Day 1: Kubernetes Security - Kubesec

Reference: https://kubesec.io/

Kubesec is an open-source security scanner for Kubernetes resource manifests. It takes a Kubernetes YAML file as input, checks each object in it against a fixed set of rules (privileged containers, host namespaces, missing resource limits, and so on), and returns a risk score per object together with the critical rules that failed and the advisory rules it recommends you satisfy.

There is a common phrase in the DevSecOps world, "shifting security to the left", which means catching security problems at the earliest possible stage of the development cycle. For Kubernetes that means reviewing your YAML files and enforcing standards before they are deployed to the cluster, ideally right after you write them and before anyone runs kubectl apply. Kubesec fits here because it is a static analysis tool: it reads the resource YAML and checks it against its rules, so the policy check runs locally or in CI without touching a cluster.

Kubesec analyzes your resource YAML file and returns a score (higher is better; critical findings subtract points, hardening settings add them) along with details of any critical issue found and a list of advisory improvements.

Installation

  • Kubesec can be installed as a standalone binary, a container image, an admission controller, or a kubectl plugin.

To download kubesec for your platform, follow the links at https://github.com/controlplaneio/kubesec#download-kubesec

Using Kubesec

  • Pass the pod.yaml below to kubesec scan.
  • As the output shows, kubesec assigns a score of -30, with the critical reason "Privileged containers can allow almost completely unrestricted host access".
  • Fix the YAML by removing the securityContext block or setting privileged: false.
  • Run kubesec scan again. This time the score is 0 and the message reports that the manifest passed. Note that a score of 0 only means no critical rule fired; the advise section still lists hardening recommendations (running as non-root, a read-only root filesystem, resource limits, dropped capabilities) that each add points when you apply them.
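As an added illustration (this is not the original pod.yaml from the post, which is not reproduced here), the following two manifests show the weak setting and its fix as described above. The pod name, namespace and image are assumptions; the selector quoted in the comment is the kubesec rule that fires.

```yaml
# Added example, not the post's own manifest. Pod name, namespace and image are assumed.
# Scan with:  kubesec scan pod-privileged.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
  namespace: default
spec:
  containers:
    - name: app
      image: nginx:1.25
      securityContext:
        # Trips the critical rule "containers[] .securityContext .privileged == true" (-30 points)
        privileged: true
---
# The fix from the text: set privileged to false (or delete the securityContext block entirely).
# Scan with:  kubesec scan pod-fixed.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
  namespace: default
spec:
  containers:
    - name: app
      image: nginx:1.25
      securityContext:
        privileged: false
```

Save each document to its own file and scan them separately to reproduce the -30 and 0 results. To move the second manifest above 0, address the advise items kubesec prints for it, for example runAsNonRoot: true, readOnlyRootFilesystem: true, capabilities drop ALL, and CPU/memory requests and limits.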

Other ways to run kubesec are:

Docker Container

HTTP Server

  • Then you can POST the manifest to the server with curl and read the same JSON report back.
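As an added example (not code from this post or from the kubesec project), here is a small CI gate that turns the manual workflow above into an automated check. It obtains the JSON report either by invoking the kubesec binary (kubesec scan FILE) or by POSTing the raw manifest to a running kubesec http 8080 server, exactly as the curl command does, and then fails the build on any critical finding, on a score below a threshold, or on a manifest kubesec could not parse. The two sample reports embedded in the script are constructed to match the shape of kubesec's output for the privileged pod and its fix; the object names and the advise entry are assumptions, the score and the critical selector/reason are the ones kubesec's privileged rule produces.

```python
#!/usr/bin/env python3
"""Gate a Kubernetes manifest on its kubesec report (added example, not kubesec's own code)."""
import json
import subprocess
import sys
import urllib.request

# Constructed sample reports in the shape kubesec v2 emits. The -30 score and the
# critical selector/reason match the privileged-container rule; the object name
# and the advise entry are assumptions made for this example.
SAMPLE_PRIVILEGED = json.loads("""[{
  "object": "Pod/kubesec-demo.default", "valid": true,
  "message": "Failed with a score of -30 points", "score": -30,
  "scoring": {
    "critical": [{
      "selector": "containers[] .securityContext .privileged == true",
      "reason": "Privileged containers can allow almost completely unrestricted host access",
      "points": -30}],
    "advise": [{
      "selector": "containers[] .securityContext .runAsNonRoot == true",
      "reason": "Force the running image to run as a non-root user to ensure least privilege",
      "points": 1}]}}]""")

SAMPLE_FIXED = json.loads("""[{
  "object": "Pod/kubesec-demo.default", "valid": true,
  "message": "Passed with a score of 0 points", "score": 0,
  "scoring": {
    "advise": [{
      "selector": "containers[] .securityContext .runAsNonRoot == true",
      "reason": "Force the running image to run as a non-root user to ensure least privilege",
      "points": 1}]}}]""")


def scan_with_cli(manifest_path, binary="kubesec"):
    """Run `kubesec scan <file>` and parse the JSON report it writes to stdout."""
    proc = subprocess.run([binary, "scan", manifest_path],
                          capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"kubesec produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def scan_with_http(manifest_path, url="http://localhost:8080/scan"):
    """POST the raw manifest to a `kubesec http 8080` server, the same request as
    `curl -sSX POST --data-binary @pod.yaml http://localhost:8080/scan`."""
    with open(manifest_path, "rb") as fh:
        body = fh.read()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def evaluate(report, min_score=0):
    """Decide pass/fail for every object in a kubesec report.

    Fails on an object kubesec could not parse (valid == false), on any critical
    finding regardless of the total score, and on a score below min_score.
    Advise items are informational and never fail the gate.
    """
    failures = []
    for obj in report:
        name = obj.get("object", "<unknown>")
        if not obj.get("valid", False):
            failures.append(f"{name}: not scanned: {obj.get('message', '')}")
            continue
        scoring = obj.get("scoring", {})
        for crit in scoring.get("critical", []):
            failures.append(f"{name}: critical {crit.get('selector')}: {crit.get('reason')}")
        if obj.get("score", 0) < min_score:
            failures.append(f"{name}: score {obj.get('score')} below minimum {min_score}")
    return {"ok": not failures, "failures": failures}


def main(argv):
    if len(argv) < 2:
        print("usage: gate.py <manifest.yaml> [--http URL] [--min-score N]", file=sys.stderr)
        return 2
    path = argv[1]
    url = argv[argv.index("--http") + 1] if "--http" in argv else None
    min_score = int(argv[argv.index("--min-score") + 1]) if "--min-score" in argv else 0
    report = scan_with_http(path, url) if url else scan_with_cli(path)
    result = evaluate(report, min_score)
    for line in result["failures"]:
        print("FAIL", line)
    print("OK" if result["ok"] else "BLOCKED", [o.get("message") for o in report])
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 gate.py pod.yaml in a pipeline step, or python3 gate.py pod.yaml --http http://localhost:8080/scan against a server started with kubesec http 8080. The gate deliberately checks the critical list and not just the numeric score: a manifest that collects enough hardening points could otherwise mask a single critical finding, so the two conditions are evaluated independently.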

Conclusion

As you can see, kubesec is an easy-to-use yet powerful tool for catching security issues and enforcing standards in your manifests before they reach the cluster, whether you run it by hand, in CI, or as an admission controller.

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified, 4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP