kubeaudit is a command line tool to audit Kubernetes clusters for various
different security concerns: run the container as a non-root user, use a read
only root filesystem, drop scary capabilities, don't add new ones, don't run
privileged, ... You get the gist of it and more on that later. Just know:
Kubeaudit has official releases that are blessed and stable here: Official releases
Master will have newer features than the stable releases. If you need a newer feature not yet included in a release you can do the following to get kubeaudit:
go get -v github.com/Shopify/kubeaudit
make
make installNow you can just call kubeaudit with one of commands from here
kubeaudit has three different modes for its audits:
kubeaudit cmdwill attempt to create an in-cluster client and audit.kubeaudit -l/--local cmdwill use your kubeconfig (~/.kube/configor if you need different path use-c /config/pathkubeaudit -f/--manifest /path/to/manifest.ymlwill audit the manifest
kubeaudit supports to different output types:
- just running
kubeauditwill log human readable output - if run with
-j/--jsonit will log output json formatted so that its output can be used by other programs easily
kubeaudit has 4 different log levels INFO, WARN, ERROR controlled by
-v/--verbose LEVEL and for those who counted and want to work on kubeaudit
DEBUG
- by default the debug level is set to
ERRORand will logINFO,WARNandERROR - if you only care about
ERRORset it toERROR - if you care about
ERRORandWARNset it toWARN
But wait! Which version am I actually running? kubeaudit version will tell you.
I need help! Run kubeaudit help every audit has its own help so you can run
kubeaudit help sc
Last but not least before we look at the audits: kubeaudit -a/--allPods
audits against pods in all the phases (default Running Phase)
As humans we are lazy and kubeaudit knows that so it comes with the functionality to autofix workload manifests. Point it at your workload manifests and it will automagically fix everything so that manifests are as secure as it gets.
kubeaudit autofix -f path/to/manifest.yml
The manifest might end up a little too secure for the work it is supposed to do. If that is the case check out labels to opt out of certain checks.
kubeaudit has multiple checks:
- Audit all
- Audit security context
- Audit image
- Audit Service Accounts
- Audit network policies
- Audit resources
Runs all the above checks.
kubeaudit -l all
ERRO[0000] RunAsNonRoot is not set, which results in root user being allowed!
ERRO[0000] Default serviceAccount with token mounted. Please set automountServiceAccountToken to false
WARN[0000] Privileged defaults to false, which results in non privileged, which is okay.
ERRO[0000] Capability not dropped CapName=AUDIT_WRITEThe security context holds a couple of different security related
configurations. For convenience, kubeaudit will always log the following
information when it creates a log:
kubeaudit -l command
LOG[0000] KubeType=deployment Name=THEdeployment Namespace=deploymentNSAnd for brevity, the information will not be shown in the commands below.
Currently, kubeaudit is able to check for the following fields in the security context:
kubeaudit will detect whether readOnlyRootFilesystem is either not set nil or explicitly set to false
kubeaudit -l rootfs
ERRO[0000] ReadOnlyRootFilesystem not set which results in a writable rootFS, please set to true
ERRO[0000] ReadOnlyRootFilesystem set to false, please set to truekubeaudit will detect whether the container is to be run as root:
kubeaudit -l nonroot
ERRO[0000] RunAsNonRoot is set to false (root user allowed), please set to true!
ERRO[0000] RunAsNonRoot is not set, which results in root user being allowed!kubeaudit will detect whether allowPrivilegeEscalation is either set to nil or explicitly set to false
kubeaudit -l allowpe
ERRO[0000] AllowPrivilegeEscalation set to true, please set to false
ERRO[0000] AllowPrivilegeEscalation not set which allows privilege escalation, please set to falsekubeaudit will detect whether the container is to be run privileged:
kubeaudit -l priv
ERRO[0000] Privileged set to true! Please change it to false!Since we want to make sure everything is intentionally configured correctly kubeaudit warns about privileged not being set:
kubeaudit -l priv
WARN[0000] Privileged defaults to false, which results in non privileged, which is okay.Docker comes with a couple of capabilities that shouldn't be needed and
therefore should be dropped. kubeaudit will also complain about added capabilities.
