โ KubeAudit - Audit Kubernetes clusters
๐ Overviewโ
This scenario is very useful in performing Kubernetes security audits and assessments. Here we will learn to run an open-source tool called kubeaudit
for the Kubernetes cluster and use the results for the further exploitation or fixing of the misconfigurations and vulnerabilities. This is very important and mandates if you are coming from an audit and compliance background in the modern world of containers, Kubernetes, and cloud native ecosystems.
By the end of the scenario, we will understand and learn the following
- You will learn to perform Kubernetes audit for Kubernetes clusters
- Working with open source utilities to perform audits and investigations of the cluster resources
- Gain visibility of the entire Kubernetes cluster security posture and understand the risks
โก๏ธ The storyโ
This scenario is mainly to perform the audit of the Kubernetes Cluster for various security concerns using the open-source tool kubeaudit
by Shopify.
To get started with this scenario you can run the following command to start the hacker-container
with cluster administrator privileges (as the tiller service account already has that)
kubectl run -n kube-system --serviceaccount=tiller --rm --restart=Never -it --image=madhuakula/hacker-container -- bash
๐ฏ Goalโ
The goal of this scenario is to perform the Kubernetes security audit and obtain the results from the audit.
๐ช Hints & Spoilersโ
โจ Not sure how to run the audit?
๐ Solution & Walkthroughโ
๐ฒ Method 1โ
kubeaudit
is a command-line tool and a Go package to audit Kubernetes clusters for various security concerns, such as:
- run as non-root
- use a read-only root filesystem
- drop scary capabilities, don't add new ones
- don't run privileged
- and more!
Refer to https://github.com/Shopify/kubeaudit for more details about the project
- To get started with this scenario you can run the following command to start the
hacker-container
with cluster administrator privileges (as the tiller service account already has that)
kubectl run -n kube-system --serviceaccount=tiller --rm --restart=Never -it --image=madhuakula/hacker-container -- bash
- Run the
kubeaudit
in cluster mode. Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster
kubeaudit all
-
Now based on the vulnerabilities you see from the kubeaudit, you can proceed with further exploitation
-
Hooray ๐ฅณ , now we can see that it returns the all security issues/misconfigurations from the cluster