Kubernetes Host Security

Liz Rice
October 25, 2018

Using kube-bench and kube-hunter to test the configuration of Kubernetes components in your deployment. Presented at the Kubernetes meetup at Wantedly, Tokyo.



  1. Securing your Kubernetes hosts. Liz Rice (@lizrice | @aquasecteam). Copyright © 2018 Aqua Security Software Ltd. All Rights Reserved.
  2. Agenda
     - Kubernetes configuration for security
     - CIS benchmarks – testing the configuration
     - Penetration testing – testing for vulnerabilities
  3. Kubernetes configuration
     - Kubernetes components installed on your servers
     - Master & node components
     - Many configuration settings have a security impact
     - Example: open Kubelet port = root access
     - Defaults depend on the installer

     What config settings should I use?
  4. CIS Kubernetes Benchmark

  5. kube-bench
     - Open source automated tests for CIS Kubernetes Benchmark
     - Tests for Kubernetes Masters and Nodes
     - Available as a container
     - github.com/aquasecurity/kube-bench
  7. kube-bench
     - Job configuration YAML
     - Run regularly to ensure no configuration drift
     - Tests defined in YAML
     - Released code follows the CIS Benchmark
     - Modify for your own purposes
     - github.com/aquasecurity/kube-bench
  8. Kubernetes & Docker CIS Benchmarks
     - Built into the Aqua CSP
     - Provides a scored report of the results
     - Can be scheduled to run daily
  9. Kubernetes penetration testing

  10. kube-hunter
      - Open source penetration tests for Kubernetes
      - See what an attacker would see
      - github.com/aquasecurity/kube-hunter
      - Online report viewer
      - kube-hunter.aquasec.com

      How do I know the config is working to secure my cluster?
  11. kube-hunter.aquasec.com

  13. kube-hunter with kube-bench

  17. Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat: https://info.aquasec.com/kubernetes-security
  18. Security for containers & cloud native apps
      - Open-source tools for Kubernetes security
      - Find them on GitHub
      - Q&A
      - www.aquasec.com