Kubestriker: A security auditing tool for Kubernetes clusters
Kubestriker is an open-source, platform-agnostic tool for identifying security misconfigurations in Kubernetes clusters.
It checks a range of services and open ports exposed by the Kubernetes platform, helps safeguard clusters by continuously scanning, monitoring and alerting on anomalies, lets users inspect the components of the Kubernetes infrastructure, and visualizes attack paths, showing how an attacker could advance by chaining misconfigured components in the cluster.
“Kubernetes has become a popular open-source platform for containerized workflows and a key building block for modern technology infrastructure. According to Gartner, by 2025 more than 85% of global organizations will be running containerized applications in production. This widespread popularity and lack of solid security measures in place have made Kubernetes the perfect target for attackers,” Kubestriker’s creator Vasant Chinnipilli, a security architect and DevSecOps practitioner, told Help Net Security.
“Creating and maintaining a secure Kubernetes native infrastructure is not easy, as it involves addressing the security challenges associated with numerous moving pieces in the cluster and mitigating the risk of any potential attacks. As a result, Kubestriker was born to manage and overcome these issues in the most efficient and user-friendly way.”
He released the first version of the tool in December 2020 and has made strong progress since. Kubestriker currently:
- Scans self-managed and cloud provider-managed (Amazon EKS, Azure AKS, Google GKE) Kubernetes infrastructure
- Performs reconnaissance-phase checks against exposed services and open ports
- Performs automated enumeration to discover misconfigured services
- Can conduct both authenticated scans and unauthenticated scans
- Scans for a wide range of IAM misconfigurations in the cluster
- Detects a broad range of misconfigured containers, pod security policies and network policies
- Identifies subjects (users, groups and service accounts) that hold excessive privileges in the cluster
- Runs commands on the containers and streams back the output
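The "excessive privileges of subjects" check above is the kind of RBAC review an auditor would want to reproduce independently. The following is an added example (not Kubestriker's own code, and not taken from the original article) that walks ClusterRole and ClusterRoleBinding objects in the JSON shape `kubectl get clusterroles,clusterrolebindings -o json` returns and flags subjects bound to wildcard rules, to verbs that allow reading secrets or executing into pods, or via broad principals such as `system:unauthenticated`. The sample objects are constructed for the example; the `RISKY` table and the `BROAD_PRINCIPALS` set are the author's own choices, not a standard.

```python
"""Flag RBAC subjects with excessive privileges (added example, not Kubestriker code)."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample data, mirroring the shape of `kubectl get ... -o json` items.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "view-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"metadata": {"name": "secrets-for-devs"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "exec-anon"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view-only"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

# (resource, verb) pairs that let a subject read credentials or pivot; author's own list.
RISKY: Dict[Tuple[str, str], str] = {
    ("secrets", "get"): "can read secrets",
    ("secrets", "list"): "can list secrets",
    ("pods/exec", "create"): "can exec into pods",
    ("pods", "create"): "can create pods (host mounts, privileged containers)",
    ("clusterrolebindings", "create"): "can bind any ClusterRole to itself",
}
# Principals that mean "everyone" or "anyone"; any grant to them is a finding.
BROAD_PRINCIPALS = {"system:unauthenticated", "system:anonymous", "system:authenticated"}


def _pairs(rule: dict) -> Iterable[Tuple[str, str]]:
    """Expand one PolicyRule into its (resource, verb) combinations."""
    for resource in rule.get("resources", []):
        for verb in rule.get("verbs", []):
            yield resource, verb


def _format_subject(subject: dict) -> str:
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}:{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def find_excessive(roles: List[dict], bindings: List[dict]) -> List[dict]:
    """Return one finding per (binding, subject) that grants risky or wildcard access."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for binding in bindings:
        role = by_name.get(binding["roleRef"]["name"])
        if role is None:  # a dangling roleRef grants nothing
            continue
        role_reasons = set()
        for rule in role.get("rules", []):
            for resource, verb in _pairs(rule):
                if resource == "*" or verb == "*":
                    role_reasons.add("wildcard resource or verb (cluster-admin equivalent)")
                elif (resource, verb) in RISKY:
                    role_reasons.add(RISKY[(resource, verb)])
        for subject in binding.get("subjects", []):
            reasons = set(role_reasons)
            if subject["name"] in BROAD_PRINCIPALS:
                reasons.add(f"bound to broad principal {subject['name']}")
            if reasons:
                findings.append({"binding": binding["metadata"]["name"],
                                 "subject": _format_subject(subject),
                                 "role": role["metadata"]["name"],
                                 "reasons": sorted(reasons)})
    return findings


def flagged_bindings(findings: List[dict]) -> List[str]:
    return sorted({f["binding"] for f in findings})


if __name__ == "__main__":
    for f in find_excessive(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"{f['binding']}: {f['subject']} via {f['role']} -> {'; '.join(f['reasons'])}")
```

To run it against a real cluster, replace the two constructed lists with the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`. Namespaced Role and RoleBinding objects have the same shape and can be fed through `find_excessive` as well, although a RoleBinding that references a ClusterRole only grants that role within its namespace, which this example does not distinguish.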
“In addition, Kubestriker also has capability for CI/CD integration with DevOps pipeline tools such as Jenkins, Azure pipelines and Bamboo. This allows for continuous scanning of the infrastructure to identify any misconfigurations prior to deployment into sandbox/production environments,” he added.
“The tool also allows DevOps professionals to understand the root cause of any breaches, so they don’t have to reach out to the security team for guidance, and automatically generates a report with detailed findings that can also be used by auditors and architects to ensure DevOps are complying with compliance standards and aligning with the business strategy.”
Limitations and upcoming features
He continues to add new functionality and has bigger plans for the tool. He is currently working on:
- Extending the scanning capabilities to include scanning of container registry for vulnerabilities in images stored on AWS ECR, Azure Container Registry, Google Container Registry, Docker Hub, Docker Self-Hosted Private Registry, Quay, Harbor, Gitlab and JFrog registries
- Incorporating ready-to-use integration with notification channels and ticketing tools such as Slack, PagerDuty, HTTP endpoint, Jira, Splunk, ELK, Sumo Logic and Amazon S3
- Strengthening monitoring functionality by adding scanning of container images as part of existing CI/CD pipelines like CircleCI, Jenkins, BuildKite, Azure Pipelines and GitLab
- The inclusion of continuous scanning, monitoring, and alerting of security anomalies that occur inside the cluster
The security of Kubestriker's own application code has yet to be reviewed, so he strongly advises users to restrict access to it and not to expose it publicly, whether on the internet or broadly within the organization. Because the tool can run authenticated scans and execute commands inside containers, the credentials it holds deserve the same protection as a cluster-admin kubeconfig. He promises this shortcoming will be addressed soon.
“Since its release, Kubestriker has been accessed more than 10,000 times and I have received feedback from many industry professionals worldwide. I am grateful to our cybersecurity community for the continuous support and guidance, particularly those who have shared their feedback and suggestions for improvement,” he added.
“Innovation needs collaboration, so while the Kubestriker community of adopters and contributors is growing steadily, I hope to continue the expansion of its use by collaborating with more users and getting more contributors on board.”
For those interested in seeing it in action, Vasant Chinnipilli will present and demo Kubestriker at Black Hat Asia 2021 Arsenal on May 6.