kubernetes-security

Open-source projects categorized as kubernetes-security

Top 19 kubernetes-security Open-Source Projects

  • kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

  • Project mention: Cloud Security and Resilience: DevSecOps Tools and Practices | dev.to | 2024-05-01

    2. Kubebench: https://github.com/aquasecurity/kube-bench Kubebench is an open-source tool that checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.

  • kubernetes-learning-path

    A roadmap to learn Kubernetes from scratch (Beginner to Advanced level)

  • kubernetes-goat

    Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀

  • CDK

    📦 Make security testing of K8s, Docker, and Containerd easier.

  • Project mention: A morning with the Rabbit R1: a fun, funky, unfinished AI gadget | news.ycombinator.com | 2024-04-24

    It does show how incompetent the attacker was, I report below what Retr0id wrote in the issue:

    "tl;dr: The "leak" seems real, but doesn't prove any of the claims made in the readme.

    This statement from Peiyuan Liao, the rabbit CTO, is consistent with what I'm seeing here: https://twitter.com/liaopeiyuan/status/1782922595199033662

    So the "leak" is a bit of a nothingburger, containing partial code for the relatively boring process of letting users authenticate with online services through a sandboxed browser session, from which auth tokens etc. can be extracted. You can't infer anything about how LAM does or doesn't work from this.

    They likely used "kiosk escape" tricks to get code exec within the box that runs the browser. Assuming their sandboxing is all set up correctly, this isn't particularly concerning, but it does expose the code that runs within the sandbox for analysis. That's what we appear to have here.

    The attacker left behind a file named cdk.log, which is an artifact of https://github.com/cdk-team/CDK/, a container pentesting tool. They were clearly trying to escape the sandbox and pivot to somewhere more interesting, but I don't think they managed it. I think "part 2" is a bluff; this is all they have (feel free to prove me wrong, lol).

    But that doesn't mean there's nothing here. Let's look at what we do have.

    The most interesting detail to me is a package name list in repo/typescript/common/base-tsconfig.json

    [...]

    The only code actually present is for q-web-minion-

    What follows is my speculation based on the names alone:

    "q" seems like a codename for the rabbit device (so q-hole rabbit hole). Q might stand for "quantum".

    The problem with trying to log into and interface with consumer-facing services from "the cloud" is that you'll get IP rate limited, blocked as a bot, etc. It would make sense to proxy traffic back out through the user's device, and that's what I'd hope q-proxy is about. The big downside with this is that it ~doubles latency and halves available bandwidth, magnifying any deficiencies of a flaky 4G connection. This is perhaps partly why their doordash demo chugged so hard. (protip to the team; use a caching proxy, with SSL MitM. Detect CDN URLs and don't proxy those.)

    This is a total stab in the dark but my guess is that bunny-host is where the LAM action happens, and bunny-builder is for LAM training.

    cm-quantum-peripheral-common might be the wrist-mounted device teased in the launch event.

    Addendum:

    It's also possible there were some juicy credentials accessible within the container. But if there were, they aren't in this leak. In particular, it looks like they're using GCP "service account keys" (/credentials/cm-gcp-service-account-quantum-workload/gcp-service-account-quantum-workload.json), which according to google's docs "create a security risk and are not recommended. Unlike the other credential file types, compromised service account keys can be used by a bad actor without any additional information".

    There isn't enough information here (and/or my analysis isn't deep enough - "cloud" is not my forte) to determine if that'll cause any issues in practice, but if there really is a "part 2" leak, I'd guess this is how they got it."

    I OCR'd two screenshots that I took, so there could be errors.

  • Certified-Kubernetes-Security-Specialist

    Curated resources to help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" Certification exam. Please provide feedback or requests by raising issues or making a pull request. All feedback for improvements is welcome. Thank you.

  • stratus-red-team

    :cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud

  • kubeclarity

    KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems

  • Project mention: Building Secure Docker Images for Production - Best Practices | dev.to | 2023-06-30

    In the following steps, we use a local Kubernetes cluster (such as kind) to test the image. With the cluster up and running, let's install some tooling to help us with image scanning. In this case, we're using KubeClarity. Follow the installation instructions in the README to install it into your development cluster.

