K8s Plugins For Solid Security

Shubham - Oct 25 - Dev Community

Kubernetes simplifies building and deploying apps via containerization, but securing your pods and containers is a different challenge.

Kubernetes gives every pod its own IP address, but by default the pod network is flat: any pod can talk to any other pod unless a NetworkPolicy (enforced by a CNI plugin that supports it) says otherwise. Securing a cluster therefore takes more than the defaults: network policies, RBAC for users and service accounts, namespace-scoped access policies, pod security settings, and so on.

However, many open-source tools and plugins can help manage these issues.

Let's explore some of the most useful ones:


1. Kube-bench (⭐: 6,977 +)
Kube-bench checks whether the Kubernetes components on a node (API server, controller manager, scheduler, etcd, kubelet) are configured the way the CIS Kubernetes Benchmark recommends. Each check is reported as PASS, FAIL, WARN or INFO together with the benchmark's remediation text, so what it finds is insecure configuration, not vulnerable software or risky workloads.

  • Tests are defined in YAML, so they can be updated as the benchmark and Kubernetes evolve.

  • kube-bench detects the node's Kubernetes version and selects the matching benchmark automatically.

  • It has to run on the node it audits (it reads config files and process arguments), so it is usually deployed as a Job or DaemonSet; on managed services where the control plane is not reachable, only the node checks apply.
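kube-bench only reports; deciding what blocks a rollout is up to you. The script below is an added example (not part of this post and not kube-bench's own code) that turns a `kube-bench run --json` report into a pass/fail gate: scored FAILs block, WARNs block only when asked, and check ids that were reviewed and accepted can be allowlisted. The embedded report is a constructed sample; the field names follow the layout of kube-bench's JSON output, which is an assumption about the report shape, and the values are made up.

```python
import json
import sys

# Constructed sample in the shape of a `kube-bench run --json` report. The field names
# (Controls, tests, results, test_number, status, scored, remediation, Totals) follow
# kube-bench's JSON output (assumed layout); the values are made up for this example.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "4", "version": "cis-1.6", "node_type": "node",
        "text": "Worker Node Security Configuration",
        "tests": [{
            "section": "4.2", "desc": "Kubelet",
            "results": [
                {"test_number": "4.2.1", "status": "FAIL", "scored": True,
                 "test_desc": "Ensure that the --anonymous-auth argument is set to false (Automated)",
                 "remediation": "Set authentication.anonymous.enabled to false in the kubelet config file."},
                {"test_number": "4.2.2", "status": "PASS", "scored": True,
                 "test_desc": "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)",
                 "remediation": ""},
                {"test_number": "4.2.9", "status": "WARN", "scored": False,
                 "test_desc": "Ensure that the --event-qps argument is set to a level that captures events (Manual)",
                 "remediation": "Review the kubelet eventRecordQPS setting."},
            ],
        }],
    }],
    "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0},
})


def parse_report(text):
    """Flatten a kube-bench JSON report into one dict per individual check."""
    rows = []
    for control in json.loads(text).get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                rows.append({
                    "id": r["test_number"], "status": r["status"],
                    "scored": r.get("scored", True), "desc": r["test_desc"],
                    "remediation": r.get("remediation", ""),
                    "node_type": control.get("node_type", ""), "section": test.get("section", ""),
                })
    return rows


def failing_checks(rows, fail_on_warn=False, allowlist=frozenset()):
    """Checks that should block a pipeline: scored FAILs, plus WARNs if requested,
    minus check ids that were reviewed and explicitly accepted."""
    def blocks(r):
        if r["id"] in allowlist:
            return False
        if r["status"] == "FAIL" and r["scored"]:
            return True
        return fail_on_warn and r["status"] == "WARN"
    return [r for r in rows if blocks(r)]


def gate(text, fail_on_warn=False, allowlist=frozenset()):
    """Return (exit_code, report_lines). Exit code 1 means unaccepted findings remain."""
    bad = failing_checks(parse_report(text), fail_on_warn, allowlist)
    lines = [f"[{r['status']}] {r['id']} {r['desc']}\n    remediation: {r['remediation'].strip()}"
             for r in bad]
    totals = json.loads(text).get("Totals", {})
    lines.append("pass={} fail={} warn={} blocking={}".format(
        totals.get("total_pass"), totals.get("total_fail"), totals.get("total_warn"), len(bad)))
    return (1 if bad else 0), lines


if __name__ == "__main__":
    # Usage: kube-bench run --json > report.json && python3 gate.py report.json [--fail-on-warn]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    source = open(args[0]).read() if args else SAMPLE_REPORT
    code, out = gate(source, fail_on_warn="--fail-on-warn" in sys.argv)
    print("\n".join(out))
    sys.exit(code)
```

Run the real thing on every node (the kube-bench repository ships Job manifests for that), collect the JSON, and feed it to the gate; keep the allowlist in version control so every accepted finding has a reviewer and a reason next to it.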

2. Stern (⭐: 3,265 +)
Stern tails the logs of many pods and containers at once, colour-coding each pod and container so that interleaved output from several replicas is readable while you debug.

  • Selects pods with a regular expression on the pod name or a resource/name reference, so you never need exact pod names.

  • Tails every container in each matched pod by default; the container flag narrows that with a regex.

  • Drops pods as they are deleted and picks up new ones as they are created, so the stream follows a rollout or a crash loop.

3. Kube-score (⭐: 2,750 +)
Kube-score performs static analysis of Kubernetes object definitions (manifest files, or live objects piped in from kubectl) and checks them against reliability and security best practices before they reach a cluster.

  • Evaluates Deployments, StatefulSets, Services, Ingresses, NetworkPolicies and other core resources for misconfigurations such as missing resource limits, containers that run as root or with a writable root filesystem, and images tagged :latest.

  • Checks labels and selectors, resource requests and limits, probes, security context and other key settings.

  • Grades each check OK, WARNING or CRITICAL and can exit non-zero on warnings, so it slots into CI as a gate.
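To make concrete what a manifest scanner of this kind looks for, here is an added example (not kube-score's own code and not from this post) that reimplements a subset of the security-related checks kube-score applies to a Deployment's pod template, with a constructed weak manifest beside its hardened form. The check messages and severities are my own labels, not kube-score's test ids, and the manifests are made up.

```python
import copy

# Constructed Deployment manifests for this example. WEAK_DEPLOYMENT carries the defects a
# manifest scanner should flag; HARDENED_DEPLOYMENT is the corrected pod template.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "api"}},
             "template": {"metadata": {"labels": {"app": "api"}},
                          "spec": {"hostNetwork": True,
                                   "containers": [{"name": "api",
                                                   "image": "registry.example/api:latest",
                                                   "securityContext": {"privileged": True}}]}}},
}

HARDENED_DEPLOYMENT = copy.deepcopy(WEAK_DEPLOYMENT)
HARDENED_DEPLOYMENT["spec"]["template"]["spec"] = {
    "containers": [{
        "name": "api", "image": "registry.example/api:1.4.2",      # pinned tag, no :latest
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"privileged": False, "runAsNonRoot": True, "runAsUser": 10001,
                            "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False},
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
    }],
}


def _image_tag(image):
    """Tag part of an image reference ('' when absent); a digest counts as pinned."""
    last = image.rsplit("/", 1)[-1]          # strip registry:port and path first
    if "@" in last:
        return "digest"
    return last.split(":", 1)[1] if ":" in last else ""


def check_deployment(manifest):
    """Static checks over a Deployment's pod template; returns [(severity, message), ...]."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag):
            findings.append(("CRITICAL", f"pod sets {flag}: true"))
    for c in pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        tag = _image_tag(c.get("image", ""))
        if tag in ("", "latest"):
            findings.append(("CRITICAL", f"{name}: image tag is '{tag or 'missing'}', pin a version or digest"))
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for unit in ("cpu", "memory"):
                if unit not in res.get(kind, {}):
                    findings.append(("WARNING", f"{name}: missing resources.{kind}.{unit}"))
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("CRITICAL", f"{name}: runs privileged"))
        # container-level settings override pod-level ones, so fall back to the pod securityContext
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
        if not non_root and uid == 0:
            findings.append(("CRITICAL", f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("WARNING", f"{name}: root filesystem is writable"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("WARNING", f"{name}: allowPrivilegeEscalation is not set to false"))
        if "readinessProbe" not in c:
            findings.append(("WARNING", f"{name}: no readinessProbe"))
    return findings


def grade(findings):
    """Overall verdict the way a CI gate would use it: CRITICAL beats WARNING beats OK."""
    severities = {s for s, _ in findings}
    return "CRITICAL" if "CRITICAL" in severities else "WARNING" if "WARNING" in severities else "OK"


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        found = check_deployment(manifest)
        print(f"{label}: {grade(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

With the real tool the equivalent gate is `kube-score score deployment.yaml --output-format ci --exit-one-on-warning`; the point of the reimplementation is to show why each setting matters, not to replace kube-score's far larger check set.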

4. KubiScan (⭐: 1,313 +)
KubiScan scans a cluster's RBAC configuration for risky permissions: Roles and ClusterRoles that grant dangerous capabilities (wildcard access, reading secrets, exec into pods, impersonation, privilege escalation, creating pods) and the bindings, subjects and pods through which those permissions can be reached.

  • Identify risky Pods/Containers (pods whose service account is bound to a risky role, so compromising the pod yields those permissions)
  • Identify risky Roles/ClusterRoles
  • Identify risky RoleBindings/ClusterRoleBindings
  • Identify risky Subjects (Users, Groups and ServiceAccounts)
  • Dump service account tokens from pods (all, or per namespace)
  • CVE scan of the cluster's Kubernetes version

5. Rakkess (⭐: 1,300 +)
Rakkess (installed through krew as kubectl access-matrix) shows an access matrix for the resources the API server knows about: for the current identity, or one impersonated with --as, which verbs (list, create, update, delete, and so on) it may perform on each resource type, or, for a single resource, which subjects can act on it.

  • Shows who can access which Kubernetes resources and with which verbs.
  • Audits RBAC for users, groups and service accounts in one matrix view, which is much faster than reading through bindings by hand.
  • Runs from any kubeconfig context, so it can be scripted into periodic RBAC audits.
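Both KubiScan and rakkess reduce to the same computation: resolve bindings to roles, expand the rules into what each subject can do and where, then either flag the dangerous grants or lay the result out as a matrix. The block below is an added example (my own code, not KubiScan's or rakkess's) that does that over a constructed set of RBAC objects, honouring the two rules people most often get wrong: a RoleBinding that references a ClusterRole only grants it inside its own namespace, and "*" in a rule matches any resource or verb. The risky-pattern labels are mine and only approximate what KubiScan's risky-role checks look for; the roles, bindings and subject names are invented.

```python
from collections import defaultdict

# Constructed RBAC objects as plain dicts mirroring the fields of ClusterRole, Role,
# ClusterRoleBinding and RoleBinding. Names and bindings are invented for this example.
ROLES = [
    {"kind": "ClusterRole", "name": "cluster-admin",
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "name": "secret-reader",
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "name": "deployer", "namespace": "prod",
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "name": "log-viewer", "namespace": "prod",
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "ci-is-admin",
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]},
    {"kind": "RoleBinding", "name": "alice-secrets", "namespace": "prod",
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "name": "deployer", "namespace": "prod",
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "prod"}]},
    {"kind": "RoleBinding", "name": "bob-logs", "namespace": "prod",
     "roleRef": {"kind": "Role", "name": "log-viewer"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]


def _has(rule, resource):
    return "*" in rule["resources"] or resource in rule["resources"]

def _verb(rule, *verbs):
    return "*" in rule["verbs"] or any(v in rule["verbs"] for v in verbs)

# Rule patterns treated as risky. The labels are mine and approximate the kinds of grants
# KubiScan's risky-role checks look for (wildcards, secrets, exec, impersonation, escalation, pod creation).
RISKY_PATTERNS = [
    ("cluster-wide wildcard", lambda r: "*" in r["resources"] and "*" in r["verbs"]),
    ("read secrets", lambda r: _has(r, "secrets") and _verb(r, "get", "list", "watch")),
    ("exec into pods", lambda r: _has(r, "pods/exec") and _verb(r, "create")),
    ("impersonate", lambda r: _verb(r, "impersonate")),
    ("escalate/bind roles", lambda r: _verb(r, "escalate", "bind")),
    ("create pods", lambda r: _has(r, "pods") and _verb(r, "create")),
]


def risky_rules(role):
    """Risky-pattern labels matched by any rule of a Role or ClusterRole."""
    return sorted({label for rule in role["rules"] for label, pred in RISKY_PATTERNS if pred(rule)})


def subject_key(s):
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount:{s['namespace']}:{s['name']}"
    return f"{s['kind']}:{s['name']}"


def _resolve(roles, binding):
    """Find the role a binding points at; Roles are namespaced, ClusterRoles are not."""
    ref = binding["roleRef"]
    ns = None if ref["kind"] == "ClusterRole" else binding["namespace"]
    return next((r for r in roles if (r["kind"], r.get("namespace"), r["name"]) == (ref["kind"], ns, ref["name"])), None)


def effective_permissions(roles, bindings):
    """Map each subject to its set of (namespace, resource, verb); namespace "*" means cluster-wide.
    A RoleBinding that references a ClusterRole grants it only inside the binding's namespace."""
    perms = defaultdict(set)
    for b in bindings:
        role = _resolve(roles, b)
        if role is None:
            continue  # a dangling roleRef grants nothing
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["namespace"]
        for rule in role["rules"]:
            for res in rule["resources"]:
                for verb in rule["verbs"]:
                    for s in b["subjects"]:
                        perms[subject_key(s)].add((scope, res, verb))
    return perms


def can(perms, subject, verb, resource, namespace):
    """Authorizer-style decision honouring namespace scope and "*" wildcards."""
    return any(ns in ("*", namespace) and res in ("*", resource) and v in ("*", verb)
               for ns, res, v in perms.get(subject, ()))


def access_matrix(perms, resources, verbs, namespace):
    """rakkess-style matrix: for each subject, the verbs it holds on each resource in a namespace."""
    return {subj: {res: [v for v in verbs if can(perms, subj, v, res, namespace)] for res in resources}
            for subj in sorted(perms)}


def risky_subjects(roles, bindings):
    """Subjects bound to a role that matches a risky pattern, with the reasons (KubiScan's risky subjects)."""
    out = defaultdict(set)
    for b in bindings:
        role = _resolve(roles, b)
        if role:
            for s in b["subjects"]:
                out[subject_key(s)].update(risky_rules(role))
    return {k: sorted(v) for k, v in out.items() if v}


if __name__ == "__main__":
    perms = effective_permissions(ROLES, BINDINGS)
    for subj, row in access_matrix(perms, ["pods", "pods/exec", "secrets"], ["get", "create"], "prod").items():
        print(subj, row)
    print(risky_subjects(ROLES, BINDINGS))
```

Against a live cluster the same questions are answered by `kubectl access-matrix -n prod --as system:serviceaccount:prod:deployer` (what can this service account do here?) and `kubectl access-matrix resource secrets -n prod` (who can touch secrets here?); the example's value is showing the namespace-scoping and wildcard rules those tools apply so their output is read correctly.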

Remember, we are only as strong as the weakest link.
