With over 30 security settings under the control of every single developer, you need to be a Kubernetes expert to understand if the final configuration introduces a high risk to your cluster. With a single change to a single file, you can open your entire Kubernetes cluster to attacks, leak secrets, risk confidential data, or accidentally give public access to private services.
Octarine believes in making security easy for everyone. Kube-scan is a quick and easy-to-run, open source security risk assessment tool that instantly tells you the security posture of your Kubernetes clusters.
Kube-scan is a pod that runs inside your cluster. It scans all your manifest files, analyzes security settings and gives you a security score for your workloads through a simple Web UI. For each workload, you’ll get a clear explanation of the risk factors, what settings remediate or aggravate risks, and what the potential consequences are (container escape, man-in-the-middle, unwanted interactions between containers, and so on).
Kube-scan is designed to help you understand which of your workloads are most at risk and why, and enable you to prioritize updates to your Pod Security Policy, Pod definitions, and manifest files to keep your risk in check.
Kube-scan analyzes over 30 security settings, including privilege levels, capabilities, and Kubernetes policies, and establishes a risk baseline. It then analyzes how these settings work in tandem so that you can understand which combinations decrease (or increase) your level of risk. For example, a combination of local access risks (a privileged container, a container running as root) and remote access (listening on a port, no Kubernetes Ingress policy, etc.) carries greater risk when the service is exposed to the Internet through a Load Balancer, a host port, or a shared host network.
Kube-scan also takes into consideration the ease of exploitation and the impact and scope of exploits, in a way similar to the Common Vulnerability Scoring System (CVSS). The combination of risks, remediating factors, aggravating factors, exploitability and impact is scored from 0 (safe) to 10 (very risky). The exact rules and scoring formula are part of the open source framework KCCSS, the Kubernetes Common Configuration Scoring System.
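The rules and weights kube-scan actually uses live in KCCSS and are not reproduced on this page. As an added illustration (not kube-scan or KCCSS code), the following Python sketch shows the principle described above, combining local-access settings (privileged, root, added capabilities) with remote exposure (container ports, host ports, host network, a LoadBalancer Service) into a 0 to 10 score; the manifests and the weights are constructed for the example.

```python
import json
# Constructed Pod and Service objects (not from the page), in the JSON form the
# Kubernetes API returns. The weights further down are illustrative, not KCCSS.
SAMPLE_POD = json.loads('''{"metadata": {"labels": {"app": "web"}},
 "spec": {"hostNetwork": false, "containers": [{"name": "web",
   "securityContext": {"privileged": true},
   "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}}''')
SAMPLE_SERVICES = json.loads('''[{"spec": {"type": "LoadBalancer",
   "selector": {"app": "web"}}}]''')

def local_access_risks(pod):
    """Settings that widen what code already running in the container can do."""
    risks, pod_sc = [], pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            risks.append(f"{c['name']}: privileged container")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))  # images default to uid 0
        if not non_root and uid == 0:
            risks.append(f"{c['name']}: may run as root")
        if sc.get("capabilities", {}).get("add"):
            risks.append(f"{c['name']}: adds capabilities {sc['capabilities']['add']}")
    return risks

def remote_exposure(pod, services):
    """How reachable the workload is; LoadBalancer, hostPort and hostNetwork reach outside the cluster."""
    exposure = ["shared host network"] if pod["spec"].get("hostNetwork") else []
    for c in pod["spec"]["containers"]:
        for p in c.get("ports", []):
            exposure.append(f"{c['name']}: listens on port {p['containerPort']}")
            if "hostPort" in p:
                exposure.append(f"{c['name']}: host port {p['hostPort']}")
    labels = pod["metadata"].get("labels", {})
    for svc in services:  # a LoadBalancer Service selecting this Pod exposes it publicly
        sel = svc["spec"].get("selector", {})
        if sel and svc["spec"].get("type") == "LoadBalancer" \
                and all(labels.get(k) == v for k, v in sel.items()):
            exposure.append("exposed via LoadBalancer Service")
    return exposure

def score(pod, services):
    """0 (safe) .. 10 (very risky): local risks count most, and reachability multiplies them."""
    local, remote = local_access_risks(pod), remote_exposure(pod, services)
    public = any("host" in r or r.startswith("exposed") for r in remote)
    risk = 2.0 * len(local) + 0.5 * len(remote)
    if local and remote:            # the combination aggravates, as the text describes
        risk *= 2.0 if public else 1.5
    return min(10.0, round(risk, 1)), local + remote
```

Running `score(SAMPLE_POD, SAMPLE_SERVICES)` on the constructed privileged, root, LoadBalancer-exposed Pod saturates at 10.0, while the same Pod with `runAsNonRoot`, no `privileged` flag and only a ClusterIP Service scores 0.5.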