octarinesec / kube-scan


kube-scan: Octarine k8s cluster risk assessment tool

Home Page: https://www.octarinesec.com/

License: MIT License

Dockerfile 0.32% Shell 0.15% JavaScript 18.74% CSS 19.50% TypeScript 9.93% Go 51.35%
k8s security-tools security-scanner security-audit security devops devsecops kubernetes cloud-native security-scanners

kube-scan's Introduction

Kube-Scan

Try our free Kubernetes risk assessment tool today.
Run it on any cluster at any time. No data leaves your cluster. We do not collect any information.
For more information on Octarine see https://www.octarinesec.com.

Get the risk score of your workloads

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System.

KCCSS is similar to the Common Vulnerability Scoring System (CVSS), the industry standard for rating vulnerabilities, but it focuses on the configurations and security settings themselves. Vulnerabilities are always detrimental, but configuration settings can be insecure, neutral, or critical for protection or remediation. KCCSS scores both risks and remediations as separate rules, and lets users calculate a risk for every runtime setting of a workload and then calculate the total risk of the workload.

Please note that kube-scan currently scans the cluster when it starts and re-scans it every 24 hours. If you want an up-to-date risk score (e.g. after installing a new app), restart the kube-scan pod or trigger a refresh through the API described below.

Quickstart

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml
kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80

Then set your browser to http://localhost:8080.

Using a load-balancer service

  • This method assumes you are using a cloud provider that provides load balancers.

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan-lb.yaml

Then get the load-balancer address with

kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..ip}

or

kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..hostname}

depending on the load-balancer type.

Then set your browser to that address.

Using the API

If you applied kube-scan to your cluster with the load-balancer service, "HOST" refers to the external IP of the service.

If you used port-forward, "HOST" refers to "localhost:8080".

Getting all of the risks in your cluster:

GET http://HOST/api/risks

Asking the kube-scan service to recalculate the risks (e.g. after a resource was changed):

POST http://HOST/api/refresh

This can be a long operation, depending on the cluster size, so you can poll the status of the refresh operation:

GET http://HOST/api/refreshing_status
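A pipeline gate over these three endpoints, as an added example (not code from the kube-scan project): it triggers a refresh, polls refreshing_status until the re-scan finishes, then fails if any workload scores above a threshold. The JSON shapes of the responses are assumptions, since the README does not document them; make_fake_fetch and SAMPLE_RISKS are constructed stand-ins for a live server.

```python
"""CI gate over the kube-scan endpoints listed above. Added example, not part
of the kube-scan repository: the paths come from the README, but the JSON
shapes of /api/refreshing_status and /api/risks are ASSUMPTIONS (the README
does not document them); adjust refresh_in_progress() and workload_scores()."""
import json
import time
import urllib.request

def http_json(method, url, fetch=None):
    """Decoded JSON body of method/url; `fetch(method, url)` lets tests and
    dry runs substitute canned responses for real HTTP calls."""
    if fetch is not None:
        return fetch(method, url)
    req = urllib.request.Request(url, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

def refresh_in_progress(status):
    # ASSUMPTION: /api/refreshing_status answers {"refreshing": true|false}.
    return bool(status.get("refreshing", False))

def workload_scores(risks):
    # ASSUMPTION: /api/risks answers a list of workloads, each with
    # namespace, kind, name and a 0-10 KCCSS score.
    return [(w["namespace"], w["kind"], w["name"], float(w["score"])) for w in risks]

def over_threshold(risks, threshold, namespace=None):
    """Workloads scoring strictly above `threshold`, highest first; `namespace`
    narrows the check to one namespace (e.g. the one a CI build deployed to)."""
    hits = [w for w in workload_scores(risks)
            if w[3] > threshold and (namespace is None or w[0] == namespace)]
    return sorted(hits, key=lambda w: w[3], reverse=True)

def gate(host, threshold, namespace=None, fetch=None, sleep=time.sleep, max_polls=120):
    """Trigger a re-scan, poll until it finishes (the README warns this can be
    slow on large clusters), then return the workloads that fail the gate."""
    base = f"http://{host}/api"
    http_json("POST", f"{base}/refresh", fetch)
    for _ in range(max_polls):
        if not refresh_in_progress(http_json("GET", f"{base}/refreshing_status", fetch)):
            break
        sleep(5)
    else:
        raise TimeoutError("kube-scan refresh did not finish in time")
    return over_threshold(http_json("GET", f"{base}/risks", fetch), threshold, namespace)

# Constructed sample data standing in for a live cluster (not real output).
SAMPLE_RISKS = [
    {"namespace": "default", "kind": "Deployment", "name": "api-gateway", "score": 8.2},
    {"namespace": "default", "kind": "Deployment", "name": "worker", "score": 3.1},
    {"namespace": "kube-system", "kind": "DaemonSet", "name": "kube-proxy", "score": 5.7},
]

def make_fake_fetch(risks, busy_polls, calls=None):
    """Canned server: answers 'refreshing' for `busy_polls` status checks, then
    idle; records every (method, url) in `calls` when a list is given."""
    state = {"busy": busy_polls}
    def fetch(method, url):
        if calls is not None:
            calls.append((method, url))
        if url.endswith("/api/refreshing_status"):
            state["busy"] -= 1
            return {"refreshing": state["busy"] >= 0}
        return risks if url.endswith("/api/risks") else {}
    return fetch
```

Against a real deployment call gate("localhost:8080", 7.0) with no fetch argument and exit non-zero when the returned list is not empty.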

Building from source code

Build the server image (from root folder)

cd server
docker build -t SERVER_TAG_NAME .
docker push SERVER_TAG_NAME

Build the client image (from root folder)

cd client
docker build -t CLIENT_TAG_NAME .
docker push CLIENT_TAG_NAME

Set the kube-scan container images in the desired YAML (from the root folder): the kube-scan container uses SERVER_TAG_NAME and the kube-scan-ui container uses CLIENT_TAG_NAME.

Apply the desired YAML and follow the "Quickstart" or "Using a load-balancer service" instructions.

Uninstall

kubectl delete -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml

In case of using a load-balancer:

kubectl delete -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan-lb.yaml

Screenshots

Risk score

Risk details

kube-scan's People

Contributors

andreigec, benrub, edodekel, juliensobrier, meori, mikiberd, ramakuka-octarine, razomessi, thehh1974


kube-scan's Issues

Blacklist / Whitelist namespaces

As not everybody has the permission to scan all namespaces, a list to either blacklist e.g. system namespaces or just whitelist special namespaces would be really helpful.

octarine UI not accessible on a different path when using ingress rewrite path

Hi Team

I tried setting up nginx ingress and exposing the octarine UI on a different path. However, the UI is not loading properly.
Am I doing something wrong?
It works fine if I don't specify a path.

My ingress definition:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: octarine-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: localhost
    http:
      paths:
      - path: /octarine
        backend:
          serviceName: kube-scan-ui
          servicePort: 80

Unable to Pull image

The pod keeps crashing saying ImagePullBackOff. On describing, it says the image might be on a private docker registry or unavailable. Additionally, the kube scan images are not available on the docker registry. How can one go about this?

API/CLI available?

Hi!

I was wondering if there is an API or CLI available? This would make this tool truly awesome (it is already very cool) because then we could use it in our CD pipelines, i.e. (with kube-scan stuff marked with **** ):

->build my stack
->deploy my stack into k8s
->**** trigger kube-scan via api somehow, with a 'query', i.e. ?k8namespace='build_579'&workload='myNewWorkload'
->**** collect kube-scan results, and fail or pass depending on...?

->mark build as red or green,

Many thanks!

Paul

Add helm chart

There is no helm chart/helm directory created for this project. I suggest the creation of a helm directory that will easily enable users to install this project through helm commands.

I have taken the liberty of converting this to a helm chart already and testing it out on our development cluster. It works well. I'm more than willing to share this.

In addition, I've added some customizations and added an ingress, to further control access to the ui. No need to port forward. :)

Failed to pull image

Type     Reason     Age  From               Message
----     ------     ---  ----               -------
Normal   Scheduled  12s  default-scheduler  Successfully assigned kube-scan/kube-scan-7b48858f5c-r8qh2 to minikube-m03
Normal   Pulling    12s  kubelet            Pulling image "octarinesec/kubescan-scanner-ui:20.5"
Warning  Failed     9s   kubelet            Failed to pull image "octarinesec/kubescan-scanner-ui:20.5": rpc error: code = Unknown desc = Error response from daemon: pull access denied for octarinesec/kubescan-scanner-ui, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Warning  Failed     9s   kubelet            Error: ErrImagePull
Normal   Pulling    9s   kubelet            Pulling image "octarinesec/kubescan-scanner:20.5"
Warning  Failed     6s   kubelet            Failed to pull image "octarinesec/kubescan-scanner:20.5": rpc error: code = Unknown desc = Error response from daemon: pull access denied for octarinesec/kubescan-scanner, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Warning  Failed     6s   kubelet            Error: ErrImagePull
Normal   BackOff    5s   kubelet            Back-off pulling image "octarinesec/kubescan-scanner-ui:20.5"
Warning  Failed     5s   kubelet            Error: ImagePullBackOff
Normal   BackOff    5s   kubelet            Back-off pulling image "octarinesec/kubescan-scanner:20.5"
Warning  Failed     5s   kubelet            Error: ImagePullBackOff

[Bug/Help Wanted] Kube-Scan not working in Minikube.

I have deployed Minikube on my Ubuntu 20.04. I tried installing the Kube-scan UI via:

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml
kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80

When I navigate to http://localhost:8080 I get a 404 error.

I did try forwarding it to port 8008 and got the same 404 error.

Kubescan shows wrong risks in multi-container Pods

Hi,
We have a set of microservices deployed, and in each microservice pod we inject a linkerd proxy container alongside the application container for service mesh reasons.

Somehow, for all pods that have the injected linkerd container, kubescan shows wrong risk results.
When manually un-injecting the linkerd container from the pod, kubescan then shows the correct risks.

Client build failed on ARM64

Hi,

It seems that the client can't be successfully built on arm64

Sending build context to Docker daemon  1.214MB
Step 1/16 : FROM node:12.16.2-alpine AS build
 ---> 88c5c4733931
Step 2/16 : WORKDIR /app
 ---> Using cache
 ---> bd689303d0cf
Step 3/16 : COPY package.json .
 ---> Using cache
 ---> df87d9a247b5
Step 4/16 : COPY yarn.lock .
 ---> Using cache
 ---> d46ec77a6f33
Step 5/16 : RUN yarn
 ---> Running in 0114717313b1
yarn install v1.22.4
[1/4] Resolving packages...
warning Resolution field "[email protected]" is incompatible with requested version "acorn@^5.5.3"
[2/4] Fetching packages...
info [email protected]: The platform "linux" is incompatible with this module.
info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation.
info [email protected]: The platform "linux" is incompatible with this module.
info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
warning " > @octarine/[email protected]" has incorrect peer dependency "[email protected]".
warning " > @octarine/[email protected]" has incorrect peer dependency "[email protected]".
warning " > [email protected]" has unmet peer dependency "webpack@^4.0.0".
warning " > [email protected]" has unmet peer dependency "history@^2.0.0 || ^3.0.0".
warning " > [email protected]" has incorrect peer dependency "react@^0.14.0 || ^15.0.0".
warning " > [email protected]" has incorrect peer dependency "react-dom@^0.14.0 || ^15.0.0".
warning "razzle-plugin-scss > [email protected]" has unmet peer dependency "webpack@^3.0.0 || ^4.0.0".
[4/4] Building fresh packages...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error /app/node_modules/node-sass: Command failed.
Exit code: 1
Command: node scripts/build.js
Arguments: 
Directory: /app/node_modules/node-sass
Output:
Building: /usr/local/bin/node /app/node_modules/node-gyp/bin/node-gyp.js rebuild --verbose --libsass_ext= --libsass_cflags= --libsass_ldflags= --libsass_library=
gyp info it worked if it ends with ok
gyp verb cli [
gyp verb cli   '/usr/local/bin/node',
gyp verb cli   '/app/node_modules/node-gyp/bin/node-gyp.js',
gyp verb cli   'rebuild',
gyp verb cli   '--verbose',
gyp verb cli   '--libsass_ext=',
gyp verb cli   '--libsass_cflags=',
gyp verb cli   '--libsass_ldflags=',
gyp verb cli   '--libsass_library='
gyp verb cli ]
gyp info using [email protected]
gyp info using [email protected] | linux | arm64
gyp verb command rebuild []
gyp verb command clean []
gyp verb clean removing "build" directory
gyp verb command configure []
gyp verb check python checking for Python executable "python2" in the PATH
gyp verb `which` failed Error: not found: python2
gyp verb `which` failed     at getNotFoundError (/app/node_modules/which/which.js:13:12)
gyp verb `which` failed     at F (/app/node_modules/which/which.js:68:19)
gyp verb `which` failed     at E (/app/node_modules/which/which.js:80:29)
gyp verb `which` failed     at /app/node_modules/which/which.js:89:16
gyp verb `which` failed     at /app/node_modules/isexe/index.js:42:5
gyp verb `which` failed     at /app/node_modules/isexe/mode.js:8:5
gyp verb `which` failed     at FSReqCallback.oncomplete (fs.js:167:21)
gyp verb `which` failed  python2 Error: not found: python2
gyp verb `which` failed     at getNotFoundError (/app/node_modules/which/which.js:13:12)
gyp verb `which` failed     at F (/app/node_modules/which/which.js:68:19)
gyp verb `which` failed     at E (/app/node_modules/which/which.js:80:29)
gyp verb `which` failed     at /app/node_modules/which/which.js:89:16
gyp verb `which` failed     at /app/node_modules/isexe/index.js:42:5
gyp verb `which` failed     at /app/node_modules/isexe/mode.js:8:5
gyp verb `which` failed     at FSReqCallback.oncomplete (fs.js:167:21) {
gyp verb `which` failed   stack: 'Error: not found: python2\n' +
gyp verb `which` failed     '    at getNotFoundError (/app/node_modules/which/which.js:13:12)\n' +
gyp verb `which` failed     '    at F (/app/node_modules/which/which.js:68:19)\n' +
gyp verb `which` failed     '    at E (/app/node_modules/which/which.js:80:29)\n' +
gyp verb `which` failed     '    at /app/node_modules/which/which.js:89:16\n' +
gyp verb `which` failed     '    at /app/node_modules/isexe/index.js:42:5\n' +
gyp verb `which` failed     '    at /app/node_modules/isexe/mode.js:8:5\n' +
gyp verb `which` failed     '    at FSReqCallback.oncomplete (fs.js:167:21)',
gyp verb `which` failed   code: 'ENOENT'
gyp verb `which` failed }
gyp verb check python checking for Python executable "python" in the PATH
gyp verb `which` failed Error: not found: python
gyp verb `which` failed     at getNotFoundError (/app/node_modules/which/which.js:13:12)
gyp verb `which` failed     at F (/app/node_modules/which/which.js:68:19)
gyp verb `which` failed     at E (/app/node_modules/which/which.js:80:29)
gyp verb `which` failed     at /app/node_modules/which/which.js:89:16
gyp verb `which` failed     at /app/node_modules/isexe/index.js:42:5
gyp verb `which` failed     at /app/node_modules/isexe/mode.js:8:5
gyp verb `which` failed     at FSReqCallback.oncomplete (fs.js:167:21)
gyp verb `which` failed  python Error: not found: python
gyp verb `which` failed     at getNotFoundError (/app/node_modules/which/which.js:13:12)
gyp verb `which` failed     at F (/app/node_modules/which/which.js:68:19)
gyp verb `which` failed     at E (/app/node_modules/which/which.js:80:29)
gyp verb `which` failed     at /app/node_modules/which/which.js:89:16
gyp verb `which` failed     at /app/node_modules/isexe/index.js:42:5
gyp verb `which` failed     at /app/node_modules/isexe/mode.js:8:5
gyp verb `which` failed     at FSReqCallback.oncomplete (fs.js:167:21) {
gyp verb `which` failed   stack: 'Error: not found: python\n' +
gyp verb `which` failed     '    at getNotFoundError (/app/node_modules/which/which.js:13:12)\n' +
gyp verb `which` failed     '    at F (/app/node_modules/which/which.js:68:19)\n' +
gyp verb `which` failed     '    at E (/app/node_modules/which/which.js:80:29)\n' +
gyp verb `which` failed     '    at /app/node_modules/which/which.js:89:16\n' +
gyp verb `which` failed     '    at /app/node_modules/isexe/index.js:42:5\n' +
gyp verb `which` failed     '    at /app/node_modules/isexe/mode.js:8:5\n' +
gyp verb `which` failed     '    at FSReqCallback.oncomplete (fs.js:167:21)',
gyp verb `which` failed   code: 'ENOENT'
gyp verb `which` failed }
gyp ERR! configure error 
gyp ERR! stack Error: Can't find Python executable "python", you can set the PYTHON env variable.
gyp ERR! stack     at PythonFinder.failNoPython (/app/node_modules/node-gyp/lib/configure.js:484:19)
gyp ERR! stack     at PythonFinder.<anonymous> (/app/node_modules/node-gyp/lib/configure.js:406:16)
gyp ERR! stack     at F (/app/node_modules/which/which.js:68:16)
gyp ERR! stack     at E (/app/node_modules/which/which.js:80:29)
gyp ERR! stack     at /app/node_modules/which/which.js:89:16
gyp ERR! stack     at /app/node_modules/isexe/index.js:42:5
gyp ERR! stack     at /app/node_modules/isexe/mode.js:8:5
gyp ERR! stack     at FSReqCallback.oncomplete (fs.js:167:21)
gyp ERR! System Linux 5.3.0-1032-aws
gyp ERR! command "/usr/local/bin/node" "/app/node_modules/node-gyp/bin/node-gyp.js" "rebuild" "--verbose" "--libsass_ext=" "--libsass_cflags=" "--libsass_ldflags=" "--libsass_library="
gyp ERR! cwd /app/node_modules/node-sass
gyp ERR! node -v v12.16.2
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok 
Build failed with error code: 1
The command '/bin/sh -c yarn' returned a non-zero code: 1

Any advice?

API to scan workload configurations before they are deployed

It is my understanding that kube-scan can only scan workloads that are already running in the cluster it is deployed in.

If kube-scan was able to scan workload configurations that are uploaded to it as YAML or JSON, it would open up a new set of possible use cases around preventing vulnerable workloads from ever reaching a cluster.

For example, an admission controller could use kube-scan to look for issues with incoming workloads and reject the workload if there is an issue with a score greater than a configurable threshold.

Another case would be a CI pipeline - the CI pipeline could send manifests to kube-scan before they are deployed and fail the deployment before it even reaches the cluster if there is an issue with a score greater than a certain threshold.

Similarly, a kubectl and/or Helm plugin could send manifests to kube-scan for checking before applying them, aborting the deployment if there is an issue with a score greater than a certain threshold.

I appreciate that there are some issues that could not be detected via this mechanism, where the wider cluster configuration/other resources are used to make a decision about a workload. However I think there are enough issues where detection is just based on the pod spec that this would still be useful.

Add license file

Not sure what the license is on this, validator, or the rules associated with kccss. Would be nice to have some clarity here (hopefully MIT!).

PodSecurityPolicy injected defaults are not considered for zero-replica workloads

In addition to restricting the privileges pods can request, PodSecurityPolicies can inject default settings into pods as they're created. For example, a PodSecurityPolicy with runAsUser: {rule 'MustRunAsNonRoot'} will actually add runAsNonRoot: true to a Pod's spec at admission time if nothing limiting the user is already present.

In our cluster, most of our deployments are authorized by a shared PodSecurityPolicy with very restrictive defaults. It enables seccomp, drops capabilities, prohibits running as root, disables privilege escalation, disables most volume types, and so on. When we ran kube-scan on a test cluster, we were surprised to see that many of our deployments had triggered rules that should have been prevented by this PodSecurityPolicy.

For our Deployments with zero replicas, we get false positives for these rules:

  • AllowPrivilegeEscalation
  • runningAsRoot
  • CapNetRaw

We also don't see the seccomp mitigation, even though this is added by our PodSecurityPolicy.

To correctly evaluate these rules with no replicas, it's necessary to enumerate the PodSecurityPolicies that the relevant ServiceAccount has access to, and check whether any of those permit the offending behavior.

This is possibly a separate bug, but even for our deployments with non-zero replicas, we get false positives on the runningAsRoot rule. For every pod in the Deployment, I manually confirmed that every container and initContainer has securityContext: {runAsNonRoot: true} (as enforced by the PodSecurityPolicy), but the rule still fires. Other injected defaults like AllowPrivilegeEscalation and seccomp seem to be correctly detected in this case.

Let me know if you need any more information!