If the capabilities field doesn't exist within the security context:
kubeaudiit -l caps
ERRO[0000] Capabilities field not defined!When capabilities were added:
kubeaudiit -l caps
ERRO[0000] Capability added CapName=NET_ADMINconfig/caps
holds a list of capabilities that we recommend be dropped, change it if you
want to keep some of the capabilities otherwise kubeaudit will complain about
them not being dropped:
kubeaudiit -l caps
ERRO[0000] Capability not dropped CapName=AUDIT_WRITEkubeaudit can check for image names and image tags:
- If the image tag is incorrect an ERROR will issued
kubeaudit -l image -i gcr.io/google_containers/echoserver:1.7
ERRO[0000] Image tag was incorrect- If the image doesn't have a tag but an image of the name was found a WARNING will be created:
kubeaudit -l image -i gcr.io/google_containers/echoserver:1.7
WARN[0000] Image tag was missing- If the image was found with correct tag
kubeauditnotifies with an INFO message:
kubeaudit -l image -i gcr.io/google_containers/echoserver:1.7
INFO[0000] Image tag was correctIt audits against the following scenarios:
- A default serviceAccount mounted with a token:
kubeaudit -l sat
ERRO[0000] Default serviceAccount with token mounted. Please set AutomountServiceAccountToken to false- A deprecated service account:
kubeaudit -l sat
WARN[0000] serviceAccount is a deprecated alias for ServiceAccountName, use that one instead DSA=DeprecatedServiceAccountIt checks that every namespace should have a default deny network policy installed. See Kubernetes Network Policies for more information:
# don't specify -l or -c to run inside the cluster
kubeaudit np
WARN[0000] Default allow mode on test/testingIt checks that every resource has a CPU and memory limit. See Kubernetes Resource Quotas for more information:
kubeaudit -l limits
WARN[0000] CPU limit not set, please set it!
WARN[0000] Memory limit not set, please set it!With the --cpu and --memory parameters, kubeaudit can check the limits not to be exceeded.
kubeaudit -l limits --cpu 500m --memory 125Mi
WARN[0000] CPU limit exceeded, it is set to 1 but it must not exceed 500m. Please adjust it! !
WARN[0000] Memory limit exceeded, it is set to 512Mi but it must not exceed 125Mi. Please adjust it!Override labels give you the ability to have kubeaudit allow certain audits to fail.
For example, if you want kubeaudit to ignore the fact that AllowPrivilegeEscalation was set to true, you can add the following label:
spec:
template:
metadata:
labels:
apps: YourAppNameHere
kubeaudit.allow.privilegeEscalation: "YourReasonForOverrideHere"Any label with a non-nil reason string will prevent kubeaudit from throwing the corresponding error and issue a warning instead.
Reasons matching "true" (not case sensitive) will be displayed as Unspecified.
kubeaudit supports many labels:
- kubeaudit.allow.privilegeEscalation
- kubeaudit.allow.privileged
- kubeaudit.allow.capability
- kubeaudit.allow.runAsRoot
- kubeaudit.allow.automountServiceAccountToken
- kubeaudit.allow.readOnlyRootFilesystemFalse
Allows allowPrivilegeEscalation to be set to true.
kubeaudit.allow.privilegeEscalation: "Superuser privileges needed"
WARN[0000] Allowed setting AllowPrivilegeEscalation to true Reason="Superuser privileges needed"Allows privileged to be set to true.
kubeaudit.allow.privileged: "Privileged execution required"
WARN[0000] Allowed setting privileged to true Reason="Privileged execution required"Allows adding a capability or keeping one that would otherwise be dropped.
kubeaudit.allow.capability.chown: "true"
WARN[0000] Capability allowed CapName=CHOWN Reason=UnspecifiedAllows setting runAsNonRoot to false.
kubeaudit.allow.runAsRoot: "Root privileges needed"
WARN[0000] Allowed setting RunAsNonRoot to false Reason="Root privileges needed"Allows setting automountServiceAccountToken to true.
kubeaudit.allow.autmountServiceAccountToken: "True"
WARN[0000] Allowed setting automountServiceAccountToken to true Reason=UnspecifiedAllows setting readOnlyRootFilesystem to false
kubeaudit.allow.readOnlyRootFilesystemFalse: "Write permissions needed"
WARN[0000] Allowed setting readOnlyRootFilesystem to false Reason="Write permissions needed"If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our Code of Conduct.
- Create your own fork!
- Get the source:
go get github.com/Shopify/kubeaudit - Go to the source:
cd $GOPATH/src/github.com/Shopify/kubeaudit - Add your forked repo as a fork:
git remote add fork https://github.com/you-are-awesome/kubeaudit - Create your feature branch:
git checkout -b awesome-new-feature - Run the tests to see everything is working as expected:
make test - Commit your changes:
git commit -am 'Adds awesome feature' - Push to the branch:
git push fork - Submit a PR
- ???
- Profit