K8s Plugins For Solid Security

Kubernetes simplifies building and deploying apps via containerization, but securing your pods and containers is a different challenge.

Kubernetes provides basic IP-based security for each pod, but securing your clusters requires more—network policies, access policies for individual pods, RBAC, namespace access policies, and so on.

However, many open-source tools and plugins can help manage these issues.

Let's explore some of the most useful ones:

1. Kube bench (⭐: 6,977 +)
Kube-bench is a tool that checks Kubernetes clusters for compliance with security best practices, based on the CIS Kubernetes Benchmark. It helps identify vulnerabilities and misconfigs, providing detailed reports for remediation.

• YAML-based test configuration allows easy updates as specs evolve.

• kube-bench auto-selects tests for the node's Kubernetes version.

2. Stern (⭐: 3,265 +)
Stern allows you to tail multiple pods and containers in Kubernetes, with color-coded log results for faster debugging.

• Filters pods with regex or /, no exact pod IDs needed.

• Tails all pod containers by default, but you can limit with the container flag.

• Auto-removes deleted pods, and adds new ones as created.

3. Kubescore (⭐: 2,750 +)
Kube-score is a tool that performs static code analysis of your Kubernetes object definitions, checking them against best practices to ensure proper configurations.

• Evaluates resource definitions like Deployments, Services, and Ingresses for misconfigs.

• Supports CRD validation, checks labels, resource limits, and other key configs.

• Provides a score based on best practices and highlights issues.

4. Kubiscan (⭐: 1,313 +)
KubiScan is a tool for scanning Kubernetes clusters for risky permissions in the RBAC authorization model.

• Identify risky Pods\Containers
• Identify risky Roles\ClusterRoles
• Identify risky RoleBindings\ClusterRoleBindings
• Identify risky Subjects (Users, Groups and ServiceAccounts)
• Dump tokens from pods (all or by namespace)
• CVE scan

5. Rakkess (⭐: 1,300 +)
Rakkess is a kubectl plugin designed to show an access matrix for Kubernetes server resources, helping visualize and audit permissions.

• Shows who can access Kubernetes resources and their actions.
• Audits RBAC permissions for users, groups, and service accounts in a clear matrix view.
• Supports CI/CD integration for continuous RBAC audits.

Remember, we are only as strong as the weakest link.