Notes from trying out kubesec. When people say "kubesec", the better-known project is probably shyiko/kubesec, which encrypts Secret manifests, but this is about controlplaneio/kubesec.
Installation
It can be installed in any of the following forms:
- container image
- binary
- admission controller
- kubectl plugin
It is also available as a SaaS.
Here I downloaded the binary and placed it in a directory on my PATH.
Running
Create a simple manifest to scan.
k create deploy nginx --image=nginx --dry-run=client -o yaml > nginx.yaml
Scan it. The items that are checked are described in the documentation.
$ kubesec scan nginx.yaml
[
  {
    "object": "Deployment/nginx.default",
    "valid": true,
    "fileName": "nginx.yaml",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        },
        {
          "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1
        },
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsCPU",
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1
        },
        {
          "id": "CapDropAll",
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1
        },
        {
          "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1
        },
        {
          "id": "RunAsUser",
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1
        }
      ]
    }
  }
]
There does not seem to be an option to specify which checks are run.
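Since the scan output is JSON, the check selection can be done after the fact: the script below (an added example, not part of the original post and not kubesec's own code) filters the "advise" list down to a set of check IDs you require and enforces a minimum score, which is how one would gate a CI pipeline on it. The sample output, the "nginx-hardened" object and the file name kubesec_gate.py are constructed for the example.

```python
import json

# Constructed sample, not captured output: an abbreviated copy of the
# "kubesec scan nginx.yaml" result shown above, plus a hypothetical second
# object standing in for a hardened manifest that scored 7 points.
SAMPLE_OUTPUT = r"""
[
  {"object": "Deployment/nginx.default", "valid": true, "fileName": "nginx.yaml",
   "message": "Passed with a score of 0 points", "score": 0,
   "scoring": {"advise": [
     {"id": "ServiceAccountName", "selector": ".spec .serviceAccountName", "points": 3},
     {"id": "ReadOnlyRootFilesystem", "selector": "containers[] .securityContext .readOnlyRootFilesystem == true", "points": 1},
     {"id": "RunAsNonRoot", "selector": "containers[] .securityContext .runAsNonRoot == true", "points": 1},
     {"id": "CapDropAll", "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")", "points": 1}
   ]}},
  {"object": "Deployment/nginx-hardened.default", "valid": true, "fileName": "nginx-hardened.yaml",
   "message": "Passed with a score of 7 points", "score": 7,
   "scoring": {"advise": [
     {"id": "ServiceAccountName", "selector": ".spec .serviceAccountName", "points": 3}
   ]}}
]
"""

# Checks we refuse to deploy without; other advise entries are reported but not fatal.
REQUIRED_CHECKS = {"RunAsNonRoot", "ReadOnlyRootFilesystem", "CapDropAll"}

def evaluate(scan_json: str, min_score: int, required: set) -> dict:
    """Per scanned object: score, unmet required checks, and a pass/fail verdict."""
    results = {}
    for obj in json.loads(scan_json):
        scoring = obj.get("scoring", {})
        # kubesec lists recommended hardening under "advise"; dangerous settings
        # (privileged containers etc.) go under "critical" with negative points.
        advised = {a["id"] for a in scoring.get("advise", [])}
        critical = {c["id"] for c in scoring.get("critical", [])}
        unmet = sorted((advised | critical) & required)
        passed = (bool(obj.get("valid")) and obj["score"] >= min_score
                  and not unmet and not critical)
        results[obj["object"]] = {"score": obj["score"], "unmet": unmet, "passed": passed}
    return results

if __name__ == "__main__":
    import sys
    # Usage: kubesec scan nginx.yaml | python kubesec_gate.py   (no stdin: uses the sample)
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = evaluate(data, min_score=5, required=REQUIRED_CHECKS)
    for name, r in report.items():
        print(f"{name}: {'PASS' if r['passed'] else 'FAIL'} score={r['score']} unmet={r['unmet']}")
    sys.exit(0 if all(r["passed"] for r in report.values()) else 1)
```

The exit status makes the script usable directly as a pipeline step: the unhardened nginx Deployment fails (score 0, three required checks unmet), while the hypothetical hardened one passes.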