Kubescape is an open-source Kubernetes security platform for IDEs, CI/CD pipelines and clusters. It includes risk analysis, security compliance checks and misconfiguration scanning. It targets DevSecOps practitioners and platform engineers, offering an easy-to-use CLI, flexible output formats and automated scanning.
Kubescape scans clusters, YAML files and Helm charts. It detects misconfigurations against multiple frameworks, including NSA-CISA, MITRE ATT&CK® and the CIS Benchmark.
Kubescape was created by ARMO and is a Cloud Native Computing Foundation (CNCF) sandbox project.
https://github.com/kubescape/kubescape
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
Scan a running Kubernetes cluster:
kubescape scan --enable-host-scan
Example output:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 172 (Failed: 71, Excluded: 6, Skipped: 3)
Failed Resources by Severity: Critical — 0, High — 35, Medium — 143, Low — 18
+----------+---------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY | CONTROL NAME | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+---------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| High | Resources memory limit and request | 3 | 5 | 9 | 29% |
| High | Resource limits | 3 | 6 | 9 | 29% |
| High | Applications credentials in configuration files | 0 | 1 | 26 | 0% |
| High | List Kubernetes secrets | 1 | 3 | 20 | 5% |
| High | HostNetwork access | 1 | 5 | 9 | 10% |
| High | Writable hostPath mount | 1 | 3 | 9 | 10% |
| High | Insecure capabilities | 1 | 0 | 9 | 10% |
| High | HostPath mount | 1 | 4 | 9 | 10% |
| High | Resources CPU limit and request | 3 | 6 | 9 | 29% |
| High | Privileged container | 0 | 1 | 9 | 0% |
| High | Workloads with Critical vulnerabilities exposed to external traffic | 0 | 0 | 0 | skipped* |
| High | Workloads with RCE vulnerabilities exposed to external traffic | 0 | 0 | 0 | skipped* |
| High | CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive | 1 | 0 | 1 | 100% |
| High | CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false | 1 | 0 | 1 | 100% |
| High | CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate | 1 | 0 | 1 | 100% |
| High | CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set | 1 | 0 | 1 | 100% |
| High | CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate | 1 | 0 | 2 | 50% |
| High | CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive | 1 | 0 | 1 | 100% |
| High | CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive | 1 | 0 | 1 | 100% |
| High | CIS-5.2.2 Minimize the admission of privileged containers | 5 | 4 | 9 | 56% |
| High | CIS-5.2.11 Minimize the admission of Windows HostProcess Containers | 5 | 4 | 9 | 56% |
| High | CIS-5.7.3 Apply Security Context to Your Pods and Containers | 4 | 5 | 9 | 39% |
| Medium | Data Destruction | 0 | 1 | 20 | 0% |
| Medium | Non-root containers | 3 | 6 | 9 | 29% |
| Medium | Allow privilege escalation | 3 | 5 | 9 | 29% |
| Medium | Ingress and Egress blocked | 3 | 6 | 9 | 29% |
| Medium | Automatic mapping of service account | 11 | 44 | 55 | 20% |
| Medium | Access container service account | 1 | 5 | 6 | 17% |
| Medium | Cluster internal networking | 5 | 4 | 9 | 56% |
| Medium | Linux hardening | 3 | 1 | 9 | 29% |
| Medium | Configured liveness probe | 2 | 1 | 9 | 20% |
| Medium | Secret/ETCD encryption enabled | 1 | 0 | 1 | 100% |
| Medium | Audit logs enabled | 1 | 0 | 1 | 100% |
| Medium | Images from allowed registry | 4 | 5 | 9 | 39% |
| Medium | Workloads with excessive amount of vulnerabilities | 0 | 0 | 0 | skipped* |
| Medium | CVE-2022-0492-cgroups-container-escape | 3 | 1 | 9 | 29% |
| Medium | CIS-1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate | 1 | 0 | 1 | 100% |
| Medium | CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | 1 | 0 | 1 | 100% |
| Medium | CIS-1.3.1 Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate | 0 | 1 | 1 | 0% |
| Medium | CIS-3.2.1 Ensure that a minimal audit policy is created | 1 | 0 | 1 | 100% |
| Medium | CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive | 1 | 0 | 1 | 100% |
| Medium | CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true | 1 | 0 | 1 | 100% |
| Medium | CIS-5.1.2 Minimize access to secrets | 1 | 3 | 20 | 5% |
| Medium | CIS-5.1.5 Ensure that default service accounts are not actively used | 8 | 7 | 18 | 44% |
| Medium | CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary | 12 | 43 | 55 | 21% |
| Medium | CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place | 4 | 4 | 9 | 44% |
| Medium | CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.7 Minimize the admission of root containers | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.9 Minimize the admission of containers with added capabilities | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.10 Minimize the admission of containers with capabilities assigned | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.12 Minimize the admission of HostPath volumes | 5 | 4 | 9 | 56% |
| Medium | CIS-5.2.13 Minimize the admission of containers which use HostPorts | 5 | 4 | 9 | 56% |
| Medium | CIS-5.3.1 Ensure that the CNI in use supports Network Policies | 1 | 0 | 1 | 100% |
| Medium | CIS-5.3.2 Ensure that all Namespaces have Network Policies defined | 5 | 4 | 9 | 56% |
| Medium | CIS-5.7.1 Create administrative boundaries between resources using namespaces | 5 | 4 | 9 | 56% |
| Medium | CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | 3 | 2 | 9 | 29% |
| Medium | CIS-5.7.4 The default namespace should not be used | 3 | 3 | 116 | 3% |
| Low | Immutable container filesystem | 2 | 5 | 9 | 20% |
| Low | Configured readiness probe | 2 | 4 | 9 | 20% |
| Low | Network mapping | 5 | 4 | 9 | 56% |
| Low | PSP enabled | 1 | 0 | 1 | 100% |
| Low | Naked PODs | 1 | 0 | 10 | 10% |
| Low | Image pull policy on latest tag | 1 | 0 | 9 | 10% |
| Low | Label usage for resources | 1 | 2 | 9 | 10% |
| Low | K8s common labels usage | 2 | 6 | 9 | 20% |
| Low | CIS-1.2.17 Ensure that the API Server --profiling argument is set to false | 1 | 0 | 1 | 100% |
| Low | CIS-1.3.2 Ensure that the Controller Manager --profiling argument is set to false | 0 | 1 | 1 | 0% |
| Low | CIS-1.4.1 Ensure that the Scheduler --profiling argument is set to false | 0 | 1 | 1 | 0% |
| Low | CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | 1 | 0 | 1 | 100% |
| Low | CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | 1 | 0 | 1 | 100% |
+----------+---------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| | RESOURCE SUMMARY | 23 | 54 | 157 | 17.37% |
+----------+---------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORKS: ArmoBest (risk: 12.51), cis-v1.23-t1.0.1 (risk: 23.86), DevOpsBest (risk: 16.29), AllControls (risk: 11.71), MITRE (risk: 4.65), NSA (risk: 13.46)
Add --verbose for more detailed output:
kubescape scan --enable-host-scan --verbose
Scan a running Kubernetes cluster against the NSA framework:
kubescape scan framework nsa
Example output:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 22 (Failed: 13, Excluded: 4, Skipped: 2)
Failed Resources by Severity: Critical — 0, High — 5, Medium — 30, Low — 3
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY | CONTROL NAME | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| Critical | Disable anonymous access to Kubelet service | 0 | 0 | 0 | skipped* |
| Critical | Enforce Kubelet client TLS authentication | 0 | 0 | 0 | skipped* |
| High | Resource limits | 3 | 6 | 9 | 29% |
| High | Applications credentials in configuration files | 0 | 1 | 26 | 0% |
| High | HostNetwork access | 1 | 5 | 9 | 10% |
| High | Insecure capabilities | 1 | 0 | 9 | 10% |
| High | Privileged container | 0 | 1 | 9 | 0% |
| Medium | Exec into container | 0 | 1 | 71 | 0% |
| Medium | Non-root containers | 3 | 6 | 9 | 29% |
| Medium | Allow privilege escalation | 3 | 5 | 9 | 29% |
| Medium | Ingress and Egress blocked | 3 | 6 | 9 | 29% |
| Medium | Automatic mapping of service account | 11 | 44 | 55 | 20% |
| Medium | Cluster-admin binding | 0 | 1 | 71 | 0% |
| Medium | Cluster internal networking | 5 | 4 | 9 | 56% |
| Medium | Linux hardening | 3 | 1 | 9 | 29% |
| Medium | Secret/ETCD encryption enabled | 1 | 0 | 1 | 100% |
| Medium | Audit logs enabled | 1 | 0 | 1 | 100% |
| Low | Immutable container filesystem | 2 | 5 | 9 | 20% |
| Low | PSP enabled | 1 | 0 | 1 | 100% |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| | RESOURCE SUMMARY | 17 | 49 | 152 | 9.97% |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORK NSA
Scan a running Kubernetes cluster against the MITRE ATT&CK® framework:
kubescape scan framework mitre
Example output:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 20 (Failed: 9, Excluded: 6, Skipped: 2)
Failed Resources by Severity: Critical — 0, High — 4, Medium — 11, Low — 1
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY | CONTROL NAME | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| Critical | Disable anonymous access to Kubelet service | 0 | 0 | 0 | skipped* |
| Critical | Enforce Kubelet client TLS authentication | 0 | 0 | 0 | skipped* |
| High | Applications credentials in configuration files | 0 | 1 | 26 | 0% |
| High | List Kubernetes secrets | 2 | 10 | 71 | 3% |
| High | Writable hostPath mount | 1 | 3 | 9 | 10% |
| High | HostPath mount | 1 | 4 | 9 | 10% |
| High | Privileged container | 0 | 1 | 9 | 0% |
| Medium | Exec into container | 0 | 1 | 71 | 0% |
| Medium | Data Destruction | 1 | 17 | 71 | 1% |
| Medium | Delete Kubernetes events | 0 | 3 | 71 | 0% |
| Medium | Cluster-admin binding | 0 | 1 | 71 | 0% |
| Medium | CoreDNS poisoning | 0 | 3 | 71 | 0% |
| Medium | Access container service account | 3 | 37 | 40 | 8% |
| Medium | Cluster internal networking | 5 | 4 | 9 | 56% |
| Medium | Secret/ETCD encryption enabled | 1 | 0 | 1 | 100% |
| Medium | Audit logs enabled | 1 | 0 | 1 | 100% |
| Low | PSP enabled | 1 | 0 | 1 | 100% |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
| | RESOURCE SUMMARY | 10 | 49 | 108 | 2.67% |
+----------+-------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORK MITRE
Scan for a specific control by control name or control ID (see the list of controls):
kubescape scan control "Privileged container"
Example output:
[fatal] control 'Privileged container' not found
Use a different kubeconfig file:
kubescape scan --kubeconfig cluster.conf
Scan specific namespaces:
kubescape scan --include-namespaces development,staging,production
Exclude certain namespaces:
kubescape scan --exclude-namespaces kube-system,kube-public
Scan local YAML/JSON files before deployment:
kubescape scan *.yaml
Example output:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Controls: 35 (Failed: 17, Excluded: 0, Skipped: 0)
Failed Resources by Severity: Critical — 0, High — 4, Medium — 9, Low — 4
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY | CONTROL NAME | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| High | Resources memory limit and request | 1 | 0 | 1 | 100% |
| High | Resource limits | 1 | 0 | 1 | 100% |
| High | Resources CPU limit and request | 1 | 0 | 1 | 100% |
| High | CIS-5.7.3 Apply Security Context to Your Pods and Containers | 1 | 0 | 1 | 100% |
| Medium | Non-root containers | 1 | 0 | 1 | 100% |
| Medium | Allow privilege escalation | 1 | 0 | 1 | 100% |
| Medium | Ingress and Egress blocked | 1 | 0 | 1 | 100% |
| Medium | Linux hardening | 1 | 0 | 1 | 100% |
| Medium | Configured liveness probe | 1 | 0 | 1 | 100% |
| Medium | Images from allowed registry | 1 | 0 | 1 | 100% |
| Medium | CVE-2022-0492-cgroups-container-escape | 1 | 0 | 1 | 100% |
| Medium | CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | 1 | 0 | 1 | 100% |
| Medium | CIS-5.7.4 The default namespace should not be used | 1 | 0 | 1 | 100% |
| Low | Immutable container filesystem | 1 | 0 | 1 | 100% |
| Low | Configured readiness probe | 1 | 0 | 1 | 100% |
| Low | Pods in default namespace | 1 | 0 | 1 | 100% |
| Low | K8s common labels usage | 1 | 0 | 1 | 100% |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| | RESOURCE SUMMARY | 1 | 0 | 1 | 46.45% |
+----------+--------------------------------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORKS: ArmoBest (risk: 42.72), cis-v1.23-t1.0.1 (risk: 64.00), DevOpsBest (risk: 68.29), AllControls (risk: 43.67), MITRE (risk: 0.00), NSA (risk: 40.51)
Scan Kubernetes manifests from a Git repository:
kubescape scan https://github.com/kubescape/kubescape
Specify an exceptions file when scanning:
kubescape scan --exceptions examples/exceptions/exclude-kube-namespaces.json
Excluded objects are reported as exclude rather than fail.
Scan Helm charts:
kubescape scan </path/to/directory>
Note: Kubescape loads the default VALUES file.
Scan a Kustomize directory:
kubescape scan </path/to/directory>
Note: Kubescape generates Kubernetes YAML objects from the kustomize files and then scans them.
JSON:
kubescape scan --format json --format-version v2 --output results.json
Note: add the `--format-version v2` flag for maximum compatibility.
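As an added example (not part of the original post or the Kubescape project), a small CI gate that reads `--format json --format-version v2` output and fails the build when any control at or above a chosen severity has failed resources; excluded resources, as produced by an exceptions file, are counted separately and never fail the gate. The JSON shape (summaryDetails.controls with status, scoreFactor and ResourceCounters), the scoreFactor-to-severity thresholds and the control IDs in the sample are assumptions, and the report itself is a constructed sample.

```python
import json

# Constructed sample in the assumed shape of `--format json --format-version v2` output (summaryDetails.controls only).
SAMPLE_RESULT = json.dumps({"summaryDetails": {"controls": {
    "C-0057": {"name": "Privileged container", "scoreFactor": 8.0,
               "status": {"status": "passed"},
               "ResourceCounters": {"failedResources": 0, "excludedResources": 1,
                                    "passedResources": 8}},
    "C-0016": {"name": "Allow privilege escalation", "scoreFactor": 6.0,
               "status": {"status": "failed"},
               "ResourceCounters": {"failedResources": 3, "excludedResources": 5,
                                    "passedResources": 1}},
    "C-0048": {"name": "HostPath mount", "scoreFactor": 7.0,
               "status": "failed",  # assumed: some reports carry a bare status string
               "ResourceCounters": {"failedResources": 1, "excludedResources": 4,
                                    "passedResources": 4}},
}}})

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def severity(score_factor):
    """Map a control's numeric scoreFactor to a severity label (assumed thresholds)."""
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"


def failed_controls(report_json, min_severity="High"):
    """Return (id, name, severity, failed, excluded) for each failed control at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for cid, ctl in json.loads(report_json)["summaryDetails"]["controls"].items():
        status = ctl.get("status")
        if isinstance(status, dict):  # tolerate both the object and the bare-string form
            status = status.get("status")
        sev = severity(ctl.get("scoreFactor", 0))
        counters = ctl.get("ResourceCounters", {})
        # Excluded resources (from an exceptions file) are reported, but only failed ones trip the gate.
        if status == "failed" and SEVERITY_ORDER.index(sev) >= threshold:
            hits.append((cid, ctl["name"], sev,
                         counters.get("failedResources", 0), counters.get("excludedResources", 0)))
    return sorted(hits)


def gate(report_json, min_severity="High"):
    """CI gate: True when no control at or above min_severity has failed resources."""
    return not failed_controls(report_json, min_severity)
```

In a pipeline, feed the contents of results.json to gate() and exit non-zero when it returns False.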
JUnit XML:
kubescape scan --format junit --output results.xml
PDF:
kubescape scan --format pdf --output results.pdf
Prometheus metrics:
kubescape scan --format prometheus
HTML:
kubescape scan --format html --output results.html
Show all scanned resources (including those that passed):
kubescape scan --verbose
Application vulnerabilities are an important part of a Kubernetes security posture. Kubescape provides controls that examine the relationship between Kubernetes manifests and image vulnerabilities.
When this feature is enabled, Kubescape combines image vulnerability information with the contents of the Kubernetes manifests to produce accurate results.
The feature is enabled by running Kubescape with an API token:
kubescape scan --submit --account=<account ID> --client-id=<generated client id> --secret-key=<generated secret key>
helm upgrade --install kubescape kubescape/kubescape-cloud-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set account=<account ID> --set clientID=<generated client id> --set secretKey=<generated secret key>
See the Kubescape GitHub repository for more information.
Done!