Kube-Beacon Project
Scan your kubernetes runtime !!
Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.
The audit tests are the full implementation of CIS Kubernetes Benchmark specification
NEW !! audit result now can be leveraged as webhook via user plugin(using go plugin)
Audit checks are performed on master and worker nodes and the output audit report include :
- root cause of the security issue
- proposed remediation for security issue
kubernetes cluster audit scan output:
- Installation
- Quick Start
- Kube-beacon as Docker
- Kube-beacon as pod in k8s
- User Plugin Usage
- Next steps
Installation
git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
- Note: kube-beacon require root user to be executed
Quick Start
Execute kube-eacon without any flags , execute all tests
./kube-beacon
Execute kube-beacon with flags , execute test on demand
Usage: kube-Beacon [--version] [--help] <command> [<args>]
Available commands are:
-r , --report : run audit tests and generate failure report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-n , --node: execute audit tests on specific node, example -n=master,-n=worker
-s , --spec: execute specific audit tests spec, example -s=gke, default=k8s
-v , --version: execute specific audit tests spec version, example -v=1.1.0,default=1.6.0
Execute tests and generate failure tests report
./kube-beacon -r
Kube-beacon as pod in k8s
-
Execute kube beacon as a pod in k8s cluster
-
Add cluster role binding with role=cluster-admin
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
cd jobs
- simple k8s cluster run following job
kubectl apply -f k8s.yaml
- gke cluster run the following job
kubectl apply -f gke.yaml
- Check k8s pod status
kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default kube-beacon-sc8g9 0/1 Completed 0 111s
kube-system event-exporter-gke-8489df9489-skcvv 2/2 Running 0 7m24s
kube-system fluentd-gke-7d5sl 2/2 Running 0 7m6s
kube-system fluentd-gke-f6q5d 2/2 Running 0 6m59s
- Check k8s pod audit output
kubectl logs kube-beacon-sc8g9
- cleanup (remove role and delete pod)
kubectl delete clusterrolebinding default-admin
kubectl delete -f k8s.yaml
User Plugin Usage
The Kube-Beacon expose hook for user plugins Example :
- K8sBenchAuditResultHook - this hook accepts audit benchmark results as found by audit report
Compile user plugin
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
Copy plugin to folder (.beacon folder is created on the 1st startup)
cp /<plugin folder>/bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so
Note: Plugin and binary must compile with the same linux env
Next steps
- Add support for Amazon EKS scanning