  • kubestriker

    A Blazing fast Security Auditing tool for Kubernetes

  • paralus

    All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs.

  • awesome-kubernetes-security

    A curated list of awesome Kubernetes security resources

  • constellation

    Constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.

  • Project mention: Using "Confidential Computing" with Hetzner? (Intel SGX/TDX, AMD SEV/SNP) | /r/hetzner | 2023-05-16

    A lot happening in Europe, Enclaive provides encrypting containers (GitHub), Edgeless Systems provides a whole encrypted k8s with constellation (GitHub), then there are other players like scontain and secustack.

  • KubeHound

    Kubernetes Attack Graph

  • Project mention: KubeHound: Kubernetes Attack Graph | /r/blueteamsec | 2023-10-09

  • eBPF-Guide

    eBPF (extended Berkeley Packet Filter) Guide. Learn all about the eBPF Tools and Libraries for Security, Monitoring, and Networking.

  • rbac-police

    Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego

  • managed-kubernetes-auditing-toolkit

    All-in-one auditing toolkit for identifying common security issues in managed Kubernetes environments. Currently supports Amazon EKS.

  • Project mention: Auditing AWS EKS Pod Permissions | dev.to | 2024-02-29

    Datadog also maintains the Managed Kubernetes Auditing Toolkit (MKAT), which can be installed to perform similar permission checks.

  • awesome-falco

    A curated list of Falco related tools, frameworks, blogs, podcasts, and articles

  • Kubewarden

    Kubewarden is a policy engine for Kubernetes. It helps with keeping your Kubernetes clusters secure and compliant. Kubewarden policies can be written using regular programming languages or Domain Specific Languages (DSL) such as Rego. Policies are compiled into WebAssembly modules that are then distributed using traditional container registries.

  • github-action

    GitHub action to run Kubescape scans (by kubescape)

  • Project mention: My CNCF LFX Mentorship Spring 2023 Project at Kubescape | dev.to | 2023-05-14

    (merged) kubescape/github-action #32 Support for code reviews instead with PRs

  • deprecated-api-versions-policy

    A Kubewarden Policy that detects usage of deprecated and dropped Kubernetes resources

  • Project mention: Isn't the release cycle becoming a bit crazy with monthly releases and deprecations? | /r/kubernetes | 2023-07-11

    If you use something like kubewarden, people write policies and update them on GitHub, for example.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

kubernetes-security related posts

  • Evaluating and securing your Kubernetes infrastructure with kube-bench

    1 project | dev.to | 25 Aug 2023
  • Building Secure Docker Images for Production - Best Practices

    4 projects | dev.to | 30 Jun 2023
  • Security starts before the production deployment

    2 projects | dev.to | 15 Jun 2023
  • Using "Confidential Computing" with Hetzner? (Intel SGX/TDX, AMD SEV/SNP)

    1 project | /r/hetzner | 16 May 2023
  • A tool that scans repos and works out the latest version and pull date of the installed version + how to lock down repos (via some cluster policy?)

    2 projects | /r/kubernetes | 27 Apr 2023
  • Resources to pass the CKS exam?

    1 project | /r/kubernetes | 9 Mar 2023
  • Where are you hosting your Managed Kubernetes and why?

    1 project | /r/kubernetes | 5 Mar 2023

Index

What are some of the best open-source kubernetes-security projects? This list will help you:

Project Stars
1 kube-bench 6,659
2 kubernetes-learning-path 6,522
3 kubernetes-goat 3,882
4 CDK 3,661
5 Certified-Kubernetes-Security-Specialist 1,919
6 stratus-red-team 1,621
7 kubeclarity 1,261
8 kubestriker 979
9 paralus 932
10 awesome-kubernetes-security 885
11 constellation 870
12 KubeHound 653
13 eBPF-Guide 460
14 rbac-police 322
15 managed-kubernetes-auditing-toolkit 229
16 awesome-falco 197
17 Kubewarden 132
18 github-action 16
19 deprecated-api-versions-policy 15
