DEV Community

Shubham

K8s Plugins For Solid Security

Kubernetes simplifies building and deploying apps via containerization, but securing your pods and containers is a different challenge.

Kubernetes provides only basic IP-based networking security for each pod; securing a cluster also requires network policies, access policies for individual pods, RBAC, namespace access policies, and so on.

However, many open-source tools and plugins can help manage these issues.

Let's explore some of the most useful ones:


1. kube-bench (⭐: 6,977 +)
kube-bench is a tool that checks Kubernetes clusters for compliance with security best practices, based on the CIS Kubernetes Benchmark. It helps identify vulnerabilities and misconfigurations, providing detailed reports for remediation.

  • YAML-based test configuration allows easy updates as specs evolve.

  • kube-bench auto-selects tests for the node's Kubernetes version.

2. Stern (⭐: 3,265 +)
Stern allows you to tail multiple pods and containers in Kubernetes, with color-coded log results for faster debugging.

  • Selects pods by regular expression, so you don't need exact pod names.

  • Tails all containers of a pod by default, but you can restrict it with the `--container` flag.

  • Auto-removes deleted pods, and adds new ones as created.

3. kube-score (⭐: 2,750 +)
kube-score is a tool that performs static analysis of your Kubernetes object definitions, checking them against best practices to ensure proper configuration.

  • Evaluates resource definitions like Deployments, Services, and Ingresses for misconfigurations.

  • Supports CRD validation, checks labels, resource limits, and other key configs.

  • Provides a score based on best practices and highlights issues.

4. KubiScan (⭐: 1,313 +)
KubiScan is a tool for scanning Kubernetes clusters for risky permissions in the RBAC authorization model.

  • Identify risky Pods/Containers
  • Identify risky Roles/ClusterRoles
  • Identify risky RoleBindings/ClusterRoleBindings
  • Identify risky Subjects (Users, Groups and ServiceAccounts)
  • Dump tokens from pods (all or by namespace)
  • CVE scan
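As an added example (not KubiScan's own code), here is a small KubiScan-style check over constructed Role/RoleBinding objects: it resolves each binding's roleRef and flags subjects whose role grants wildcard access or a verb/resource pair such as get on secrets or create on pods/exec. The list of risky pairs is an assumption; adapt it to your own policy.

```python
"""KubiScan-style risky-RBAC check over constructed objects (added example)."""

# Constructed sample objects shaped like rbac.authorization.k8s.io/v1 resources.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "log-viewer", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "exec-into-pods", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-logs", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "log-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-exec", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "exec-into-pods"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

# Assumed risk list: pairs that expose credentials, code execution or escalation paths.
RISKY = {("secrets", "get"), ("secrets", "list"), ("pods/exec", "create"),
         ("pods", "create"), ("clusterrolebindings", "create"),
         ("rolebindings", "create"), ("users", "impersonate"),
         ("serviceaccounts", "impersonate")}


def risky_reasons(rule):
    """Return human-readable reasons why a single RBAC rule is risky (empty if benign)."""
    resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
    if "*" in resources and "*" in verbs:
        return ["wildcard resources and verbs"]
    return [f"{r}:{v}" for r, v in sorted(RISKY)
            if (r in resources or "*" in resources) and (v in verbs or "*" in verbs)]


def scan(roles, bindings):
    """Map each bound subject to the risky grants it receives via its bindings."""
    by_key = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
              for r in roles}
    findings = {}
    for b in bindings:
        ref = b["roleRef"]
        # A ClusterRole has no namespace; a Role lives in the binding's namespace.
        ns = None if ref["kind"] == "ClusterRole" else b["metadata"].get("namespace")
        role = by_key.get((ref["kind"], ns, ref["name"]))
        reasons = [x for rule in (role or {}).get("rules", []) for x in risky_reasons(rule)]
        for s in b["subjects"] if reasons else []:
            key = "/".join(p for p in (s["kind"], s.get("namespace"), s["name"]) if p)
            findings.setdefault(key, []).extend(f'{ref["name"]}: {r}' for r in reasons)
    return findings
```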

5. Rakkess (⭐: 1,300 +)
Rakkess is a kubectl plugin designed to show an access matrix for Kubernetes server resources, helping visualize and audit permissions.

  • Shows who can access Kubernetes resources and their actions.
  • Audits RBAC permissions for users, groups, and service accounts in a clear matrix view.
  • Supports CI/CD integration for continuous RBAC audits.

Remember, we are only as strong as the weakest link.
