K8s Security Tools
Karthik Gaekwad @iteration1
The Dog Days of Devops, August 2018

Karthik Gaekwad @iteration1
• Used to be a dev.
• Cloud Native Evangelist, Oracle Cloud Infrastructure
• My worlds are colliding…
• Reading K8s hardening docs.
• Here's what I have

https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/

3 tools you should know
• Kube-bench
• Kubesec
• KubeAudit

Kube-bench
• https://github.com/aquasecurity/kube-bench
• "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices."
• The checks come from the CIS Kubernetes Benchmark: https://www.cisecurity.org/cis-benchmarks/
• Run it on a control-plane (master) node or on a worker node. It reads the component config files and process arguments on the host, so it has to run on the node itself (or in a pod that mounts the host filesystem), not from your laptop. On a managed service where you cannot reach the control plane, only the node checks are available to you.

Kube-bench Example
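This slide was a screenshot of a run. As an added example (my code, not kube-bench's), here is how I would consume its text output in a pipeline: parse the per-check lines, summarize them, and fail the job on FAIL items that have not been explicitly accepted. The sample output is constructed in the shape kube-bench prints; `gate.py` in the usage comment is a hypothetical file name.

```python
"""Parse kube-bench's text output and turn it into a pass/fail gate.

Added example, not part of kube-bench. It assumes the default text output:
one line per check, prefixed [PASS]/[FAIL]/[WARN], followed by the check id
(e.g. 1.1.2) and its title; [INFO] lines are section headers. The sample
output below is constructed for this example.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample, in the shape kube-bench prints for a control-plane node.
SAMPLE_OUTPUT = """\
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[WARN] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Scored)
[FAIL] 1.1.4 Ensure that the --kubelet-https argument is set to true (Scored)
[INFO] 1.4 Configuration Files
[PASS] 1.4.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
"""

CHECK_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*?)\s*$")


@dataclass(frozen=True)
class Check:
    status: str      # PASS, FAIL or WARN
    check_id: str    # CIS benchmark item number, e.g. "1.1.2"
    title: str


def parse_kube_bench(text: str) -> List[Check]:
    """Extract the individual checks; section headers ([INFO]) are skipped."""
    checks = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if not m or m.group(1) == "INFO":
            continue
        status, check_id, title = m.groups()
        checks.append(Check(status, check_id, title))
    return checks


def summarize(checks: Iterable[Check]) -> dict:
    """Counts per status, e.g. {'PASS': 2, 'FAIL': 2, 'WARN': 1}."""
    return dict(Counter(c.status for c in checks))


def gate(checks: Iterable[Check], fail_on=("FAIL",), accepted=frozenset()) -> List[Check]:
    """Checks that should block the pipeline.

    `accepted` holds check ids you have reviewed and consciously accepted
    (keep the reason in version control next to the id). WARN usually means
    kube-bench could not decide on its own, so add it to `fail_on` once you
    have worked through the warnings by hand.
    """
    return [c for c in checks if c.status in fail_on and c.check_id not in accepted]


if __name__ == "__main__":
    # Usage: kube-bench master | python3 gate.py   (falls back to the sample)
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    checks = parse_kube_bench(text)
    print(summarize(checks))
    blocking = gate(checks, accepted={"1.1.2"})
    for c in blocking:
        print(f"{c.status} {c.check_id} {c.title}")
    sys.exit(1 if blocking else 0)
```

The accepted list is the important part: without it, the first genuinely unfixable finding on a managed platform gets the whole gate disabled. kube-bench also has a JSON output mode if you would rather not parse text, but the decision logic is the same.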

Kubesec
• https://kubesec.io/ from controlplane
• Helps you quantify risk for K8s resources: it scores a manifest on things like privileged containers, host namespaces, added capabilities, runAsNonRoot and readOnlyRootFilesystem. It is static analysis of the manifest, not a check of what the container actually does at runtime.
• Run against your K8s applications (deployments/pods/daemonsets etc)
• Can be used standalone, or as a kubectl plugin (https://github.com/stefanprodan/kubectl-kubesec)

Kubesec Example

KubeAudit
• Open-sourced by Shopify.
• https://github.com/Shopify/kubeaudit
• Helps with auditing your applications in your K8s cluster: it checks the resources in a namespace (or a manifest file) for things like privileged containers, privilege escalation, added capabilities, running as root, writable root filesystems, unpinned image tags and automounted service account tokens.
• A little more targeted than Kubesec: each check is pass/fail per container rather than a single score.

Kubeaudit Example
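Kubesec's score and kubeaudit's per-container checks both come down to walking the PodSpec and testing securityContext and host-namespace fields. As an added example for both the Kubesec and KubeAudit slides (my code, not either project's; the rules and point values are simplified ones chosen for illustration, not the tools' actual scoring), here is a small auditor that does the same over a manifest handed over as a dict, run against a constructed Deployment before and after hardening:

```python
"""Score a Kubernetes workload manifest for risk, kubesec/kubeaudit style.

Added example, not kubesec's or kubeaudit's code: the rules and point values
are simplified ones chosen for illustration, not either tool's real scoring.
Manifests are plain dicts (what json.load() or a YAML loader returns).
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

def _sc(c: dict) -> dict:
    return c.get("securityContext") or {}

def _caps(c: dict, key: str) -> list:
    return (_sc(c).get("capabilities") or {}).get(key) or []

def pinned_image(image: str) -> bool:
    """True when the image reference carries a digest or a tag other than latest."""
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    return bool(sep) and "/" not in tag and tag != "latest"  # "registry:5000/app" has no tag

@dataclass(frozen=True)
class Rule:
    scope: str                    # "pod" or "container"
    name: str
    points: int                   # < 0: risk when matched; > 0: credit when matched, advice when not
    test: Callable[[dict], bool]

RULES = [
    Rule("container", "privileged", -30, lambda c: _sc(c).get("privileged") is True),
    Rule("container", "capabilities.add SYS_ADMIN", -30, lambda c: "SYS_ADMIN" in _caps(c, "add")),
    Rule("pod", "hostNetwork", -9, lambda p: p.get("hostNetwork") is True),
    Rule("pod", "hostPID", -9, lambda p: p.get("hostPID") is True),
    Rule("pod", "hostIPC", -9, lambda p: p.get("hostIPC") is True),
    Rule("pod", "automountServiceAccountToken false", 1, lambda p: p.get("automountServiceAccountToken") is False),
    Rule("container", "runAsNonRoot", 1, lambda c: _sc(c).get("runAsNonRoot") is True),
    Rule("container", "readOnlyRootFilesystem", 1, lambda c: _sc(c).get("readOnlyRootFilesystem") is True),
    Rule("container", "allowPrivilegeEscalation false", 1, lambda c: _sc(c).get("allowPrivilegeEscalation") is False),
    Rule("container", "capabilities.drop ALL", 1, lambda c: "ALL" in _caps(c, "drop")),
    Rule("container", "cpu and memory limits", 1,
         lambda c: {"cpu", "memory"} <= set((c.get("resources") or {}).get("limits") or {})),
    Rule("container", "image pinned (tag or digest, not latest)", 1, lambda c: pinned_image(c.get("image", ""))),
]

def pod_spec(manifest: dict) -> dict:
    """Locate the PodSpec inside the common workload kinds."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"):
        return spec["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")

def audit(manifest: dict) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Return (score, findings); a finding is (target, 'critical' | 'advise', rule name)."""
    spec = pod_spec(manifest)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    targets = [("pod", "pod", spec)] + [("container", f"container/{c.get('name', '?')}", c) for c in containers]
    score, findings = 0, []
    for scope, label, obj in targets:
        for rule in RULES:
            if rule.scope != scope:
                continue
            matched = rule.test(obj)
            if rule.points < 0 and matched:          # critical: subtract and report
                score += rule.points
                findings.append((label, "critical", rule.name))
            elif rule.points > 0 and matched:        # hardening present: credit
                score += rule.points
            elif rule.points > 0:                    # hardening missing: advise
                findings.append((label, "advise", rule.name))
    return score, findings

def audit_list(doc: dict) -> dict:
    """Audit a kind: List document (what `kubectl get deploy -o json` returns), keyed by namespace/name."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {f"{m['metadata'].get('namespace', 'default')}/{m['metadata']['name']}": audit(m) for m in items}

# Constructed samples: the same Deployment before and after hardening.
RISKY = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
         "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
             {"name": "web", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}}}
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"template": {"spec": {"automountServiceAccountToken": False, "containers": [
                {"name": "web", "image": "nginx:1.25.3",
                 "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                 "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                     "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for name, m in (("risky", RISKY), ("hardened", HARDENED)):
        score, findings = audit(m)
        print(f"{name}: score {score}")
        for target, severity, rule in findings:
            print(f"  [{severity}] {target}: {rule}")
```

Run it and the risky Deployment scores -39 with two critical findings (hostNetwork on the pod, privileged on the container) plus the hardening it is missing, while the hardened one scores 7 with nothing to advise. Feed the manifests from your repo to `audit` in CI to fail the build before they are applied, which is how you would use kubesec; pipe `kubectl get deploy -A -o json` through `json.load` and `audit_list` to check what is already running, which is the kubeaudit way of working against a namespace.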

Moar!
• Check the resources from this talk by Michael Hausenblas: https://speakerdeck.com/mhausenblas/kubernetes-security-from-image-hygiene-to-networkpolicies

Fin • More cool tools? Tweet me @iteration1