Notes from trying out Alcide sKan.
Installation
Download the binary and put it in a directory on your PATH.
Running it
Create a simple manifest.
k create deploy nginx --image=nginx --dry-run=client -o yaml > nginx.yaml
Run the scan.
$ skan manifest --report-passed -f nginx.yaml
[skan-this] Analyzing resources from '1' files/directories.
[skan-this] Loaded '1' objects
[skan-this] Ops Conformance | Workload Readiness & Liveness
[skan-this] Ops Conformance | Workload Capacity Planning
[skan-this] Workload Software Supply Chain | Image Registry Whitelist
[skan-this] Ingress Controllers & Services | Ingress Security & Hardening Configuration
[skan-this] Ingress Controllers & Services | Ingress Controller (nginx)
[skan-this] Ingress Controllers & Services | Service Resource Checks
[skan-this] Pod Security | Workload Hardening
[skan-this] Secret Hunting | Find Secrets in ConfigMaps
[skan-this] Secret Hunting | Find Secrets in Pod Environment Variables
[skan-this] Admission Controllers | Validating Admission Controllers
[skan-this] Admission Controllers | Mutating Admission Controllers
[skan-this] Generating report (html) and saving as 'skan-result.html'
[skan-this] Summary:
[skan-this] Critical .... 0
[skan-this] High ........ 4
[skan-this] Medium ...... 6
[skan-this] Low ......... 0
[skan-this] Pass ........ 6
An HTML report file is also generated, so the results can be viewed in a browser.
open skan-result.html
skan manifest --report-passed -f nginx.yaml -o json --outputfile skan-result.json
skan manifest --report-passed -f nginx.yaml -o yaml --outputfile skan-result.yaml
AdvisorReportHeader:
  CreationTimeStamp: "2021-05-12T13:46:44+09:00"
  Info: nginx.yaml
  MSTimeStamp: 1620794804433
  ReportUID: 47155860-7de8-449f-b9d2-699fc0e2c754
  ScannerVersion: .
Reports:
  Ops Conformance:
    ResourceKind: Ops Conformance
    ResourceName: Ops Conformance
    ResourceNamespace: KubeAdvisor
    ResourceUID: dops.1
    Results:
    - Action: Alert
      Category: Ops Conformance
      Check:
        CheckId: "1"
        CheckTitle: Liveness Probe Configured
        GroupId: "1"
        GroupTitle: Workload Readiness & Liveness
        ModuleId: dops.1
        ModuleTitle: Ops Conformance
      CheckId: dops.1.1.1.1667744901853394230
      Message: '''Deployment.apps nginx'', is missing at least one Liveness Probe - '
      Platform: Kubernetes
      Recommendation: Deployment nginx - Configure liveness probe for your pod containers to ensure Pod liveness is managed and monitored by Kubernetes
      References:
      - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: dops.1.1.1.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
    - Action: Alert
      Category: Ops Conformance
      Check:
        CheckId: "2"
        CheckTitle: Readiness Probe Configured
        GroupId: "1"
        GroupTitle: Workload Readiness & Liveness
        ModuleId: dops.1
        ModuleTitle: Ops Conformance
      CheckId: dops.1.1.2.1667744901853394230
      Message: '''Deployment.apps nginx'', is missing at least one Readiness Probe - '
      Platform: Kubernetes
      Recommendation: Deployment nginx - Configure readiness probe for your pod containers to ensure Pod enter a ready state at the right time and stage
      References:
      - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: dops.1.1.2.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
    - Action: Alert
      Category: Ops Conformance
      Check:
        CheckId: "1"
        CheckTitle: CPU Limit & Request
        GroupId: "2"
        GroupTitle: Workload Capacity Planning
        ModuleId: dops.1
        ModuleTitle: Ops Conformance
      CheckId: dops.1.2.1.1667744901853394230
      Message: '''Deployment.apps nginx'', is missing a CPU request or limits definitions'
      Platform: Kubernetes
      Recommendation: Deployment nginx - Configure CPU limit or CPU request to help Kubernetes scheduler have better resource centric scheduling decisions
      References:
      - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: dops.1.2.1.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    - Action: Alert
      Category: Ops Conformance
      Check:
        CheckId: "2"
        CheckTitle: Memory Limit & Request
        GroupId: "2"
        GroupTitle: Workload Capacity Planning
        ModuleId: dops.1
        ModuleTitle: Ops Conformance
      CheckId: dops.1.2.2.1667744901853394230
      Message: '''Deployment.apps nginx'', is missing Memory request or limits definitions'
      Platform: Kubernetes
      Recommendation: Deployment nginx - Configure memory limit or memory request to help Kubernetes scheduler have better resource centric scheduling decisions
      References:
      - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: dops.1.2.2.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  Pod Security:
    ResourceKind: Workload Hardening
    ResourceName: Pod Security
    ResourceNamespace: KubeAdvisor
    ResourceUID: psec.1
    Results:
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "1"
        CheckTitle: Host Namespace Isolation
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.1.1667744901853394230
      Message: '''Deployment.apps nginx'', Modifying the default Pod namespace isolation allows the processes in a pod to run as if they were running natively on the host.'
      Platform: Pod
      Recommendation: Deployment nginx - Set the following Pod attributes 'hostNetwork', 'hostIPC', 'hostPID' to false.
      References:
      - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.1.1667744901853394230@1667744901853394230
      Severity: Pass
      Url: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "3"
        CheckTitle: Privileged Containers
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.3.1667744901853394230
      Message: "The container(s) ''\n\t\t\t\t\t\t\t \n has 'privileged' set to true in the SecurityContext."
      Platform: Pod
      Recommendation: Deployment nginx - Set the 'Privileged' attribute in the Pod's container configuration to 'false'
      References:
      - https://kubernetes.io/docs/concepts/policy/security-context/
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.3.1667744901853394230@1667744901853394230
      Severity: Pass
      Url: https://kubernetes.io/docs/concepts/policy/security-context/,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "4"
        CheckTitle: High risk host file system mounts
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.4.1667744901853394230
      Message: '''Deployment.apps nginx'', mounts host directories that may impose higher risk level to the worker node - '''''
      Platform: Pod
      Recommendation: Deployment nginx - Adjust host volume mounts to comply with the blacklist, add an exception for this resource or use PodSecurityPolicy to deny admission for such workloads
      References:
      - https://kubernetes.io/docs/concepts/policy/pod-security-policy/
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.4.1667744901853394230@1667744901853394230
      Severity: Pass
      Url: https://kubernetes.io/docs/concepts/policy/pod-security-policy/,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "5"
        CheckTitle: Non-Root Containers
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.5.1667744901853394230
      Message: "Force Kubernetes to run containers as a non-root user to ensure least privilege - see container(s): 'nginx'\n\t\t\t\t\t\t\t \n \ "
      Platform: Pod
      Recommendation: Deployment nginx - The attribute 'runAsNonRoot' indicates whether the Kubernetes node agent will validate that the container images run as non-root. Container level security context settings are applied to the specific container and override settings made at the pod level where there is overlap
      References:
      - https://kubernetes.io/docs/concepts/policy/security-context/
      - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.5.1667744901853394230@1667744901853394230
      Severity: High
      Url: https://kubernetes.io/docs/concepts/policy/security-context/,https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "6"
        CheckTitle: Immutable Containers
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.6.1667744901853394230
      Message: "An immutable root filesystem can prevent malicious binaries being added or overwrite existing binaries - container(s): 'nginx'\n\t\t\t\t\t\t\t \ \n "
      Platform: Pod
      Recommendation: Deployment nginx - An immutable root filesystem prevents applications from writing to their local storage. In an exploit or intrusion event the attacker will not be able to tamper with the local filesystem or write foreign executables to disk. Set 'readOnlyRootFilesystem' to 'true' in your container securityContext
      References:
      - https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.6.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "7"
        CheckTitle: Run Container As User
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.7.1667744901853394230
      Message: "Set the user id to run the container process. This is the user id of the first process in the container - container(s): 'nginx'\n\t\t\t\t\t\t\t \ \n "
      Platform: Pod
      Recommendation: Deployment nginx - Set the user id > 10000 and run the container with user id that differ from any host user id. This setting can be configured using Pod SecurityContext for all containers and initContainers
      References:
      - https://kubernetes.io/docs/concepts/policy/security-context/
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.7.1667744901853394230@1667744901853394230
      Severity: Medium
      Url: https://kubernetes.io/docs/concepts/policy/security-context/,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "9"
        CheckTitle: Service Account Automount
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.9.1667744901853394230
      Message: '''Deployment.apps nginx'' - automountServiceAccountToken is not set to ''false'' in your Pod Spec. Consider reducing Kubernetes API Server access surface by disabling automount of service account. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace'
      Platform: Pod
      Recommendation: Deployment nginx - Set automountServiceAccountToken is to 'false' in your Pod Spec. Following on the least privileges principle - if your Pod require no access to Kubernetes API Server, avoid the default behavior, by disabling the automatic provisioning of service access token.
      References:
      - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
      - https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.9.1667744901853394230@1667744901853394230
      Severity: High
      Url: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/,https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "10"
        CheckTitle: Container Capabilities
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.10.1667744901853394230
      Message: '''Deployment.apps nginx'' - ''In container(s) ''nginx'' capabilities that should be dropped ''audit_write,chown,dac_override,fowner,fsetid,kill,mknod,net_bind_service,net_raw,net_broadcast,setfcap,setgid,setuid,setpcap,sys_chroot,sys_module,sys_boot,sys_time,sys_resource,ipc_lock,ipc_owner,sys_ptrace,block_suspend'' or ''ALL'' and capabilities that one should avoid adding '''' '''
      Platform: Pod
      Recommendation: Deployment nginx - Review your resource security configuration, and specifically the securityContext of the various containers defined in it. If this is the intended behavior you can add this resource to check exception list
      References:
      - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
      - https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities
      - https://github.com/alcideio/advisor/tree/master/examples
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.10.1667744901853394230@1667744901853394230
      Severity: High
      Url: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/,https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities,https://github.com/alcideio/advisor/tree/master/examples
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "11"
        CheckTitle: Do Not Run Pods on Master Nodes
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.11.1667744901853394230
      Message: '''Deployment.apps nginx'', The Kubernetes master nodes are the control nodes of the entire cluster. Therefore, only certain items should be permitted to run on these nodes. To effectively limit what can run on these nodes, taints are placed on the nodes.If you encounter the toleration below on a Pod specification in one of your deployment resources, and your cluster is self-managed, it should be explicitly granted'
      Platform: Pod
      Recommendation: Deployment nginx - If you encounter the toleration 'node-role.kubernetes.io/master:NoSchedule' on a Pod specification in one of your deployment resources, and your cluster is self-managed, it should be explicitly granted by adding the resource to the exception list
      References:
      - https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.11.1667744901853394230@1667744901853394230
      Severity: Pass
      Url: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
    - Action: Alert
      Category: Workload Hardening
      Check:
        CheckId: "12"
        CheckTitle: Container ProcMount Configuration
        GroupId: "1"
        GroupTitle: Workload Hardening
        ModuleId: psec.1
        ModuleTitle: Pod Security
      CheckId: psec.1.1.12.1667744901853394230
      Message: '''Deployment.apps nginx'' - procMount is set to Unmasked. Consider changing this to DefaultProcMount which uses the container runtime defaults for readonly and masked paths for /proc.'
      Platform: Pod
      Recommendation: Deployment nginx - Remove the Unmasked procMount configuration in the PodSecurityContext or the SecurityContext of any of the containers.
      References:
      - https://kubernetes.io/docs/concepts/policy/pod-security-policy/
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: psec.1.1.12.1667744901853394230@1667744901853394230
      Severity: Pass
      Url: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  Secret Hunting:
    ResourceKind: Secret
    ResourceName: Secret Hunting
    ResourceNamespace: KubeAdvisor
    ResourceUID: scrt.1
    Results:
    - Action: Alert
      Category: Secret
      Check:
        CheckId: "1"
        CheckTitle: Scan PodSpec Environment Variable
        GroupId: "2"
        GroupTitle: Find Secrets in Pod Environment Variables
        ModuleId: scrt.1
        ModuleTitle: Secret Hunting
      CheckId: scrt.1.2.1.1667744901853394230
      Message: 'This check hunts for secrets, api keys and passwords that may have been misplaced in environment variables. Check for - '
      Platform: Secret
      Recommendation: Deployment nginx - If check fails, you should consider using Secret resource instead of storing secrets in environment variables
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: scrt.1.2.1.1667744901853394230@1667744901853394230
      Severity: Pass
  Workload Software Supply Chain:
    ResourceKind: Cluster
    ResourceName: Workload Software Supply Chain
    ResourceNamespace: KubeAdvisor
    ResourceUID: sply.1
    Results:
    - Action: Alert
      Category: Cluster
      Check:
        CheckId: "1"
        CheckTitle: Container Image Registry Supply Chain Hygiene
        GroupId: "1"
        GroupTitle: Image Registry Whitelist
        ModuleId: sply.1
        ModuleTitle: Workload Software Supply Chain
      CheckId: sply.1.1.1.1667744901853394230
      Message: Verify that the container image(s) used by 'Deployment.apps nginx' provisioned from whitelisted registries - 'nginx in container nginx'
      Platform: Kubernetes
      Recommendation: Deployment nginx - Add the image registries to the scan profile or push the images to one of the whitelisted registry
      References:
      - https://kubernetes.io/docs/concepts/containers/images
      Resource:
        Group: apps
        Kind: Deployment
        Labels:
          app: nginx
        Name: nginx
        Version: v1
      ResultUID: sply.1.1.1.1667744901853394230@1667744901853394230
      Severity: High
      Url: https://kubernetes.io/docs/concepts/containers/images
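The report above boils down to a handful of Deployment fields. The following Python script is an added example, not part of sKan or of the original memo: it re-implements the ten checks that fired or passed on the bare manifest (probes, CPU/memory requests, runAsNonRoot, readOnlyRootFilesystem, runAsUser, automountServiceAccountToken, dropped capabilities, registry allowlist) as plain functions over the Deployment as a dict, so you can see which field each finding maps to, and builds a hardened copy that clears them all. The dict form of the bare manifest is constructed to match what `kubectl create deploy nginx --image=nginx --dry-run=client` emits; the allowed registry `registry.example.com`, the uid 10001, the probe ports and the `nginxinc/nginx-unprivileged` image are assumptions for the example and are not sKan settings.

```python
"""Plain-Python re-implementation of the checks sKan reported for nginx.yaml."""
import copy

# Constructed dict form of the bare Deployment produced by
# `kubectl create deploy nginx --image=nginx --dry-run=client -o yaml`.
BARE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx", "labels": {"app": "nginx"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx", "resources": {}}]},
        },
    },
}

# Assumed policy values for this example; sKan reads its registry list from the scan profile.
ALLOWED_REGISTRIES = {"registry.example.com"}
MIN_UID = 10000  # the report recommends a user id > 10000


def image_registry(image):
    """Return the registry of an image reference; a bare name such as 'nginx' means docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_deployment(deploy, allowed=ALLOWED_REGISTRIES):
    """Return (severity, check title) findings using the titles and severities from the report."""
    pod = deploy["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    if pod.get("automountServiceAccountToken") is not False:
        findings.append(("High", "Service Account Automount"))
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        if "livenessProbe" not in c:
            findings.append(("Medium", "Liveness Probe Configured"))
        if "readinessProbe" not in c:
            findings.append(("Medium", "Readiness Probe Configured"))
        if "cpu" not in req and "cpu" not in lim:
            findings.append(("Medium", "CPU Limit & Request"))
        if "memory" not in req and "memory" not in lim:
            findings.append(("Medium", "Memory Limit & Request"))
        # Container-level securityContext overrides the pod-level one where both are set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(("High", "Non-Root Containers"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("Medium", "Immutable Containers"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None or uid <= MIN_UID:
            findings.append(("Medium", "Run Container As User"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("High", "Container Capabilities"))
        if image_registry(c["image"]) not in allowed:
            findings.append(("High", "Container Image Registry Supply Chain Hygiene"))
    return findings


def severity_counts(findings):
    """Count findings per severity, like the Summary block skan prints."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def hardened(deploy):
    """Return a copy of the Deployment with every recommendation from the report applied."""
    d = copy.deepcopy(deploy)
    pod = d["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001}
    # Writable scratch space so the root filesystem can be read-only.
    pod["volumes"] = [{"name": "cache", "emptyDir": {}}, {"name": "run", "emptyDir": {}}]
    for c in pod["containers"]:
        # Assumed: the unprivileged nginx image (listens on 8080) mirrored into the allowed registry.
        c["image"] = "registry.example.com/nginxinc/nginx-unprivileged:stable"
        c["resources"] = {"requests": {"cpu": "100m", "memory": "64Mi"},
                          "limits": {"cpu": "500m", "memory": "128Mi"}}
        c["livenessProbe"] = {"httpGet": {"path": "/", "port": 8080}}
        c["readinessProbe"] = {"httpGet": {"path": "/", "port": 8080}}
        c["securityContext"] = {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}}
        c["volumeMounts"] = [{"name": "cache", "mountPath": "/var/cache/nginx"},
                             {"name": "run", "mountPath": "/var/run"}]
    return d


if __name__ == "__main__":
    print("bare:", severity_counts(check_deployment(BARE)))        # {'High': 4, 'Medium': 6}
    print("hardened:", check_deployment(hardened(BARE)))           # []
```

The bare manifest yields the same 4 High / 6 Medium split as the real scan. Note that the hardened settings would break the stock `nginx` image, which binds port 80 as root and writes under `/var/cache/nginx` and `/var/run`; that is why the example swaps in the unprivileged variant and mounts emptyDir volumes for the writable paths. Dropping capabilities or setting `readOnlyRootFilesystem` without that adjustment is the most common reason a "fixed" workload fails to start.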
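Once the report is written with `-o json --outputfile`, the natural next step is to consume it from a pipeline. The script below is an added example, not sKan's own tooling: it walks the same structure the YAML report above shows (`Reports` → module → `Results` → `Severity`, `Check.CheckTitle`, `Resource`, `Recommendation`), prints the per-severity summary, lists findings at or above a chosen severity worst-first, and exits non-zero when any are present. The embedded report is a constructed three-result sample in that shape, used so the script runs offline; the assumption is that the JSON output mirrors the YAML field names.

```python
"""Summarise a sKan JSON report and fail a pipeline when findings reach a threshold."""
import json
import sys

# Ranking used for the gate; "Pass" is a check that ran and did not fire.
SEVERITY_RANK = {"Pass": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample mirroring the report structure shown above (a real report
# carries one entry per check; only three are included here).
SAMPLE_REPORT = json.dumps({
    "AdvisorReportHeader": {"Info": "nginx.yaml"},
    "Reports": {
        "Ops Conformance": {"Results": [
            {"Severity": "Medium",
             "Check": {"CheckTitle": "Liveness Probe Configured"},
             "Resource": {"Kind": "Deployment", "Name": "nginx"},
             "Recommendation": "Configure liveness probe for your pod containers"},
        ]},
        "Pod Security": {"Results": [
            {"Severity": "High",
             "Check": {"CheckTitle": "Non-Root Containers"},
             "Resource": {"Kind": "Deployment", "Name": "nginx"},
             "Recommendation": "Set runAsNonRoot to true"},
            {"Severity": "Pass",
             "Check": {"CheckTitle": "Privileged Containers"},
             "Resource": {"Kind": "Deployment", "Name": "nginx"},
             "Recommendation": "Set the 'Privileged' attribute to 'false'"},
        ]},
    },
})


def iter_results(report):
    """Yield (module name, result dict) for every result in every module."""
    for module, body in report.get("Reports", {}).items():
        for result in body.get("Results", []):
            yield module, result


def summarize(report):
    """Count results per severity, matching the Summary block skan prints."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for _, result in iter_results(report):
        sev = result.get("Severity", "Pass")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def findings_at_or_above(report, threshold):
    """Return (module, result) pairs whose severity reaches the threshold, worst first."""
    min_rank = SEVERITY_RANK[threshold]
    hits = [(m, r) for m, r in iter_results(report)
            if SEVERITY_RANK.get(r.get("Severity", "Pass"), 0) >= min_rank]
    hits.sort(key=lambda mr: -SEVERITY_RANK.get(mr[1].get("Severity", "Pass"), 0))
    return hits


def gate(report_text, threshold="High"):
    """Return (exit code, report lines); exit code 1 when any finding reaches the threshold."""
    report = json.loads(report_text)
    lines = []
    for module, r in findings_at_or_above(report, threshold):
        res = r.get("Resource", {})
        lines.append(f"[{r['Severity']}] {module} / {r['Check']['CheckTitle']} "
                     f"on {res.get('Kind')}/{res.get('Name')}: {r.get('Recommendation')}")
    return (1 if lines else 0), lines


if __name__ == "__main__":
    # Usage: python gate.py skan-result.json [High|Medium|Low]; no argument runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "High"
    code, lines = gate(text, threshold)
    print("\n".join(lines) or f"no findings at or above {threshold}")
    print("summary:", summarize(json.loads(text)))
    sys.exit(code)
```

Gating on High keeps the pipeline strict about the findings that matter most (root containers, automounted service account tokens, un-dropped capabilities, images from unapproved registries) while letting a team burn down the Medium backlog on its own schedule; lowering the threshold later is a one-argument change.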