Skip to content

Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification

License

Notifications You must be signed in to change notification settings

chen-keinan/kube-beacon

Repository files navigation

Go Report Card License Build Status Coverage Status Gitter
kube-beacon logo

Kube-Beacon Project

Scan your kubernetes runtime !!

Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.

The audit tests are the full implementation of CIS Kubernetes Benchmark specification

NEW !! audit result now can be leveraged as webhook via user plugin(using go plugin)

Audit checks are performed on master and worker nodes and the output audit report include :

  • root cause of the security issue
  • proposed remediation for security issue

kubernetes cluster audit scan output:

k8s audit

Installation

git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
  • Note: kube-beacon require root user to be executed

Quick Start

Execute kube-eacon without any flags , execute all tests

 ./kube-beacon 

Execute kube-beacon with flags , execute test on demand

Usage: kube-Beacon [--version] [--help] <command> [<args>]

Available commands are:
  -r , --report :  run audit tests and generate failure report
  -i , --include: execute only specific audit test,   example -i=1.2.3,1.4.5
  -e , --exclude: ignore specific audit tests,  example -e=1.2.3,1.4.5
  -n , --node:    execute audit tests on specific node,   example -n=master,-n=worker
  -s , --spec:    execute specific audit tests spec,   example -s=gke, default=k8s
  -v , --version:  execute specific audit tests spec version,    example -v=1.1.0,default=1.6.0

Execute tests and generate failure tests report

./kube-beacon -r

Kube-beacon as pod in k8s

  • Execute kube beacon as a pod in k8s cluster

  • Add cluster role binding with role=cluster-admin

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
cd jobs
  • simple k8s cluster run following job
kubectl apply -f k8s.yaml
  • gke cluster run the following job
kubectl apply -f gke.yaml
  • Check k8s pod status
kubectl get pods --all-namespaces

NAMESPACE     NAME                                                        READY   STATUS      RESTARTS   AGE
default       kube-beacon-sc8g9                                           0/1     Completed   0          111s
kube-system   event-exporter-gke-8489df9489-skcvv                         2/2     Running     0          7m24s
kube-system   fluentd-gke-7d5sl                                           2/2     Running     0          7m6s
kube-system   fluentd-gke-f6q5d                                           2/2     Running     0          6m59s
  • Check k8s pod audit output
kubectl logs kube-beacon-sc8g9 
  • cleanup (remove role and delete pod)
kubectl delete clusterrolebinding default-admin
kubectl delete -f k8s.yaml

User Plugin Usage

The Kube-Beacon expose hook for user plugins Example :

  • K8sBenchAuditResultHook - this hook accepts audit benchmark results as found by audit report
Compile user plugin
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
Copy plugin to folder (.beacon folder is created on the 1st startup)
cp /<plugin folder>/bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so

Note: Plugin and binary must compile with the same linux env

Next steps

  • Add support for Amazon EKS scanning