Kubernetes Stories

Kubescape

kmaster 2022. 5. 1. 00:43

Kubescape is an open-source tool for K8s that provides a single pane of glass across multi-cloud K8s clusters, including risk analysis, security compliance, an RBAC visualizer and image vulnerability scanning.

Kubescape scans K8s clusters, YAML files and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®), software vulnerabilities in the early stages of the CI/CD pipeline, and RBAC (role-based access control) violations; it calculates risk scores instantly and shows risk trends over time.

Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI, GitHub workflows, Prometheus and Slack, and supports multi-cloud K8s deployments such as EKS, GKE and AKS.

Installation

# curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Installing Kubescape...

######################################################################## 100.0%

Finished Installation.

Your current version is: v2.0.166

Usage: $ kubescape scan --submit --enable-host-scan --verbose


Scan

# kubescape scan --exclude-namespaces kube-system,kube-public --verbose
[info] ARMO security scanner starting
[warning] Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using  the --enable-host-scan flag
[info] Downloading/Loading policy definitions
[success] Downloaded/Loaded policy
[info] Accessing Kubernetes objects
◐[warning] failed to collect image vulnerabilities. error: credentials are not configured for any registry adaptor
[success] Accessed to Kubernetes objects
[info] Scanning. Cluster: kubernetes-admin@kubernetes
[success] Done scanning. Cluster: kubernetes-admin@kubernetes

################################################################################
ApiVersion:
Kind: ServiceAccount
Name: event-tracker-sa
Namespace: litmus

Controls: 10 (Failed: 2, Excluded: 0)

+----------+--------------------------------+------------------------------------+-----------------------------------------+
| SEVERITY |          CONTROL NAME          |                DOCS                |          ASSISTANT REMEDIATION          |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
| High     | List Kubernetes secrets        | https://hub.armosec.io/docs/c-0015 | relatedObjects[1].rules[2].resources[5] |
|          |                                |                                    | relatedObjects[1].rules[2].verbs[0]     |
|          |                                |                                    | relatedObjects[1].rules[2].verbs[1]     |
|          |                                |                                    | relatedObjects[1].rules[2].verbs[2]     |
|          |                                |                                    | relatedObjects[1].rules[2].apiGroups[0] |
|          |                                |                                    | relatedObjects[0].subjects[0]           |
|          |                                |                                    | relatedObjects[0].roleRef.name          |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
| Medium   | Access container service       | https://hub.armosec.io/docs/c-0053 |                                         |
|          | account                        |                                    |                                         |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
...
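As an added example (not part of the original post and not Kubescape's own code), the following Python mirrors what the "List Kubernetes secrets" control (c-0015) flags on the ServiceAccount above: a Role rule in the core API group that grants get/list/watch on secrets, reached through a binding. The Role and RoleBinding below are constructed, with assumed names, and shaped so that the paths it reports match the report's remediation column (rules[2].resources[5], verbs[0..2], apiGroups[0]); it is assumed that relatedObjects[0] is the binding and relatedObjects[1] the role.

```python
SECRET_VERBS = {"get", "list", "watch"}  # verbs that read Secret contents

# Constructed sample (not from the scanned cluster): the RoleBinding for
# event-tracker-sa and the Role it references. Both names are assumptions.
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "event-tracker-rb", "namespace": "litmus"},
    "subjects": [{"kind": "ServiceAccount", "name": "event-tracker-sa", "namespace": "litmus"}],
    "roleRef": {"kind": "Role", "name": "event-tracker-role"},
}
ROLE = {
    "kind": "Role",
    "metadata": {"name": "event-tracker-role", "namespace": "litmus"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "delete"]},
        {"apiGroups": [""],  # core group: this is where Secrets live
         "resources": ["pods", "events", "configmaps", "services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch", "create"]},
    ],
}

def secret_exposures(role):
    """Return report-style paths for every rule element granting read access to Secrets."""
    paths = []
    for ri, rule in enumerate(role.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        grp = next((g for g in ("", "*") if g in groups), None)        # core group or wildcard
        res = next((r for r in ("secrets", "*") if r in resources), None)
        if grp is None or res is None:
            continue  # this rule cannot reach Secrets
        paths.append(f"rules[{ri}].resources[{resources.index(res)}]")
        paths += [f"rules[{ri}].verbs[{vi}]" for vi, v in enumerate(rule.get("verbs", []))
                  if v in SECRET_VERBS or v == "*"]  # 'create' etc. are not flagged
        paths.append(f"rules[{ri}].apiGroups[{groups.index(grp)}]")
    return paths

def subjects_with_secret_access(binding, role):
    """Subjects of `binding` that inherit Secret read access through `role`."""
    if binding["roleRef"]["name"] != role["metadata"]["name"] or not secret_exposures(role):
        return []
    return [f'{s["kind"]}/{s["name"]}' for s in binding["subjects"]]

def remediate(role):
    """Copy of `role` with 'secrets' dropped from every rule; wildcard rules are left for review."""
    rules = [{**r, "resources": [x for x in r.get("resources", []) if x != "secrets"]}
             for r in role["rules"]]
    return {**role, "rules": rules}
```

Running `secret_exposures(ROLE)` yields the same five paths the report lists for relatedObjects[1], and `secret_exposures(remediate(ROLE))` is empty, which is the state a re-scan should confirm.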

Final results

Controls: 54 (Failed: 39, Excluded: 0, Skipped: 5)

+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY |                             CONTROL NAME                              | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| Critical | Data Destruction                                                      |        35        |         0          |      93       |     38%      |
| Critical | Disable anonymous access to Kubelet service                           |        0         |         0          |       0       |   skipped*   |
| Critical | Enforce Kubelet client TLS authentication                             |        0         |         0          |       0       |   skipped*   |
| Critical | Malicious admission controller (mutating)                             |        1         |         0          |       1       |     100%     |
| High     | Applications credentials in configuration files                       |        7         |         0          |      64       |     11%      |
| High     | CVE-2022-23648-containerd-fs-escape                                   |        0         |         0          |       3       |      0%      |
| High     | Cluster-admin binding                                                 |        2         |         0          |      93       |      2%    
...

+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
|          |                           RESOURCE SUMMARY                            |       143        |         0          |      263      |    23.40%    |
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORKS: MITRE (risk: 17.94), AllControls (risk: 23.40), ArmoBest (risk: 22.27), DevOpsBest (risk: 24.63), NSA (risk: 24.75)

* enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor
** failed to pull image scanning data: credentials are not configured for any registry adaptor. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities
