Giter Site home page Giter Site logo

hecg119 / kube-beacon Goto Github PK

View Code? Open in Web Editor NEW

This project forked from chen-keinan/kube-beacon

0.0 0.0 0.0 19.42 MB

Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification

License: Apache License 2.0

Go 93.79% Makefile 2.07% Shell 3.71% Dockerfile 0.43%

kube-beacon's Introduction

Go Report Card License Build Status Coverage Status Gitter
kube-beacon logo

Kube-Beacon Project

Scan your kubernetes runtime !!

Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.

The audit tests are the full implementation of CIS Kubernetes Benchmark specification

Audit checks are performed on master and worker nodes and the output audit report include :

  • root cause of the security issue
  • proposed remediation for security issue

kubernetes cluster audit scan output:

k8s audit

Installation

git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make install
  • Note: kube-beacon require root user to be executed

Quick Start

Execute kube-eacon without any flags , execute all tests

 ./kube-beacon

Execute kube-beacon with flags , execute test on demand

Usage: kube-Beacon [--version] [--help] <command> [<args>]

Available commands are:
  -r , --report :  run audit tests and generate failure report
  -i , --include: execute only specific audit test,   example -i=1.2.3,1.4.5
  -e , --exclude, ignore specific audit tests,  example -e=1.2.3,1.4.5
  -n , --node,    execute audit tests on specific node,   example -n=master,-n=worker
  -s , --spec,    execute specific audit tests spec,   example -s=gke, default=k8s
  -v , --version, execute specific audit tests spec version,    example -v=1.1.0,default=1.6.0

Execute tests and generate failure tests report

./kube-beacon -r

Kube-beacon as Docker

Execute kube beacon via docker

docker run --pid=host  -v /etc:/etc:ro -v /var:/var:ro -v /*/cni/*:/*/cni/* -v $HOME/.kube:/root/.kube:ro -v $(which kubectl):/usr/bin/kubectl -t kbeacon.jfrog.io/docker-local/kube-beacon

Kube-beacon as pod in k8s

  • Execute kube beacon as a pod in k8s cluster

  • Add cluster role binding with role=cluster-admin

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

cd jobs
  • simple k8s cluster run following job
kubectl apply -f k8s.yaml
  • gke cluster run the following jon
kubectl apply -f gke.yaml
  • Check k8s pod status
kubectl get pods --all-namespaces

NAMESPACE     NAME                                                        READY   STATUS      RESTARTS   AGE
default       kube-beacon-sc8g9                                           0/1     Completed   0          111s
kube-system   event-exporter-gke-8489df9489-skcvv                         2/2     Running     0          7m24s
kube-system   fluentd-gke-7d5sl                                           2/2     Running     0          7m6s
kube-system   fluentd-gke-f6q5d                                           2/2     Running     0          6m59s
  • Check k8s pod audit output
kubectl logs kube-beacon-sc8g9
  • cleanup (remove role and delete pod)
kubectl delete clusterrolebinding default-admin

kubectl delete -f k8s.yaml

Next steps

  • Add support for Amazon EKS scanning
  • Post scan hooks

kube-beacon's People

Contributors

chen-keinan avatar dkeler avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.