sysdiglabs / Kube Psp Advisor

Licence: apache-2.0
Help building an adaptive and fine-grained pod security policy

Kube PodSecurityPolicy Advisor

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).

It has two subcommands, kube-psp-advisor inspect and kube-psp-advisor convert. inspect connects to a K8s API server, scans the security context of the workloads in a given namespace or in the entire cluster, and generates a PSP based on what it finds. convert works without connecting to an API server: it reads a single .yaml file containing an object with a pod spec and generates a PSP based on that file.

Installation as a Krew Plugin

Follow the instructions to install krew. Then run the following command:

kubectl krew install advise-psp

The plugin will be available as kubectl advise-psp.

Build and Run locally

  1. make build
  2. ./kube-psp-advisor inspect to generate a Pod Security Policy based on the running cluster configuration
    • 2.1 ./kube-psp-advisor inspect --report to print the detailed report (why this PSP is recommended for the cluster)
    • 2.2 ./kube-psp-advisor inspect --grant to print PSPs, roles and rolebindings for service accounts (refer to psp-grant.yaml)
    • 2.3 ./kube-psp-advisor inspect --namespace=<ns> to print the report or PSP(s) for a given namespace (defaults to all namespaces)
  3. ./kube-psp-advisor convert --podFile <path> --pspFile <path> to generate a PSP from a single .yaml file.

Build and Run as Container

  1. docker build -t <Image Name> -f container/Dockerfile .
  2. docker run -v ~/.kube:/root/.kube -v ~/.aws:/root/.aws <Image Name> (mounting the .aws folder is optional and depends on your cloud provider)

Use Cases

  1. Verify the Deployment and DaemonSet settings in a cluster and plan how to reduce unnecessary privileges and resources
  2. Apply a Pod Security Policy to the target cluster
  3. Use the --namespace=<namespace> flag to debug and narrow down the security context per namespace

Attributes Aggregated for Pod Security Policy

  • allowPrivilegeEscalation
  • allowedCapabilities
  • allowedHostPaths
    • readOnly
  • hostIPC
  • hostNetwork
  • hostPID
  • privileged
  • readOnlyRootFilesystem
  • runAsUser
  • runAsGroup
  • Volume
  • hostPorts
  • allowedUnsafeSysctls
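The attributes above are aggregated by folding every workload's security context into the union of what it requests: a host namespace or the privileged flag ends up allowed in the PSP if any workload sets it, while capabilities, hostPath prefixes and volume types are collected as deduplicated sets. The Go program below is an added illustration of that aggregation and is not code from kube-psp-advisor itself. It runs over a few constructed workloads modelled on the psp-test namespace of the sample report further down, and also produces a per-attribute list of which workloads forced each setting (the question the --report flag answers). The Workload, Container, Volume and PSPSummary types, the SampleWorkloads input and the rule that runAsUser tightens to MustRunAsNonRoot only when every container pins a non-zero UID are this example's own assumptions, not the project's API.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified pod-template types for this example (not the project's or Kubernetes' API types).
type Volume struct {
	Type     string // "hostPath", "configMap", "secret", ...
	HostPath string // path prefix, only set when Type == "hostPath"
}

type Container struct {
	Privileged bool
	AddCaps    []string // securityContext.capabilities.add
	RunAsUser  *int64   // nil when the container does not set runAsUser
}

type Workload struct {
	Name, Kind                    string
	HostPID, HostNetwork, HostIPC bool
	Volumes                       []Volume
	Containers                    []Container
}

// PSPSummary is the union of everything the workloads in scope request: the tightest single policy admitting all of them.
type PSPSummary struct {
	HostPID, HostNetwork, HostIPC, Privileged      bool
	AllowedCapabilities, AllowedHostPaths, Volumes []string
	RunAsUserRule                                  string
}

func sortedKeys(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Aggregate folds every workload's security context into one PSPSummary.
func Aggregate(ws []Workload) PSPSummary {
	caps, paths, vols := map[string]bool{}, map[string]bool{}, map[string]bool{}
	s := PSPSummary{RunAsUserRule: "MustRunAsNonRoot"}
	for _, w := range ws {
		s.HostPID = s.HostPID || w.HostPID
		s.HostNetwork = s.HostNetwork || w.HostNetwork
		s.HostIPC = s.HostIPC || w.HostIPC
		for _, v := range w.Volumes {
			vols[v.Type] = true
			if v.Type == "hostPath" {
				paths[v.HostPath] = true
			}
		}
		for _, c := range w.Containers {
			s.Privileged = s.Privileged || c.Privileged
			for _, name := range c.AddCaps {
				caps[name] = true
			}
			// A single container that may run as UID 0 forces the policy to RunAsAny.
			if c.RunAsUser == nil || *c.RunAsUser == 0 {
				s.RunAsUserRule = "RunAsAny"
			}
		}
	}
	s.AllowedCapabilities, s.AllowedHostPaths, s.Volumes = sortedKeys(caps), sortedKeys(paths), sortedKeys(vols)
	return s
}

// Report lists, per host-namespace attribute, the workloads that need it (in input order): the "why is this allowed?" answer.
func Report(ws []Workload) map[string][]string {
	r := map[string][]string{}
	for _, w := range ws {
		id := w.Kind + "/" + w.Name
		for attr, on := range map[string]bool{"hostPID": w.HostPID, "hostNetwork": w.HostNetwork, "hostIPC": w.HostIPC} {
			if on {
				r[attr] = append(r[attr], id)
			}
		}
	}
	return r
}

// SampleWorkloads is constructed input modelled on the README's psp-test namespace.
func SampleWorkloads() []Workload {
	uid := int64(1000)
	return []Workload{
		{Name: "busy-rs", Kind: "ReplicaSet", HostPID: true, HostNetwork: true, HostIPC: true, Volumes: []Volume{{Type: "configMap"}}, Containers: []Container{{AddCaps: []string{"SYS_ADMIN"}}}},
		{Name: "busy-job", Kind: "Job", HostIPC: true, Volumes: []Volume{{Type: "hostPath", HostPath: "/usr/bin"}}, Containers: []Container{{Privileged: true, RunAsUser: &uid}}},
		{Name: "busy-pod", Kind: "Pod", HostNetwork: true, Volumes: []Volume{{Type: "hostPath", HostPath: "/usr/bin"}, {Type: "secret"}}, Containers: []Container{{AddCaps: []string{"NET_ADMIN"}, RunAsUser: &uid}}},
		{Name: "busy-deploy", Kind: "Deployment", HostPID: true, Volumes: []Volume{{Type: "hostPath", HostPath: "/tmp"}}, Containers: []Container{{RunAsUser: &uid}}},
	}
}

func main() {
	fmt.Printf("%+v\n%v\n", Aggregate(SampleWorkloads()), Report(SampleWorkloads()))
}
```

The runAsUser handling is the part worth reading twice: the policy only tightens when every container of every workload in scope pins a non-zero UID, and one container that leaves runAsUser unset drags the whole PSP back to RunAsAny. The same "any workload wins" logic is what makes a single privileged Job turn privileged: true on for the entire namespace, which is why narrowing the scope with --namespace matters when reviewing the output.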

Limitations

Some attributes (e.g. capabilities) require runtime information in order to provide the following:

  • Least privilege (capabilities captured at runtime)

High-level todo list

  • [x] Basic functionality
  • [ ] Create PSP's for common charts
  • [x] Kubectl plugin

Sample Pod Security Policy

Command: ./kube-psp-advisor inspect --namespace=psp-test

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  creationTimestamp: null
  name: pod-security-policy-20181130114734
spec:
  allowedCapabilities:
  - SYS_ADMIN
  - NET_ADMIN
  allowedHostPaths:
  - pathPrefix: /bin
  - pathPrefix: /tmp
  - pathPrefix: /usr/sbin
  - pathPrefix: /usr/bin
  fsGroup:
    rule: RunAsAny
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - hostPath
  - configMap
  - secret

Sample Report

Command: ./kube-psp-advisor inspect --namespace=psp-test --report | jq .podSecuritySpecs

{
  "hostIPC": [
    {
      "metadata": {
        "name": "busy-rs",
        "kind": "ReplicaSet"
      },
      "namespace": "psp-test",
      "hostPID": true,
      "hostNetwork": true,
      "hostIPC": true,
      "volumeTypes": [
        "configMap"
      ]
    },
    {
      "metadata": {
        "name": "busy-job",
        "kind": "Job"
      },
      "namespace": "psp-test",
      "hostIPC": true,
      "volumeTypes": [
        "hostPath"
      ],
      "mountedHostPath": [
        "/usr/bin"
      ]
    }
  ],
  "hostNetwork": [
    {
      "metadata": {
        "name": "busy-rs",
        "kind": "ReplicaSet"
      },
      "namespace": "psp-test",
      "hostPID": true,
      "hostNetwork": true,
      "hostIPC": true,
      "volumeTypes": [
        "configMap"
      ]
    },
    {
      "metadata": {
        "name": "busy-pod",
        "kind": "Pod"
      },
      "namespace": "psp-test",
      "hostNetwork": true,
      "volumeTypes": [
        "hostPath",
        "secret"
      ],
      "mountedHostPath": [
        "/usr/bin"
      ]
    }
  ],
  "hostPID": [
    {
      "metadata": {
        "name": "busy-deploy",
        "kind": "Deployment"
      },
      "namespace": "psp-test",
      "hostPID": true,
      "volumeTypes": [
        "hostPath"
      ],
      "mountedHostPath": [
        "/tmp"
      ]
    },
    {
      "metadata": {
        "name": "busy-rs",
        "kind": "ReplicaSet"
      },
      "namespace": "psp-test",
      "hostPID": true,
      "hostNetwork": true,
      "hostIPC": true,
      "volumeTypes": [
        "configMap"
      ]
    }
  ]
}

Commercial

Generating PSPs based on runtime activity, simulating PSPs and managing different PSPs across Kubernetes namespaces can simplify the life of every Kubernetes operator. Check out how Sysdig Secure can help - https://sysdig.com/blog/psp-in-production/
