# KubeSecO

Application Security Workflow Automation using Docker and Kubernetes

This project contains a proof-of-concept implementation of a solution consisting of scripts, Dockerfiles, Kubernetes deployment specs etc. that together deploy a system that can:

- Orchestrate 3rd party security tools
- Transform tool output (JSON) and generate event triggers
- Expose API endpoints to submit input and collect aggregated results
## How to Use

- Try out the solution by following this document
- Read the Internals doc to get an idea of the data schema etc.
- Read the Development doc to get an idea of the local setup for development.
- Refer to Tasks
## Requirements

- Kubernetes cluster
- kubectl (configured to use the cluster)
- helm
## Get Started

### Clone This Repository

```sh
git clone https://github.com/appsecco/kubeseco
cd kubeseco
```
### Deploy Apps and Infra

Ensure `kubectl` is configured to use the Kubernetes cluster where you want to deploy the setup. Execute the following script to set up the cluster.

```sh
./setup.sh
```

Refer to the Under The Hood section in this document for details on what the script does.

To set up a Kubernetes cluster in Google Cloud and configure `kubectl`, refer to the `cluster_create_gcp.sh` script in this repository.

```sh
GCP_PROJECT=<Your-Project-Name> ./cluster_create_gcp.sh
```
### Expose API Service

```sh
kubectl port-forward service/api-service 3000
```

### Submit Scan

```sh
curl -H "Content-Type: application/json" \
  -d '{"asset_type":"domain", "asset_value":"example.com"}' \
  http://localhost:3000/scans
```

### Get Result

```sh
curl http://localhost:3000/scans/:scan_id
```

`:scan_id` is obtained after successful scan submission.
## Under The Hood

### What is being deployed?

- NATS
- Minio
- API Service
- Feedback Processor
- Security Tools (Containers)

### How is the scan executed?

- The API service exposes an HTTP endpoint to submit a scan
- On submission, it pushes the input to NATS
- The Security Tools listening on the corresponding NATS topic are triggered
- Output is stored in Minio
- The output JSON is processed by the Feedback Processor to generate new input (feedback loop)

### Where are the results stored?

Minio
## Extend

### How to integrate a tool?

- Identify a security tool that produces JSON output
- Write a `Dockerfile` to package the security tool as a container
- Include the Tool Adapter as the entrypoint program for the container
- Push the docker image to your preferred registry
- Write a Kubernetes deployment spec (YAML)
- Deploy to Kubernetes
- (Optional) Write a rule to process the tool output JSON and generate a feedback event
- (Optional) Update `feedback-processor` in the cluster
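As an added example (not the project's code, and not its real rule format), this shows the shape of the feedback step described in the scan flow above and in the optional rule-writing step: a tool's output JSON is turned into new input events in the same `{"asset_type", "asset_value"}` schema the API accepts. The tool name, output keys, `host` asset type and rule format are assumptions, and the sample output is constructed.

```python
import json

# Constructed sample output from a hypothetical subdomain enumeration tool;
# not real KubeSecO tool output, and the key names are assumptions.
SAMPLE_OUTPUT = json.dumps({
    "tool": "subdomain-enum",
    "input": {"asset_type": "domain", "asset_value": "example.com"},
    "results": [
        {"hostname": "www.example.com", "addresses": ["192.0.2.10"]},
        {"hostname": "mail.example.com", "addresses": ["192.0.2.25", "192.0.2.26"]},
        {"hostname": "example.com", "addresses": ["192.0.2.1"]},
        {"hostname": "www.example.com", "addresses": ["192.0.2.10"]},
    ],
})

# A rule maps a field of each result to the asset_type of the feedback event
# it should produce. This rule format is an assumption, not the project's.
RULES = {
    "subdomain-enum": [
        {"field": "hostname", "asset_type": "domain"},
        {"field": "addresses", "asset_type": "host"},
    ],
}


def feedback_events(raw_output: str, rules: dict = RULES) -> list:
    """Turn one tool's output JSON into new input events for NATS.

    Events repeating the original input are dropped so the feedback loop
    cannot re-trigger the same scan forever, and duplicates within one
    output are collapsed (the project itself does no de-duplication).
    """
    output = json.loads(raw_output)
    original = (output["input"]["asset_type"], output["input"]["asset_value"])
    seen = {original}
    events = []
    for rule in rules.get(output.get("tool", ""), []):
        for item in output.get("results", []):
            values = item.get(rule["field"])
            if values is None:
                continue
            # A field may hold a single string or a list of strings
            for value in (values if isinstance(values, list) else [values]):
                key = (rule["asset_type"], value)
                if key in seen:
                    continue
                seen.add(key)
                events.append({"asset_type": key[0], "asset_value": key[1]})
    return events
```

Each returned event is one message to publish on the NATS topic of the tool that handles that asset type; the loop guard is the example's own addition, since the project has no state management to stop a scan re-triggering itself.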
### What are the current limitations and constraints?

- No state management
  - There is no way to know when all activities of a scan are finished
- Bulk input
  - The system supports sending single input events to each security tool. For example, 1 domain/url/host instead of an array of inputs
- Topic persistence
  - All inputs are lost if the Pod (Security Tool) processing the input is evicted/killed
- No de-duplication
  - Different security tools may produce overlapping results. There is no common data schema or parsing of the JSON output produced by individual security tools.