual sense. Kubernetes has no user object and no built-in user store; users are established by an external mechanism such as client certificates, OIDC tokens from an identity provider, or a webhook token authenticator, and only the resulting user name and groups are seen by the API server.
- Service Accounts: Service accounts are the identities of processes running in Pods (and of any other client that presents a service account token) when they call the Kubernetes API. They are namespaced Kubernetes objects managed by the API server itself, and are kept separate from user accounts.
Creating a service account is simple: kubectl create sa {service account name} creates one in the current namespace. Every Pod is assigned the default service account of its namespace unless its spec names another one, and that account's token is mounted into the Pod automatically; the default account has no RBAC bindings, so it cannot read cluster information. For Pods that never call the API, set automountServiceAccountToken: false so the token is not exposed at all. Among the predefined ClusterRoles, view grants read-only (get, list, watch) access to most namespaced resources, deliberately excluding Secrets; it has to be bound to a service account with a RoleBinding or ClusterRoleBinding before the account gains any access.
For example, to create a service account named foo, run:
kubectl create sa foo
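To see what binding the view ClusterRole to that service account actually grants, here is an added example (not kubectl's code) that models the RBAC decision “kubectl auth can-i” makes. The role rules and bindings are constructed and embedded: a reduced copy of view, a RoleBinding created the way “kubectl create rolebinding foo-view --clusterrole=view --serviceaccount=default:foo -n default” would, and a ClusterRoleBinding to the system:serviceaccounts:monitoring group to show how namespace scoping differs between the two binding kinds.

```python
"""Minimal model of Kubernetes RBAC authorization (added example, not kubectl's code).

It answers what `kubectl auth can-i VERB RESOURCE --as=system:serviceaccount:NS:NAME`
would answer, using the constructed Role/Binding objects embedded below.
"""
from __future__ import annotations

# A subset of the built-in "view" ClusterRole (the real one lists many more
# resources and deliberately omits Secrets) plus cluster-admin for contrast.
CLUSTER_ROLES = {
    "view": [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLES = {}   # (namespace, name) -> rules of namespaced Roles; none are needed here

BINDINGS = [
    # kubectl create rolebinding foo-view --clusterrole=view --serviceaccount=default:foo -n default
    {"kind": "RoleBinding", "namespace": "default",
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "foo", "namespace": "default"}]},
    # A ClusterRoleBinding to a service-account group: every SA in "monitoring" can read everywhere.
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:monitoring"}]},
]


def sa_identity(namespace: str, name: str) -> dict:
    """User name and groups the API server derives from a service account token."""
    return {"user": f"system:serviceaccount:{namespace}:{name}",
            "groups": {"system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                       "system:authenticated"},
            "sa": (namespace, name)}


def subject_matches(subject: dict, ident: dict) -> bool:
    kind = subject["kind"]
    if kind == "ServiceAccount":
        return (subject.get("namespace"), subject["name"]) == ident["sa"]
    if kind == "User":
        return subject["name"] == ident["user"]
    return kind == "Group" and subject["name"] in ident["groups"]


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    def hit(values, want):
        return "*" in values or want in values
    return hit(rule["apiGroups"], group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def rules_for(binding: dict) -> list:
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(ref["name"], [])
    return ROLES.get((binding["namespace"], ref["name"]), [])


def can_i(ident: dict, verb: str, resource: str, namespace: str | None = None, group: str = "") -> bool:
    """RBAC is deny by default: allow only if a binding names the subject and carries
    a rule matching (apiGroup, resource, verb) in the scope of the request.
    namespace=None means a cluster-scoped request (e.g. nodes)."""
    for b in BINDINGS:
        if not any(subject_matches(s, ident) for s in b["subjects"]):
            continue
        # A RoleBinding, even one that references a ClusterRole, only applies in its namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, group, resource, verb) for r in rules_for(b)):
            return True
    return False


if __name__ == "__main__":
    foo = sa_identity("default", "foo")
    for verb, res, ns, grp in (("list", "pods", "default", ""), ("list", "pods", "kube-system", ""),
                               ("delete", "pods", "default", ""), ("get", "secrets", "default", "")):
        print(f"foo can {verb} {res} in {ns}: {can_i(foo, verb, res, ns, grp)}")
```

Two things are worth noticing. The default service account has no binding at all, so every query about it comes back false, and a RoleBinding that references a ClusterRole still applies only in its own namespace, which is the safer way to hand out view. A ClusterRoleBinding to a group such as system:serviceaccounts:<ns> instead grants read access to every current and future service account in that namespace across the whole cluster. The live check is kubectl auth can-i list pods --as=system:serviceaccount:default:foo -n default.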
Kubernetes supports several ways of authenticating to the API server, chosen according to the client and purpose.
- Basic HTTP Auth: This method sends the user ID and password with every HTTP request. It is not recommended, and the static password file that backed it (--basic-auth-file) was deprecated in Kubernetes 1.16 and removed in 1.19.
- Access Token via HTTP Header: The common approach for REST APIs. After the user is authenticated, the token issued to them is sent with each request in the Authorization header as “Authorization: Bearer <token>”. Service account tokens, OIDC ID tokens, and static token files all use this form.
- Client Certificate: The client presents an X.509 certificate signed by the API server's client CA (mutual TLS); the certificate's CN becomes the user name and its O fields become group names. This gives the highest assurance, but it requires a PKI and ongoing certificate management, and since the API server does not check revocation lists, a leaked certificate stays valid until it expires or the CA is rotated, so issue short-lived certificates.
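The following added example (not the API server's code) shows the concrete form the last two methods take on the wire and how the API server turns each into a user name plus groups, which is what RBAC later authorizes: a static token file in the --token-auth-file format (with constructed placeholder tokens) consulted for an Authorization: Bearer header, a Basic header refused outright, and the CN-to-user, O-to-group mapping of a client certificate subject. Certificate chain validation against the client CA is assumed to have happened already and is not modelled.

```python
"""Model of how kube-apiserver turns a credential into an identity (added example,
not the API server's code). Two authenticators are modelled: the static token file
(--token-auth-file, one 'token,user,uid,"group1,group2"' line per user) consulted for
Authorization: Bearer headers, and the x509 client-certificate mapping (CN is the user
name, each O is a group). HTTP Basic is refused, as the API server has done since
--basic-auth-file was removed in Kubernetes 1.19.
"""
from __future__ import annotations
import csv
import hmac
import io

# Constructed token file; the tokens are placeholders, not real credentials.
TOKEN_FILE = """\
31ada4fd-adec-460c-809a-9e56ceb75269,alice,1001,"developers,oncall"
2d1f6b3e-7a0f-4c6b-9b1e-0c9f3f0e1a55,ci-bot,1002,
"""


def load_token_file(text: str) -> dict[str, dict]:
    """Parse the static token file format into token -> identity."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        token, user, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[token] = {"user": user, "uid": uid, "groups": groups}
    return users


def authenticate_bearer(headers: dict, users: dict) -> tuple[dict | None, str | None]:
    """Return (identity, None) on success or (None, reason) on failure."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        return None, "basic auth is not accepted"
    if scheme.lower() != "bearer" or not cred:
        return None, "no bearer token"
    for token, ident in users.items():
        # constant-time compare so a wrong token cannot be narrowed down byte by byte
        if hmac.compare_digest(token.encode(), cred.encode()):
            return {**ident, "groups": ident["groups"] + ["system:authenticated"]}, None
    return None, "unknown token"


def parse_subject(dn: str) -> dict:
    """Parse an OpenSSL-style subject such as '/CN=jane/O=dev/O=ops' (simplified:
    values containing '/' are not handled). O may repeat, so it collects into a list."""
    subject: dict = {}
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "O":
            subject.setdefault("O", []).append(value)
        else:
            subject[key] = value
    return subject


def identity_from_cert(subject: dict) -> tuple[dict | None, str | None]:
    """x509 authenticator mapping. Assumes the certificate has already been verified
    against the API server's client CA (--client-ca-file); only the subject is used."""
    cn = subject.get("CN")
    if not cn:
        return None, "certificate subject has no CN"
    return {"user": cn, "groups": list(subject.get("O", [])) + ["system:authenticated"]}, None


if __name__ == "__main__":
    users = load_token_file(TOKEN_FILE)
    print(authenticate_bearer({"Authorization": "Bearer 31ada4fd-adec-460c-809a-9e56ceb75269"}, users))
    print(authenticate_bearer({"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}, users))
    print(identity_from_cert(parse_subject("/CN=jane/O=dev/O=ops")))
```

Whichever method is used, what reaches the authorizer is only the user name and the group list; every authenticated caller is also put into system:authenticated, so a ClusterRoleBinding to that group is effectively a grant to anyone holding any valid credential.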