Tooling Up
On this page: Let's set up some of the tools that will help you gather information about your Kubernetes environment.
Table of Contents
Introduction
Understanding Your Environment
Understanding Your Risk
Wrapping Up
There will be a few example commands throughout this write-up that will help you gather information.
I suggest that when you're interacting with a cluster you have, at minimum, these tools installed and ready to go:
I pronounce kubectl, kube cuddle. Pick your side. Countdown to #KubeCon #Kubernetes
— Michael Mattsson 💾 (@datamattsson)
3:30 PM • Nov 12, 2019
Let’s run some tools to dump a bunch of information about the clusters.
Kubeaudit
Kubeaudit is a tool from Shopify that excels in its simplicity. Simply running kubeaudit all will return a multitude of issues that are worth inspecting. Consider giving it to your DevOps teams and telling them to provide a report of all the clusters.
Kube Bench
Kube-Bench remains the de facto standard as the first tool you can blindly run on your clusters to get some feedback. It compares your cluster's configuration against the CIS Kubernetes Benchmark and dumps a report on whether the cluster adheres to those best practices. More on this later.
git clone git@github.com:aquasecurity/kube-bench.git
cd kube-bench
kubectl apply -f job-master.yaml
kubectl logs {nameofpod}
They even give you an unactionable score card which is nice.
== Summary ==
40 checks PASS
13 checks FAIL
12 checks WARN
0 checks INFO
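The score card is a little more useful if you turn it into numbers you can gate on. The script below is an added example (not from the post or from kube-bench itself) that parses the "== Summary ==" block shown above into counts, a pass rate over the scored PASS/FAIL checks, and a threshold check; the summary format and the sample counts are assumed to match the output above.

```shell
#!/bin/sh
# Added example, not from the post or from kube-bench: parse the "== Summary =="
# block kube-bench prints into counts and a simple pass/fail gate, so the score card
# becomes something you can act on (or fail a pipeline with).

# Constructed sample, in the format of the summary shown above.
SAMPLE_SUMMARY='== Summary ==
40 checks PASS
13 checks FAIL
12 checks WARN
0 checks INFO'

# summary_count SUMMARY STATUS: number of checks with that status (0 if the line is absent)
summary_count() {
  printf '%s\n' "$1" | awk -v st="$2" '$2 == "checks" && $3 == st { n = $1 } END { print n + 0 }'
}

# pass_rate SUMMARY: integer percentage of PASS among PASS + FAIL.
# WARN and INFO are deliberately left out of the denominator here; they need a human look.
pass_rate() {
  pass=$(summary_count "$1" PASS)
  fail=$(summary_count "$1" FAIL)
  total=$((pass + fail))
  if [ "$total" -eq 0 ]; then echo 0; return; fi
  echo $((pass * 100 / total))
}

# summary_gate SUMMARY MAX_FAIL: succeeds when the FAIL count is at or below the threshold
summary_gate() {
  fail=$(summary_count "$1" FAIL)
  [ "$fail" -le "$2" ]
}

# Typical use is to feed in the tail of "kubectl logs {nameofpod}"; on the sample this
# prints "FAIL=13 pass_rate=75%".
printf 'FAIL=%s pass_rate=%s%%\n' \
  "$(summary_count "$SAMPLE_SUMMARY" FAIL)" "$(pass_rate "$SAMPLE_SUMMARY")"
```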
Trivy
Next is Trivy, a newer open-source (some may say excessive) vulnerability scanner acquired by Aqua. Trivy will report a lot of vulnerabilities in your images and their dependencies, and you'll have to assess which of them are actually useful.
Kubectl
Many of the tools you'll find are just wrappers around the kubectl CLI tool. One of the first steps toward understanding a cluster is dumping its info:
$ kubectl cluster-info dump > cluster_info.txt
Or if you want to review it right now:
$ kubectl cluster-info dump | jq -C . | less -R
The kubectl-neat plugin is also useful for cleaning up the output so it is more readable:
$ kubectl neat get pod -A
Now that you have a giant pile of information about your cluster and various scores and ratings, it's time to hand it over to management.
…No that doesn’t seem right. Let’s hold on to it and see if it’ll be useful later.