In the past few years, the use of containers and microservices has grown enormously, and Kubernetes clusters have become a common way to deploy application workloads. However, these clusters suffer security breaches because of over-permissive states and security misconfigurations. Organizations and individual users now need monitoring and observability strategies that help identify common vulnerabilities and test the resilience of their Kubernetes environments. Several open-source tools are freely available online for this. Here are some reliable security tools a user can choose from when working with Kubernetes.
Kube-hunter is an open-source tool for finding security weaknesses in Kubernetes clusters. It was developed by Aqua Security, a container security firm.
There are three ways to run Kube-hunter, each offering a different view of a cluster's weaknesses. First, run Kube-hunter on any machine (such as a laptop), select remote scanning and give it the domain name or IP address of the Kubernetes cluster. This provides a view of the entire Kubernetes system from an external attacker's perspective. Second, run Kube-hunter directly on a machine in the cluster and have it investigate all the local network interfaces. Third, run Kube-hunter in a pod inside the cluster. This shows how exposed the cluster would be if, for example, one of the application pods were compromised through a software vulnerability.
This tool is offered as a container and is available on the website kube-hunter.aquasec.com, where interested users can register online to receive a token that lets them view or share their results online. Users can also run the Python code themselves. Its latest version, v0.5.0, was released in April.
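The third mode described above (scanning from inside the cluster), as an added example that is not the kube-hunter project's own manifest: a Kubernetes Job running the scanner in a dedicated namespace. The image name and the --pod and --report flags are assumed from the kube-hunter project; the namespace and job name are placeholders.

```yaml
# Added example, not from the kube-hunter repository: run kube-hunter as a Job
# inside the cluster (the "pod" mode), with results written as JSON.
# Assumptions: image aquasec/kube-hunter with kube-hunter as its entrypoint,
# flags --pod and --report; "security-scans" and the job name are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: security-scans
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
  namespace: security-scans
spec:
  backoffLimit: 0                    # a failed scan should not be retried silently
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: true   # the scan reports what this pod's token can reach
      containers:
        - name: kube-hunter
          image: aquasec/kube-hunter
          # --pod: scan from the pod's point of view; --report json makes the
          # findings easy to archive and diff between scheduled scans.
          args: ["--pod", "--report", "json"]
          resources:
            limits:
              cpu: "500m"
              memory: "256Mi"
# The other two modes from the text use the same image from a workstation or
# a cluster node instead of a pod:
#   --remote <ip-or-hostname>   external view of the cluster's exposed endpoints
#   --interface                 scan every local network interface of the host
# Read the findings with: kubectl -n security-scans logs job/kube-hunter
```

Review the JSON findings against the cluster's intended exposure; a scan that runs with an over-privileged service account shows exactly what a compromised pod would be able to see.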
Kube-monkey is an open-source implementation of Netflix's Chaos Monkey for Kubernetes clusters. It is written in Go and tests the failure resilience of a system by randomly deleting Kubernetes pods in the cluster.
This tool works on an opt-in model: testing applies only to those Kubernetes clusters that agree to take part (opt in). The tool runs as a deployment in the Kubernetes cluster and deletes pods through the Kubernetes API to inject failure and test the stability of the remaining pods. It cannot interrupt the nodes themselves or affect the network or I/O; it is purely a pod-killing tool. Nonetheless, it is fast to deploy and configure, allowing users to simulate and test their product's resiliency to pod failure. Pod termination is scheduled once a day on weekdays at a configurable time (the default is 8 a.m.). This type of testing helps show how quickly the entire system, or specific services, come back online after a random outage at the microservice level.
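How the opt-in and the daily schedule described above are expressed, as an added example rather than the kube-monkey project's own files: a Deployment that opts in through labels, plus the settings that bound when kube-monkey may act. The kube-monkey/* label names and config.toml keys are assumed from the kube-monkey README; the "web" workload, namespaces and image are placeholders.

```yaml
# Added example, not from the kube-monkey project: opt one Deployment in to
# pod killing and limit kube-monkey to a dry run during a daytime window.
# Assumptions: label names and config.toml keys as documented in the
# kube-monkey README; "web", "shop" and nginx:1.25 are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: shop
  labels:
    kube-monkey/enabled: enabled      # opt in: unlabeled deployments are never touched
    kube-monkey/identifier: web       # must match the pod template label below
    kube-monkey/mtbf: "2"             # mean time between failures, in days
    kube-monkey/kill-mode: fixed      # kill a fixed number of pods per run...
    kube-monkey/kill-value: "1"       # ...namely one, so two replicas keep serving
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
        kube-monkey/enabled: enabled
        kube-monkey/identifier: web
    spec:
      containers:
        - name: web
          image: nginx:1.25
---
# Scheduler settings, mounted into the kube-monkey deployment as config.toml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-monkey-config-map
  namespace: kube-system
data:
  config.toml: |
    [kubemonkey]
    dry_run = true                 # only log what would be killed; set false when ready
    run_hour = 8                   # build the day's kill schedule at 08:00 (the default)
    start_hour = 10                # terminations happen only between 10:00...
    end_hour = 16                  # ...and 16:00 local time
    time_zone = "America/New_York"
    blacklisted_namespaces = ["kube-system"]
```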
The tool is open source and free for anyone to download, share or use. Further details on using Kube-monkey can be found in its official GitHub repository. The latest version, Release 0.3.0, was released in November 2018.
Kube-burner is a tool for stressing Kubernetes clusters and stress-testing several OpenShift components by coordinating the creation and deletion of k8s resources. It works well with vanilla Kubernetes and other distributions; all it needs is the Kubernetes API.
The tool is a statically compiled binary written in Go that makes thorough use of the client-go library to talk to the API. Its configuration is defined in a YAML file, and it can create or delete thousands of the objects described there. Its features can be summarized in three steps: creating or deleting the objects declared in the jobs, collecting the desired on-cluster Prometheus metrics, and writing or indexing them to the configured TSDB. In addition, the tool offers standalone metrics collection, alerting, PProf collection, and pod startup latency measurements.
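The create/delete jobs and the pod startup latency measurement described above, as an added example and not a file from the kube-burner project: a job file that creates a burst of Deployments, records pod latency, then deletes them. The global/jobs/objects/measurements keys are assumed from the kube-burner documentation; templates/deployment.yml, the namespace and the image are placeholders.

```yaml
# Added example, not from the kube-burner project: create 100 Deployments at a
# throttled rate, measure pod startup latency, then delete them by label.
# Assumptions: configuration keys as documented by kube-burner; the template
# file templates/deployment.yml is a placeholder holding a Deployment spec that
# uses {{.Replica}} and {{.containerImage}}; the pause image is a placeholder.
global:
  writeToFile: true                  # keep collected metrics on local disk...
  metricsDirectory: collected-metrics
  indexerConfig:
    enabled: false                   # ...instead of indexing them into a TSDB
  measurements:
    - name: podLatency               # built-in pod startup latency measurement
jobs:
  - name: api-density
    jobType: create
    jobIterations: 50                # 50 iterations x 2 replicas = 100 Deployments
    namespace: kube-burner-density
    namespacedIterations: false      # all iterations land in one namespace
    qps: 10                          # throttle API calls so the test stresses the
    burst: 10                        #   scheduler/kubelet path, not only the API server
    waitWhenFinished: true           # wait until every pod is Ready before moving on
    verifyObjects: true              # confirm the expected object count exists
    cleanup: false                   # leave objects in place for the delete job below
    objects:
      - objectTemplate: templates/deployment.yml
        replicas: 2
        inputVars:
          containerImage: registry.k8s.io/pause:3.9
  - name: api-density-cleanup
    jobType: delete
    waitForDeletion: true            # block until the objects are really gone
    objects:
      - kind: Deployment
        apiVersion: apps/v1
        labelSelector: {kube-burner-job: api-density}   # label stamped on created objects
```

Run the file in a non-production cluster and compare the podLatency results between runs to spot scheduling or kubelet regressions.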
It is open source and available for anyone to use, share or download. Its latest version, v0.9.1, was released in March and added several custom template functions along with other enhancements.
Sonobuoy is an open-source diagnostic tool for understanding the overall security level of a Kubernetes cluster by running a set of plugins, including the Kubernetes conformance tests. It is extensible, cluster-agnostic, and customizable, and it generates clear, informative reports about the cluster.
The tool takes selective data dumps of Kubernetes resource objects and cluster nodes, which supports the following use cases: workload debugging, integrated end-to-end conformance testing, and custom data collection via extensible plugins. From version 0.20, it supports Kubernetes v1.17 or later. Its releases are independent of the Kubernetes release cycle, while new releases continue to work across different Kubernetes versions. Plugin support (for example, the reliability scanner project) allows operators and developers to extend the system with extra tests.
This diagnostic tool is powered by the Certified Kubernetes Conformance Program, founded by the Cloud Native Computing Foundation (CNCF) and used by every Certified Kubernetes Service Provider. Its latest version, v0.50.0, was released in March with support for distroless images.
PowerfulSeal is a testing tool that injects failure into Kubernetes clusters so that users can identify problems as early as possible. It lets users write scenarios that define complete chaos experiments. The tool works with OpenStack, Kubernetes, Azure, AWS, local machines, and Google Cloud Platform.
The tool is designed specifically for the Kubernetes environment. It can discover the objects running in each container, so it knows exactly which things to break for a test. It has multiple modes for different use cases. For example, interactive mode lets systems engineers experiment and observe how the cluster behaves, and over time build their own testing policies. It supports YAML policies that describe complete chaos experiments. These policies can be fine-tuned in many ways, such as rules for the time of day, probability, how much of the application to break, or where to break it. Once deployed, the tool runs in autonomous mode.
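A policy of the kind described above, as an added example that is not from the PowerfulSeal project: it kills one pod of a deployment only on weekdays during business hours, with a probability, and then probes the service to confirm it survived. The scenarios/podAction/filters/actions/probeHTTP schema is assumed from the PowerfulSeal 3.x documentation; the "payments" namespace, deployment and service are placeholders.

```yaml
# Added example, not from the PowerfulSeal project: an autonomous-mode policy
# combining a time-of-day rule, a probability, a sample size and a health probe.
# Assumptions: policy schema as documented for PowerfulSeal 3.x;
# the "payments" deployment, namespace and service are placeholders.
config:
  runStrategy:
    minSecondsBetweenRuns: 300       # pause between scenario runs in autonomous mode
    maxSecondsBetweenRuns: 900
scenarios:
  - name: Kill one payments pod during business hours
    steps:
      - podAction:
          matches:                   # where to break: pods of one deployment
            - deployment:
                name: payments
                namespace: payments
          filters:
            - dayTime:               # rule for the time of day
                onlyDays: [monday, tuesday, wednesday, thursday, friday]
                startTime: {hour: 10, minute: 0, second: 0}
                endTime: {hour: 16, minute: 0, second: 0}
            - randomSample:          # how much of the application to break
                size: 1
          actions:
            - kill:
                probability: 0.5     # roughly every other run actually kills
                force: true
      - wait:
          seconds: 30                # give the replacement pod time to start
      - probeHTTP:                   # the scenario fails if the service is down
          target:
            service:
              name: payments
              namespace: payments
              port: 80
          endpoint: /healthz
```

A failing probe after the kill is the finding to act on: it means the deployment's replica count, readiness probes or disruption budget do not cover the loss of a single pod.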
This tool is released as open source via Bloomberg's GitHub repository and is freely available to use. The latest version, 3.2.0, was released in April and added Alertmanager silencing support. The tool is inspired by the infamous Netflix Chaos Monkey.
Identify and fix Kubernetes security holes with these tools
With the significant rise of new architectures such as microservices and container orchestration tools, the way these clusters are monitored and tested is changing, and now involves new concepts such as observability. The tools mentioned above can help get a little closer to identifying and mitigating security misconfigurations related to these latest trends and concepts. Moreover, using them can help DevOps teams manage their Kubernetes clusters better.