Introduction:
Kubernetes, the container orchestration platform, has revolutionized the way we deploy and manage containerized applications. However, with great power comes great responsibility, and securing Kubernetes environments is paramount. In this blog post, we'll delve into the Starboard Operator, a powerful tool designed to enhance security within Kubernetes clusters.
Understanding Kubernetes Security Challenges
Kubernetes security involves multiple layers, including container images, runtime security, network policies, and access controls. Ensuring the security of each of these layers is crucial to safeguarding your applications and data.
Introduction to Starboard
_Starboard is an open-source Kubernetes-native security toolkit developed by Aqua Security. It provides a set of tools and custom resources to perform security and compliance checks within Kubernetes clusters. Starboard extends Kubernetes functionality, allowing users to scan container images and Kubernetes resources for vulnerabilities, misconfigurations, and other security issues.
_
Key Features of Starboard Operator
1. Container Image Scanning
Starboard enables users to scan container images for vulnerabilities using popular security databases like CVE. By integrating with image scanners, Starboard ensures that only secure and trusted container images are deployed within the cluster.
root@master:~/vault# kubectl starboard get vulnerabilities
2. Kubernetes Resource Scanning
In addition to image scanning, Starboard performs security checks on Kubernetes resources. This includes ConfigAudit checks to ensure that configurations align with security best practices.
root@master:~/vault# kubectl starboard get configauditreports
3. Custom Resource Definitions
Starboard introduces custom resources such as VulnerabilityReport and ConfigAuditReport. These resources provide detailed information about vulnerabilities and configuration issues, making it easier for users to understand and address security concerns.
root@master:~/vault# kubectl get vulnerabilityreports
root@master:~/vault# kubectl get configauditreports
Installing Starboard Operator
Installing Starboard Operator is a straightforward process. Users can deploy it using standard Kubernetes manifests or Helm charts. The official Aqua Security documentation provides clear instructions for the installation process.
root@master:~/vault# helm install starboard-operator aqua/starboard-operator --namespace starboard-system --create-namespace --set="trivy.ignoreUnfixed=true" --version 0.10.12
root@master:~/vault# kubectl get pods -n starboard-system
NAME READY STATUS RESTARTS AGE
starboard-operator-5dbd48d67-6zh8v 1/1 Running 0 46m
Inspect created VulnerabilityReports by
root@master:~/vault# kubectl get vulnerabilityreports --all-namespaces -o wide
NAMESPACE NAME REPOSITORY TAG SCANNER AGE CRITICAL HIGH MEDIUM LOW UNKNOWN
argocd replicaset-argocd-repo-server-6f5d866457-argocd-repo-server argoproj/argocd v2.9.2 Trivy 45m 0 0 23 12 0
calico-system replicaset-846bc59bdd calico/kube-controllers v3.26.3 Trivy 47m 0 0 0 0 0
default replicaset-deathstar-8464cdd4d9-deathstar cilium/starwars latest Trivy 43m 0 0 0 0 0
metallb-system replicaset-controller-586bfc6b59-controller metallb/controller v0.13.12 Trivy 39m 0 2 8 0 0
Inspect created ConfigAuditReports by
root@master:~/vault# kubectl get configauditreports -n default -o wide
NAME SCANNER AGE CRITICAL HIGH MEDIUM LOW
replicaset-deathstar-8464cdd4d9 Starboard 72m 0 0 6 8
replicaset-nginx-54f8f9f495 Starboard 43m 0 0 6 7
Inspect created CISKubeBenchReports by
root@master:~/vault# kubectl get ciskubebenchreports -o wide
NAME SCANNER AGE FAIL WARN INFO PASS
master.homecluster.store kube-bench 72m 10 47 0 68
worker1.homecluster.store kube-bench 71m 1 33 0 19
worker2.homecluster.store kube-bench 55m 1 33 0 19
Deploying nginx in default namespace
root@master:~/vault# kubectl create deployment nginx --image nginx:1.16 -n default
root@master:~/vault# kubectl get pods -n default | grep nginx
nginx-54f8f9f495-n8s6m 1/1 Running 0 47m
Verify the vulnerability in nginx deployment
root@master:~/vault# kubectl get configauditreports --all-namespaces -o wide | grep default | grep nginx
default replicaset-nginx-54f8f9f495 Starboard 48m 0 0 6 7
root@master:~/vault# kubectl get configauditreports replicaset-nginx-54f8f9f495 -n default -o json
"report": {
"checks": [
{
"category": "Kubernetes Security Check",
"checkID": "KSV020",
"description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.",
"messages": [
"Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsUser' \u003e 10000"
],
"severity": "MEDIUM",
"success": false,
"title": "Runs with low user ID"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV037",
