AMIT CHATURVEDI

Exploring Kubernetes Security with Starboard Operator

Introduction:
Kubernetes, the container orchestration platform, has revolutionized the way we deploy and manage containerized applications. However, with great power comes great responsibility, and securing Kubernetes environments is paramount. In this blog post, we'll delve into the Starboard Operator, a powerful tool designed to enhance security within Kubernetes clusters.

Understanding Kubernetes Security Challenges
Kubernetes security involves multiple layers, including container images, runtime security, network policies, and access controls. Ensuring the security of each of these layers is crucial to safeguarding your applications and data.

Introduction to Starboard
Starboard is an open-source Kubernetes-native security toolkit developed by Aqua Security. It provides a set of tools and custom resources to perform security and compliance checks within Kubernetes clusters. Starboard extends Kubernetes functionality, allowing users to scan container images and Kubernetes resources for vulnerabilities, misconfigurations, and other security issues.

Key Features of Starboard Operator
1. Container Image Scanning
Starboard enables users to scan container images for known vulnerabilities, matching their packages against vulnerability databases such as the CVE list. By integrating with image scanners (Trivy, in the reports shown below), Starboard gives operators the visibility they need to ensure that only secure and trusted container images are deployed within the cluster.

root@master:~/vault# kubectl starboard get vulnerabilities

2. Kubernetes Resource Scanning
In addition to image scanning, Starboard performs security checks on Kubernetes resources. This includes ConfigAudit checks to ensure that configurations align with security best practices.

root@master:~/vault# kubectl starboard get configauditreports

3. Custom Resource Definitions
Starboard introduces custom resources such as VulnerabilityReport and ConfigAuditReport. These resources provide detailed information about vulnerabilities and configuration issues, making it easier for users to understand and address security concerns.

root@master:~/vault# kubectl get vulnerabilityreports
root@master:~/vault# kubectl get configauditreports

Installing Starboard Operator
Installing Starboard Operator is a straightforward process. Users can deploy it using standard Kubernetes manifests or Helm charts. The official Aqua Security documentation provides clear instructions for the installation process.

root@master:~/vault# helm install starboard-operator aqua/starboard-operator \
  --namespace starboard-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --version 0.10.12

root@master:~/vault# kubectl get pods -n starboard-system
NAME                                 READY   STATUS    RESTARTS   AGE
starboard-operator-5dbd48d67-6zh8v   1/1     Running   0          46m

Inspect the VulnerabilityReports the operator has created with:

root@master:~/vault# kubectl get vulnerabilityreports --all-namespaces -o wide
NAMESPACE        NAME                                                          REPOSITORY                TAG        SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
argocd           replicaset-argocd-repo-server-6f5d866457-argocd-repo-server   argoproj/argocd           v2.9.2     Trivy     45m   0          0      23       12    0
calico-system    replicaset-846bc59bdd                                         calico/kube-controllers   v3.26.3    Trivy     47m   0          0      0        0     0
default          replicaset-deathstar-8464cdd4d9-deathstar                     cilium/starwars           latest     Trivy     43m   0          0      0        0     0
metallb-system   replicaset-controller-586bfc6b59-controller                   metallb/controller        v0.13.12   Trivy     39m   0          2      8        0     0

Inspect the ConfigAuditReports with:

root@master:~/vault# kubectl get configauditreports -n default -o wide
NAME                              SCANNER     AGE   CRITICAL   HIGH   MEDIUM   LOW
replicaset-deathstar-8464cdd4d9   Starboard   72m   0          0      6        8
replicaset-nginx-54f8f9f495       Starboard   43m   0          0      6        7

Inspect the CISKubeBenchReports (one per node, produced by kube-bench) with:

root@master:~/vault# kubectl get ciskubebenchreports -o wide
NAME                        SCANNER      AGE   FAIL   WARN   INFO   PASS
master.homecluster.store    kube-bench   72m   10     47     0      68
worker1.homecluster.store   kube-bench   71m   1      33     0      19
worker2.homecluster.store   kube-bench   55m   1      33     0      19

Deploy nginx in the default namespace:

root@master:~/vault# kubectl create deployment nginx --image nginx:1.16 -n default
root@master:~/vault# kubectl get pods -n default | grep nginx
nginx-54f8f9f495-n8s6m       1/1     Running   0          47m

Verify the findings for the nginx deployment. The operator audits the ReplicaSet it creates, so the report is named after the ReplicaSet, and the JSON view lists each check with its checkID, severity and whether it passed:

root@master:~/vault# kubectl get configauditreports --all-namespaces -o wide | grep default | grep nginx
default                      replicaset-nginx-54f8f9f495                                     Starboard   48m   0          0      6        7

root@master:~/vault# kubectl get configauditreports replicaset-nginx-54f8f9f495 -n default -o json
 "report": {
        "checks": [
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV020",
                "description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.",
                "messages": [
                    "Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsUser' \u003e 10000"
                ],
                "severity": "MEDIUM",
                "success": false,
                "title": "Runs with low user ID"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV037",
                "description": "ensure that User pods are not placed in kube-system namespace",
                "severity": "MEDIUM",
                "success": true,
                "title": "User Pods should not be placed in kube-system namespace"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV024",
                "description": "HostPorts should be disallowed, or at minimum restricted to a known list.",
                "severity": "HIGH",
                "success": true,
                "title": "Access to host ports"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV003",
                "description": "The container should drop all default capabilities and add only those that are needed for its execution.",
                "messages": [
                    "Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should add 'ALL' to 'securityContext.capabilities.drop'"
                ],
                "severity": "LOW",
                "success": false,
                "title": "Default capabilities not dropped"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV013",
                "description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.",
                "severity": "LOW",
                "success": true,
                "title": "Image tag ':latest' used"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV021",
                "description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.",
                "messages": [
                    "Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsGroup' \u003e 10000"
                ],
                "severity": "MEDIUM",
                "success": false,
                "title": "Runs with low group ID"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV001",
                "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.",
                "messages": [
                    "Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.allowPrivilegeEscalation' to false"
                ],
                "severity": "MEDIUM",
                "success": false,
                "title": "Process can elevate its own privileges"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV023",
                "description": "HostPath volumes must be forbidden.",
                "severity": "MEDIUM",
                "success": true,
                "title": "hostPath volumes mounted"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV025",
                "description": "Setting a custom SELinux user or role option should be forbidden.",
                "severity": "MEDIUM",
                "success": true,
                "title": "SELinux custom options set"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV029",
                "description": "Containers should be forbidden from running with a root primary or supplementary GID.",
                "severity": "LOW",
                "success": true,
                "title": "A root primary or supplementary GID set"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV002",
                "description": "A program inside the container can bypass AppArmor protection policies.",
                "severity": "MEDIUM",
                "success": true,
                "title": "Default AppArmor profile not set"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV007",
                "description": "Managing /etc/hosts aliases can prevent the container engine from modifying the file after a pod’s containers have already been started.",
                "severity": "LOW",
                "success": true,
                "title": "hostAliases is set"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV009",
                "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.",
                "severity": "HIGH",
                "success": true,
                "title": "Access to host network"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV012",
                "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.",
                "messages": [
                    "Container 'nginx' of ReplicaSet 'nginx-54f8f9f495' should set 'securityContext.runAsNonRoot' to true"
                ],
                "severity": "MEDIUM",
                "success": false,
                "title": "Runs as root user"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV022",
                "description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.",
                "severity": "MEDIUM",
                "success": true,
                "title": "Non-default capabilities added"
            },
            {
                "category": "Kubernetes Security Check",
                "checkID": "KSV027",
                "description": "The default /proc masks are set up to reduce attack surface, and should be required.",
                "severity": "MEDIUM",
                "success": true,
                "title": "Non-default /proc masks set"
            },

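As an added example (not code from this post or from the Starboard project), the script below triages a ConfigAuditReport like the one above: it lists the failing checks by severity and turns the flagged KSV checks into a container securityContext patch. The sample report, the REMEDIATION table and the 10001 UID/GID are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample (not real cluster output): a trimmed ConfigAuditReport
# carrying the same checkIDs that the post's nginx report flags.
SAMPLE_REPORT = json.dumps({"report": {"checks": [
    {"checkID": "KSV020", "severity": "MEDIUM", "success": False},
    {"checkID": "KSV003", "severity": "LOW", "success": False},
    {"checkID": "KSV021", "severity": "MEDIUM", "success": False},
    {"checkID": "KSV001", "severity": "MEDIUM", "success": False},
    {"checkID": "KSV012", "severity": "MEDIUM", "success": False},
    {"checkID": "KSV009", "severity": "HIGH", "success": True},
]}})

# Hypothetical helper table: the container securityContext fields that
# satisfy each failing check, taken from the report's own "messages".
REMEDIATION = {
    "KSV001": {"allowPrivilegeEscalation": False},
    "KSV003": {"capabilities": {"drop": ["ALL"]}},
    "KSV012": {"runAsNonRoot": True},
    "KSV020": {"runAsUser": 10001},
    "KSV021": {"runAsGroup": 10001},
}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def failed_checks(report_json):
    """Return the failing checks, most severe first, then by checkID."""
    checks = json.loads(report_json)["report"]["checks"]
    failed = [c for c in checks if not c["success"]]
    return sorted(failed, key=lambda c: (SEVERITY_ORDER.get(c["severity"], 9),
                                         c["checkID"]))

def severity_counts(report_json):
    """Count failing checks per severity, like the -o wide columns."""
    return dict(Counter(c["severity"] for c in failed_checks(report_json)))

def security_context_patch(report_json, container="nginx"):
    """Build a strategic-merge patch body for `kubectl patch deployment`."""
    ctx = {}
    for c in failed_checks(report_json):
        ctx.update(REMEDIATION.get(c["checkID"], {}))
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container, "securityContext": ctx}]}}}}

if __name__ == "__main__":
    print(severity_counts(SAMPLE_REPORT))  # {'MEDIUM': 4, 'LOW': 1}
    print(json.dumps(security_context_patch(SAMPLE_REPORT), indent=2))
```

Feed it a real report from `kubectl get configauditreports <name> -o json` and apply the result with `kubectl patch deployment nginx --type strategic -p '<patch json>'`; note that the stock nginx image starts its master process as root, so runAsNonRoot requires an unprivileged nginx variant (or a non-privileged listen port) before the pod will start.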
Enhancing Security Workflows
The integration of Starboard into your Kubernetes environment enhances security workflows by providing actionable insights. Security teams can use the reports generated by Starboard to identify and mitigate risks, ensuring a robust security posture.

Conclusion
As organizations continue to embrace Kubernetes for container orchestration, securing these environments becomes paramount. The Starboard Operator, with its container image scanning, Kubernetes resource checks and CIS benchmark reports, is a valuable addition to the Kubernetes security toolkit. Because it runs in the cluster and publishes its findings as custom resources, Starboard fits into existing workflows and lets users address security concerns proactively, fortifying their Kubernetes deployments against potential threats. Consider integrating Starboard into your Kubernetes security strategy to strengthen the defense of your containerized applications.