kube-scan: A free risk assessment tool for Kubernetes Workloads

Instantly find out if your Kubernetes workloads are at risk with kube-scan

With over 30 security settings under the control of every single developer, you need to be a Kubernetes expert to understand if the final configuration introduces a high risk to your cluster. With a single change to a single file, you can open your entire Kubernetes cluster to attacks, leak secrets, risk confidential data, or accidentally give public access to private services. 

Octarine believes in making security easy for everyone, so today we have released kube-scan, a quick and easy-to-run security risk assessment tool that instantly tells you the security posture of your Kubernetes clusters.

A safe and easy way to assess your security posture

kube-scan is a pod that runs inside your cluster. It scans all your manifest files, analyzes security settings and gives you a security score for your workloads through a simple Web UI. For each workload, you’ll get a clear explanation of the risk factors, what settings remediate or aggravate risks, and what the potential consequences are (container escape, Man-in-the-Middle, unwanted interactions between containers, and so on).

kube-scan is designed to help you understand which of your workloads are most at risk and why, and enable you to prioritize updates to your Pod Security Policy, Pod definitions, and manifest files to keep your risk in check.

How kube-scan calculates a risk score

kube-scan analyzes over 30 security settings including privilege levels, capabilities, and Kubernetes policies and establishes a risk baseline. Then it analyzes how these settings work in tandem so that you can understand what combinations will decrease (or increase) your level of risk. For example, the combination of potential local access risks (privileged container, container running as root) and remote access (listening to a port, no Kubernetes Ingress policy, etc.) is at a greater risk if the service is exposed to the Internet through a Load Balancer, a host port, or a shared host network.

kube-scan also takes into consideration the ease of exploitation, and the impact and scope of exploits. This is similar to the Common Vulnerability Scoring System (CVSS). The combination of risks, remediation, aggravations factors, exploitability and impact is scored between 0 (safe) to 10 (very risky).

How to install kube-scan

kube-scan is a single-pod deployment with a YAML file to help deploy it quickly to your cluster. The pod contains the manifest scanner, scoring engine, and the web UI. 

No data leaves the containers. There is no ingress or egress access, and no data is sent or retrieved from Octarine. It is safe to run in any environment and can be deleted after you access the risk score page. You can find the instructions to deploy kube-scan on github: https://github.com/octarinesec/kube-scan

There are two ways to deploy the kube-scan container:

Direct access to the kube-scan pod

This command installs and starts the kube-scan pod:

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan.yaml

Then, proxy your local port 8080 to the pod’s port 80 in the cluster:

kubectl port-forward --namespace kube-scan svc/kube-scan-ui 8080:80

Once the pod is running, simply connect to this URL to see the scan results:

http://localhost:8080/

kube-scan behind a load balancer

If you prefer to not create a port-forward to kube-scan Web UI, you can deploy kube-scan behind a load balancer:

kubectl apply -f https://raw.githubusercontent.com/octarinesec/kube-scan/master/kube-scan-lb.yaml

Then, get the hostname used to access the Web Ui through the load balancer:

kubectl -n kube-scan get service kube-scan-ui -o jsonpath={..hostname}

This will display the hostname you need to connect to over port 80:

http://:8080/

Browse the kube-scan Web UI

After the installation is done, you can see the risk score for all your workloads. Click on any risk to see a breakdown of the risk factors.

The score is calculated once, when the pod starts. If you would like to run a new scan, delete the pod. You can install kube-scan in multiple clusters to compare your security posture in different environments.

What’s next?

kube-scan is a great tool to get visibility into the risks of your workloads. Octarine provides a much broader security solution that gives you visibility and control of your Kubernetes set up and run time through the lifecycle of your applications, from building containers, CI/CD, to running in production.

If you have any questions about kube-scan or would like to learn more about how Octarine is uniquely positioned to secure your Kubernetes clusters, visit us at https://info.octarinesec.com/kube-scan

Come see us at KubeCon! 

The Octarine team is at KubeCon 2019 in San Diego this week. Come find us at Booth SE53 for a live demo of kube-scan and to learn more about our full suite of solutions. If you’d like to schedule a time to meet with our CTO, email tom@octarinesec.com