Kubernetes Security Checklist 2021

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • rbac-tool

    Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

    Role-Based Access Control (RBAC) should be configured for the Kubernetes cluster. Rights should be granted per project namespace, following least privilege and separation of duties; rbac-tool can visualize, analyze and query the resulting roles and bindings (rbac-tool)

  • KubiScan

    A tool to scan Kubernetes cluster for risky permissions

    RBAC Rights should be audited regularly (KubiScan, Krane)

  • krane

    Kubernetes RBAC static analysis & visualisation tool

    RBAC Rights should be audited regularly (KubiScan, Krane)

  • Kyverno

    Kubernetes Native Policy Management

    Use Policy engine (OPA, Kyverno)

  • sealed-secrets

    A Kubernetes controller and tool for one-way encrypted Secrets

    Secrets should be passed to the container through a volumeMount or a secretKeyRef rather than written into the manifest or baked into the image. To keep secrets out of source code (for example, manifests committed to Git), a tool such as sealed-secrets can be used: the Secret is encrypted with the cluster's public key and only the in-cluster controller can decrypt it.

  • falco

    Cloud Native Runtime Security

    Use a third-party runtime security monitoring tool on all cluster nodes (Falco, Sysdig, Aqua Enterprise, NeuVector, Prisma Cloud Compute)

  • documentation

    Kata Containers version 1.x documentation (for version 2.x see https://github.com/kata-containers/kata-containers). (by kata-containers)

    For services with increased security requirements, it is recommended to use a low-level runtime with a higher degree of isolation (gVisor, Kata Containers runtime)

  • lynis

    Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

    It is recommended to regularly scan installed packages and system configuration for vulnerabilities (OpenSCAP profiles, Lynis)

  • kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

    Cluster Configuration should be audited regularly (Kube-bench, Kube-hunter, Kubestriker)

  • kube-hunter

    Hunt for security weaknesses in Kubernetes clusters

    Cluster Configuration should be audited regularly (Kube-bench, Kube-hunter, Kubestriker)

  • scope

    Monitoring, visualisation & management for Docker & Kubernetes

    Build observability and visibility processes in order to understand what is happening in the infrastructure and services (Luntry, Weave Scope)

  • cvehound

    Check linux sources dump for known CVEs.

    It is recommended to regularly update the OS kernel version (CVEhound can check a kernel source tree for known CVEs)

  • inspektor-gadget

    Introspecting and debugging Kubernetes applications using eBPF "gadgets"

    All namespaces should have a NetworkPolicy. Interactions between namespaces should be limited by NetworkPolicy following the least-privilege principle (Inspektor Gadget can derive a policy from observed traffic)

  • udica

    This repository contains a tool for generating SELinux security profiles for containers

    The application should have a seccomp, AppArmor or SELinux profile following the principle of least privilege (Udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  • oci-seccomp-bpf-hook

    OCI hook to trace syscalls and generate a seccomp profile

    The application should have a seccomp, AppArmor or SELinux profile following the principle of least privilege (Udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  • go2seccomp

    Generate seccomp profiles from go binaries

    The application should have a seccomp, AppArmor or SELinux profile following the principle of least privilege (Udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  • security-profiles-operator

    The Kubernetes Security Profiles Operator

    The application should have a seccomp, AppArmor or SELinux profile following the principle of least privilege (Udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  • kubeaudit

    kubeaudit helps you audit your Kubernetes clusters against common security controls

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • kubescape

    Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • conftest

    Write tests against structured configuration data using the Open Policy Agent Rego query language

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • kubesec

    Security risk analysis for Kubernetes resources

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    Versions of installed packages should be pinned explicitly. SBOM tools (Syft) can be used to enumerate the packages actually present in an image.

  • hadolint

    Dockerfile linter, validate inline bash, written in Haskell

    Dockerfile should be checked during development by automated scanners (Kics, Hadolint, Conftest)

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • clair

    Vulnerability Static Analysis for Containers

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • grype

    A vulnerability scanner for container images and filesystems

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • slsa

    Supply-chain Levels for Software Artifacts

    Build CI and CD pipelines securely, treating them as part of the software supply chain (SLSA)
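
The manifest below is added here as a worked example; it is not from the original post or from any of the listed projects. It applies the RBAC, NetworkPolicy, secrets and seccomp items of the checklist to a single namespace. The namespace `payments`, the ServiceAccount `api` (assumed to already exist), the Secrets `api-db` and `api-tls`, the labels, the ingress-controller namespace `ingress-nginx` and the image name are illustrative; the `kubernetes.io/metadata.name` namespace label assumes Kubernetes 1.22 or later, and the `k8s-app: kube-dns` label assumes a standard CoreDNS deployment.

```yaml
# Added example: a hardened baseline for one namespace. Names, labels and the
# image are illustrative; the ServiceAccount "api" is assumed to exist.
---
# Least-privilege RBAC: a namespaced Role that can only read pods, bound to a
# single ServiceAccount rather than to a group or to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-pod-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: api
    namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
# Default deny: isolates every pod in the namespace for ingress and egress;
# traffic is then opened selectively by narrower policies such as the next one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow-list for the api pods: ingress only from the ingress controller's
# namespace, egress only to cluster DNS (otherwise name resolution breaks).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: ingress-nginx}
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
# Workload: secrets reach the container via secretKeyRef and a read-only
# volumeMount, never as literals; runtime seccomp profile, non-root, read-only
# root filesystem, all capabilities dropped.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels: {app: api}
spec:
  serviceAccountName: api
  automountServiceAccountToken: false   # the app does not talk to the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault   # or Localhost + localhostProfile for a generated profile
  containers:
    - name: api
      image: registry.example.com/payments/api:1.4.2   # pin a version, ideally a digest
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: api-db, key: password}
      volumeMounts:
        - name: tls
          mountPath: /etc/api/tls
          readOnly: true
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities: {drop: ["ALL"]}
  volumes:
    - name: tls
      secret: {secretName: api-tls}
```

Apply it with `kubectl apply -f` and verify the RBAC half with `kubectl auth can-i list pods --as=system:serviceaccount:payments:api -n payments` (expected: yes) and `kubectl auth can-i delete pods --as=system:serviceaccount:payments:api -n payments` (expected: no). The default-deny policy only takes effect if the CNI plugin enforces NetworkPolicy; a cluster whose CNI ignores it will accept the object and silently allow everything.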

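The policy below is an added example of the "use a policy engine" item, written for Kyverno; it is not from the original post or from the Kyverno project. It enforces two of the workload items above on every Pod: a seccomp profile must be set, and containers must run as non-root. The policy name and messages are illustrative.

```yaml
# Added example: a Kyverno ClusterPolicy enforcing two checklist items on
# every Pod. Run with validationFailureAction: audit first to see what would
# be blocked, then switch to enforce.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-hardened-pods
spec:
  validationFailureAction: enforce
  background: true
  rules:
    # Rule 1: a seccomp profile must be set at pod level, and no container
    # may override it with anything other than RuntimeDefault or Localhost.
    # "=(field)" is Kyverno's conditional anchor: the constraint applies only
    # when the field is present, so the pod-level setting is the mandatory one.
    - name: require-seccomp-profile
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: >-
          Pods must set spec.securityContext.seccompProfile.type to
          RuntimeDefault or Localhost; containers may not override it.
        pattern:
          spec:
            securityContext:
              seccompProfile:
                type: "RuntimeDefault | Localhost"
            =(initContainers):
              - =(securityContext):
                  =(seccompProfile):
                    type: "RuntimeDefault | Localhost"
            containers:
              - =(securityContext):
                  =(seccompProfile):
                    type: "RuntimeDefault | Localhost"
    # Rule 2: containers must run as non-root, either through a pod-level
    # runAsNonRoot that no container overrides, or set on every container.
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Running as root is not allowed; set runAsNonRoot: true."
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
```

The Kyverno CLI can evaluate the policy offline against a manifest before it is installed in the cluster (`kyverno apply policy.yaml --resource pod.yaml`), which is a convenient way to add it to the same CI stage that runs the workload scanners listed above. Note that validation only applies to Pods created after the policy is installed; `background: true` additionally reports existing violations as PolicyReports without evicting anything.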