Tooling Up

On this page: Let's set up some of the tools that will help you gather information about your Kubernetes environment.

There will be a few example commands throughout this write-up that will help you gather information.

When you interact with a cluster, I suggest having at minimum these tools installed and ready to go:

  • kubectl: CLI to a Kubernetes cluster

  • krew: Community-supported plugins for kubectl. Many of the demos are going to be using krew plugins.

Let’s run some tools to dump a bunch of information about the clusters.

Kubeaudit

Kubeaudit is a tool from Shopify that excels in its simplicity. Simply running kubeaudit all will return a multitude of issues that are worth inspecting. Consider giving it to your DevOps teams and telling them to provide a report of all the clusters.

Kube Bench

Kube-Bench remains the de facto standard first tool you can blindly run on your clusters to get some feedback. It does its best to compare your cluster against the CIS Kubernetes Benchmarks and dumps a report on whether the cluster adheres to the best practices. More on this later.

git clone git@github.com:aquasecurity/kube-bench.git
cd kube-bench
kubectl apply -f job-master.yaml
kubectl logs {nameofpod}

They even give you an unactionable score card which is nice.

== Summary ==
40 checks PASS
13 checks FAIL
12 checks WARN
0 checks INFO
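
As an added example (not part of kube-bench or the original write-up), the shell functions below make that score card something you can act on: they list the failed checks, read the counts from the summary, and gate on a FAIL threshold. The function names and the sample log are constructed, and the `[FAIL] <id> <title>` line layout is an assumption about kube-bench's text output.

```shell
#!/bin/sh
# Added example: triage kube-bench text output. Function names are hypothetical.

# Constructed sample log; check IDs and titles are placeholders.
sample_log() {
cat <<'EOF'
[INFO] 1 Master Node Security Configuration
[PASS] 1.1.1 Example check that passed
[FAIL] 1.1.2 Example check that failed
[WARN] 1.1.3 Example check needing manual review
[FAIL] 1.2.1 Another example failure
[PASS] 1.2.2 Another example pass

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO
EOF
}

# Print "ID<TAB>title" for each check with the given status (FAIL, WARN, ...).
checks_with_status() {
    awk -v want="[$1]" '$1 == want {
        id = $2; $1 = $2 = ""; sub(/^ +/, ""); print id "\t" $0 }'
}

# Print N from the first "N checks STATUS" line after the summary header.
summary_count() {
    awk -v want="$1" '/^== Summary/ { in_sum = 1; next }
        in_sum && $2 == "checks" && $3 == want { print $1; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Exit 0 if FAILs <= $1, 1 if over, 2 if the log lacks a summary or the
# listed [FAIL] lines disagree with it (e.g. truncated pod logs).
gate() {
    log=$(cat); max=$1
    listed=$(printf '%s\n' "$log" | checks_with_status FAIL | wc -l | tr -d ' ')
    total=$(printf '%s\n' "$log" | summary_count FAIL) || return 2
    [ "$listed" -eq "$total" ] || return 2
    [ "$total" -le "$max" ]
}

# Real use: kubectl logs {nameofpod} | checks_with_status FAIL
sample_log | checks_with_status FAIL
```

Piping the job's logs through `gate 0` in CI fails the build on any FAIL, and exit code 2 flags a log that was cut off before the summary.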

Trivy

And then we’ll do Trivy, a newer open source (some may say excessive) vulnerability scanning tool acquired by Aqua. Trivy will give you lots of information about vulnerabilities in your images and their dependencies, and you’ll have to assess what’s useful.

Kubectl

Many of the tools you’ll find are just wrappers for the kubectl CLI tool. One of the first steps to better understanding is dumping the cluster info:

$ kubectl cluster-info dump > cluster_info.txt

Or if you want to review it right now:

$ kubectl cluster-info dump | jq -C . | less -R

The kubectl-neat command is also useful to clean up the output so it is more readable:

$ kubectl neat get pod -A

Now that you have a giant pile of information about your cluster and various scores and ratings, it’s time to hand it over to management.

…No, that doesn’t seem right. Let’s hold on to it and see if it’ll be useful later.