"description": "ensure that User pods are not placed in kube-system namespace",
"severity": "MEDIUM",
"success": true,
"title": "User Pods should not be placed in kube-system namespace"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV024",
"description": "HostPorts should be disallowed, or at minimum restricted to a known list.",
"severity": "HIGH",
"success": true,
"title": "Access to host ports"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV003",
"description": "The container should drop all default capabilities and add only those that are needed for its execution.",
"messages": [
"Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should add 'ALL' to 'securityContext.capabilities.drop'"
],
"severity": "LOW",
"success": false,
"title": "Default capabilities not dropped"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV013",
"description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.",
"severity": "LOW",
"success": true,
"title": "Image tag ':latest' used"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV021",
"description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.",
"messages": [
"Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsGroup' \u003e 10000"
],
"severity": "MEDIUM",
"success": false,
"title": "Runs with low group ID"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV001",
"description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
"messages": [
"Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.allowPrivilegeEscalation' to false"
],
"severity": "MEDIUM",
"success": false,
"title": "Process can elevate its own privileges"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV023",
"description": "HostPath volumes must be forbidden.",
"severity": "MEDIUM",
"success": true,
"title": "hostPath volumes mounted"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV025",
"description": "Setting a custom SELinux user or role option should be forbidden.",
"severity": "MEDIUM",
"success": true,
"title": "SELinux custom options set"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV029",
"description": "Containers should be forbidden from running with a root primary or supplementary GID.",
"severity": "LOW",
"success": true,
"title": "A root primary or supplementary GID set"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV002",
"description": "A program inside the container can bypass AppArmor protection policies.",
"severity": "MEDIUM",
"success": true,
"title": "Default AppArmor profile not set"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV007",
"description": "Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started.",
"severity": "LOW",
"success": true,
"title": "hostAliases is set"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV009",
"description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.",
"severity": "HIGH",
"success": true,
"title": "Access to host network"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV012",
"description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.",
"messages": [
"Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsNonRoot' to true"
],
"severity": "MEDIUM",
"success": false,
"title": "Runs as root user"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV022",
"description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.",
"severity": "MEDIUM",
"success": true,
"title": "Non-default capabilities added"
},
{
"category": "Kubernetes Security Check",
"checkID": "KSV027",
"description": "The default /proc masks are set up to reduce attack surface, and should be required.",
"severity": "MEDIUM",
"success": true,
"title": "Non-default /proc masks set"
},
Enhancing Security Workflows
The integration of Starboard into your Kubernetes environment enhances security workflows by providing actionable insights. Security teams can use the reports generated by Starboard to identify and mitigate risks, ensuring a robust security posture.
Conclusion
As organizations continue to embrace Kubernetes for container orchestration, securing these environments becomes paramount. The Starboard Operator, with its container image scanning and Kubernetes resource checks, emerges as a valuable tool in the Kubernetes security toolkit. By seamlessly integrating into existing workflows, Starboard empowers users to proactively address security concerns, fortifying their Kubernetes deployments against potential threats. In conclusion, the Starboard Operator is a powerful ally in the ongoing battle to secure Kubernetes clusters, offering a comprehensive set of tools to identify and remediate security issues. Consider integrating Starboard into your Kubernetes security strategy to elevate your containerized applications' defense against modern threats.
Top comments (0)