반응형
Notice
Recent Posts
Recent Comments
Link
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | 26 | 27 | 28 |
29 | 30 | 31 |
Tags
- CI/CD
- kubernetes operator
- mlops
- Continuous Deployment
- CANARY
- opensearch
- argocd
- blue/green
- Model Serving
- tekton
- Kubeflow
- Argo
- gitops
- keda
- Kopf
- knative
- seldon core
- Pulumi
- xdp
- MLflow
- 카오스 엔지니어링
- eBPF
- Litmus
- nginx ingress
- 오퍼레이터
- Kubernetes
- Kubernetes 인증
- operator
- serving
- opentelemetry
Archives
- Today
- Total
Kubernetes 이야기
Kubescape 본문
반응형
Kubescape는 위험 분석, 보안 규정 준수, RBAC 시각화 도우미 및 이미지 취약성 스캔을 포함하여 다중 클라우드 K8의 단일 창을 제공하는 K8의 오픈 소스 도구이다.
Kubescape는 K8s 클러스터, YAML 파일 및 HELM 차트를 스캔하여 여러 프레임워크(예: NSA-CISA , MITRE ATT&CK®), CI/CD 파이프라인 초기 단계의 소프트웨어 취약성 및 RBAC(역할 기반 액세스 제어) 위반은 위험 점수를 즉시 계산하고 시간 경과에 따른 위험 추세를 보여준다.
Kubescape는 Jenkins, CircleCI, Github 워크플로, Prometheus 및 Slack을 비롯한 다른 DevOps 도구와 기본적으로 통합되며 EKS, GKE 및 AKS와 같은 다중 클라우드 K8 배포를 지원한다.
설치
# curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Installing Kubescape...
######################################################################## 100.0%
Finished Installation.
Your current version is: v2.0.166
Usage: $ kubescape scan --submit --enable-host-scan --verbose
스캔
# kubescape scan --exclude-namespaces kube-system,kube-public --verbose
[info] ARMO security scanner starting
[warning] Kubernetes cluster nodes scanning is disabled. This is required to collect valuable data for certain controls. You can enable it using the --enable-host-scan flag
[info] Downloading/Loading policy definitions
[success] Downloaded/Loaded policy
[info] Accessing Kubernetes objects
◐[warning] failed to collect image vulnerabilities. error: credentials are not configured for any registry adaptor
[success] Accessed to Kubernetes objects
[info] Scanning. Cluster: kubernetes-admin@kubernetes
[success] Done scanning. Cluster: kubernetes-admin@kubernetes
################################################################################
ApiVersion:
Kind: ServiceAccount
Name: event-tracker-sa
Namespace: litmus
Controls: 10 (Failed: 2, Excluded: 0)
+----------+--------------------------------+------------------------------------+-----------------------------------------+
| SEVERITY | CONTROL NAME | DOCS | ASSISTANT REMEDIATION |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
| High | List Kubernetes secrets | https://hub.armosec.io/docs/c-0015 | relatedObjects[1].rules[2].resources[5] |
| | | | relatedObjects[1].rules[2].verbs[0] |
| | | | relatedObjects[1].rules[2].verbs[1] |
| | | | relatedObjects[1].rules[2].verbs[2] |
| | | | relatedObjects[1].rules[2].apiGroups[0] |
| | | | relatedObjects[0].subjects[0] |
| | | | relatedObjects[0].roleRef.name |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
| Medium | Access container service | https://hub.armosec.io/docs/c-0053 | |
| | account | | |
+----------+--------------------------------+------------------------------------+-----------------------------------------+
...
최종 결과
Controls: 54 (Failed: 39, Excluded: 0, Skipped: 5)
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| SEVERITY | CONTROL NAME | FAILED RESOURCES | EXCLUDED RESOURCES | ALL RESOURCES | % RISK-SCORE |
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| Critical | Data Destruction | 35 | 0 | 93 | 38% |
| Critical | Disable anonymous access to Kubelet service | 0 | 0 | 0 | skipped* |
| Critical | Enforce Kubelet client TLS authentication | 0 | 0 | 0 | skipped* |
| Critical | Malicious admission controller (mutating) | 1 | 0 | 1 | 100% |
| High | Applications credentials in configuration files | 7 | 0 | 64 | 11% |
| High | CVE-2022-23648-containerd-fs-escape | 0 | 0 | 3 | 0% |
| High | Cluster-admin binding | 2 | 0 | 93 | 2%
...
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
| | RESOURCE SUMMARY | 143 | 0 | 263 | 23.40% |
+----------+-----------------------------------------------------------------------+------------------+--------------------+---------------+--------------+
FRAMEWORKS: MITRE (risk: 17.94), AllControls (risk: 23.40), ArmoBest (risk: 22.27), DevOpsBest (risk: 24.63), NSA (risk: 24.75)
* enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor
** failed to pull image scanning data: credentials are not configured for any registry adaptor. for more information: https://hub.armosec.io/docs/configuration-of-image-vulnerabilities
반응형
'Kubernetes > 보안' 카테고리의 다른 글
Kubernetes scan 도구 - popeye (0) | 2022.05.15 |
---|---|
Network Policy (0) | 2022.05.08 |
Falco로 Kubernetes 위협 탐지 모니터링 (3) | 2022.04.28 |
Kubernetes 에서 Vault 활용 (0) | 2022.03.14 |
Kubernetes에서 Secret 암호화 (0) | 2022.03.13 |
Comments