Kubernetes Security Checklist 2021

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • rbac-tool

    Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

    Role-Based Access Control (RBAC) should be configured for the Kubernetes cluster. Rights need to be assigned within the project namespace based on least privilege and separation of duties (RBAC-tool)

  • KubiScan

    A tool to scan Kubernetes cluster for risky permissions

    RBAC Rights should be audited regularly (KubiScan, Krane)

  • krane

    Kubernetes RBAC static Analysis & visualisation tool

    RBAC Rights should be audited regularly (KubiScan, Krane)

  • Kyverno

    Kubernetes Native Policy Management

    Use Policy engine (OPA, Kyverno)

  • sealed-secrets

    A Kubernetes controller and tool for one-way encrypted Secrets

    Secrets should be added to the container using the volumeMount mechanism or the secretKeyRef mechanism. To keep secrets out of source code, a tool such as sealed-secrets can be used.

  • falco

    Cloud Native Runtime Security

    Use a third-party security monitoring tool on all cluster nodes (Falco, Sysdig, Aqua Enterprise, NeuVector, Prisma Cloud Compute)

  • documentation

    Kata Containers version 1.x documentation (for version 2.x see https://github.com/kata-containers/kata-containers). (by kata-containers)

    For services with increased security requirements, it is recommended to use a low-level runtime with a high degree of isolation (gVisor, Kata-runtime)

  • lynis

    Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

    It is recommended to regularly scan packages and configuration for vulnerabilities (OpenSCAP profiles, Lynis)

  • kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

    Cluster configuration should be audited regularly (Kube-bench, Kube-hunter, Kubestriker)

  • kube-hunter

    Hunt for security weaknesses in Kubernetes clusters

    Cluster configuration should be audited regularly (Kube-bench, Kube-hunter, Kubestriker)

  • scope

    Monitoring, visualisation & management for Docker & Kubernetes

    Build observability and visibility processes in order to understand what is happening in infrastructure and services (Luntry, WaveScope)

  • cvehound

    Check linux sources dump for known CVEs.

    It is recommended to regularly update the OS kernel version (CVEhound)

  • inspektor-gadget

    Collection of gadgets for debugging and introspecting Kubernetes applications using BPF

    All namespaces should have a NetworkPolicy. Interactions between namespaces should be limited by NetworkPolicy following the principle of least privilege (Inspektor Gadget)

  • udica

    This repository contains a tool for generating SELinux security profiles for containers

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (Udica, Oci-seccomp-bpf-hook, Go2seccomp, Security Profiles Operator)

  • oci-seccomp-bpf-hook

    OCI hook to trace syscalls and generate a seccomp profile

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (Udica, Oci-seccomp-bpf-hook, Go2seccomp, Security Profiles Operator)

  • go2seccomp

    Generate seccomp profiles from go binaries

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (Udica, Oci-seccomp-bpf-hook, Go2seccomp, Security Profiles Operator)

  • security-profiles-operator

    The Kubernetes Security Profiles Operator

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (Udica, Oci-seccomp-bpf-hook, Go2seccomp, Security Profiles Operator)

  • kubeaudit

    kubeaudit helps you audit your Kubernetes clusters against common security controls

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • kubescape

    Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer and image vulnerabilities scanning.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • conftest

    Write tests against structured configuration data using the Open Policy Agent Rego query language

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • kubesec

    Security risk analysis for Kubernetes resources

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • checkov

    Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    The versions of installed packages should be pinned explicitly. SBOM-building tools (Syft) can be used to determine the list of packages.

  • hadolint

    Dockerfile linter, validate inline bash, written in Haskell

    Dockerfiles should be checked during development by automated scanners (Kics, Hadolint, Conftest)

  • trivy

    Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • clair

    Vulnerability Static Analysis for Containers

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • grype

    A vulnerability scanner for container images and filesystems

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  • slsa

    Supply-chain Levels for Software Artifacts

    Build a secure CI and CD pipeline as part of the supply chain process (SLSA)
