beawolf - Fotolia
How do I audit a Kubernetes environment?
IT teams should audit their Kubernetes configuration files to uncover -- and address -- coding mishaps and vulnerabilities. Fortunately, third-party and native Kubernetes tools automate the process.
To deploy applications on Kubernetes, admins must write relatively extensive configuration files that define how Kubernetes should manage the applications.
Kubernetes admins often write additional configuration files to manage other aspects of their clusters, such as RoleBinding and ClusterRoleBinding files for role-based access control. They also write pod security policies to define the security rules a cluster must follow.
While it can be tedious to write all this configuration code, it offers an opportunity to automatically audit Kubernetes configuration files with tools that parse the code for settings that might lead to security issues or other problems.
Below is an overview of auditing methods and tools for Kubernetes deployments and other configuration files.
Basic Kubernetes auditing
The most basic Kubernetes auditing task is to verify whether configuration code is valid. There are several free online tools designed to check code written in YAML -- the standard used for Kubernetes configuration code -- such as Kube YAML and YAML Lint. Some of these tools also help optimize code to make it more readable.
Because these tools don't integrate with the Kubernetes cluster, they can't validate whether everything defined within a YAML file will work in a live environment. Nonetheless, they are useful to perform basic audits and identify coding mistakes that might prevent Kubernetes from running successfully.
Kubernetes security auditing tools
Auditing Kubernetes configuration files for security vulnerabilities is more complex, but also more critical, than the basic Kubernetes auditing tasks described above. Security audits identify configuration issues that might lead to unauthorized access to a Kubernetes resource, enable attackers to disrupt workloads or result in other vulnerabilities.
There are several third-party security auditing tools for Kubernetes. Shopify offers a basic tool, kubeaudit, which checks for security misconfigurations, such as containers running as the root user. Kube-bench, from Aqua Security, provides deeper audits to verify whether configurations align with benchmarks defined by the Center for Internet Security, a community-driven nonprofit organization. Aqua also offers kube-hunter, which provides more basic security auditing functionality than kubeaudit.
Another auditing tool is Kubesec.io from Controlplane, a container security and continuous delivery consultancy. This tool analyzes Kubernetes configurations and assigns them scores that reflect how closely they align with the security best practices defined by Kubesec.io developers. Kubesec.io runs continuously to perform ongoing audits in real time; most other Kubernetes security auditing tools provide only one-off checks, and need to run again to validate a new configuration after any deployments or policy file updates.
Native features to audit Kubernetes
Kubernetes also provides a built-in auditing framework that caters primarily to security auditing. This framework doesn't audit configuration files for potential security issues, but enables admins to track and record access events involving Kubernetes resources. Write audit policy files that define which types of events to record, and what information to record about them.
Although this native Kubernetes auditing tool doesn't identify security vulnerabilities before a Kubernetes application or other resource deployment, it does help identify security issues as they arise, and is useful to research past security problems.