What is kubesec?
kubesec is a tool that scans Kubernetes manifest files (and objects exported from a running cluster) for security issues, scores each object, and lists the settings it advises you to add. It does not modify anything itself; the score and the advise list are what you act on.
Installation
The session below uses `k` as a shorthand alias for kubectl.
## Download from: https://github.com/controlplaneio/kubesec/releases/tag/v2.14.0
root@k8s-m:/build# wget https://github.com/controlplaneio/kubesec/releases/download/v2.14.0/kubesec_linux_amd64.tar.gz
root@k8s-m:/build# tar -xvf kubesec_linux_amd64.tar.gz
CHANGELOG.md
LICENSE
README.md
kubesec
root@k8s-m:/build# ls
CHANGELOG.md Dockerfile Dockerfile.backup LICENSE README.md kubesec kubesec_linux_amd64.tar.gz main.go
root@k8s-m:/build# sudo mv kubesec /usr/bin/
root@k8s-m:/build# k run test-kubesec-nginx --image=nginx
pod/test-kubesec-nginx created
root@k8s-m:/build# k get pod test-kubesec-nginx -o yaml > test-kubesec-nginx.yaml
root@k8s-m:/build# kubesec scan test-kubesec-nginx.yaml
[
  {
    "object": "Pod/test-kubesec-nginx.default",
    "valid": true,
    "fileName": "test-kubesec-nginx.yaml",
    "message": "Passed with a score of 3 points",
    "score": 3,
    "scoring": {
      "passed": [
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        }
      ],
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1
        },
        {
          "id": "AutomountServiceAccountToken",
          "selector": ".spec .automountServiceAccountToken == false",
          "reason": "Disabling the automounting of Service Account Token reduces the attack surface of the API server",
          "points": 1
        },
        {
          "id": "RunAsGroup",
          "selector": ".spec, .spec.containers[] | .securityContext .runAsGroup -gt 10000",
          "reason": "Run as a high-UID group to avoid conflicts with the host's groups",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",
          "selector": ".spec, .spec.containers[] | .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1
        },
        {
          "id": "RunAsUser",
          "selector": ".spec, .spec.containers[] | .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's users",
          "points": 1
        },
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "LimitsMemory",
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsCPU",
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1
        },
        {
          "id": "CapDropAll",
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1
        },
        {
          "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1
        }
      ]
    }
  }
]
As shown above, kubesec lists the security-relevant settings it checked, split into a passed section and an advise section. Each passed item adds its points to the score; each advise item is a hardening setting that is missing, together with the selector (a jq-style path) it would have to match and the points it would add. kubesec also has a critical category for dangerous settings such as privileged containers, which subtracts points; none applied to this bare nginx Pod, which is why only passed and advise appear.
One caveat about the 3 points above: the Pod was exported with `k get pod -o yaml`, and the API server has already filled in `serviceAccountName: default` on a running Pod. The ServiceAccountName check only tests that the field is present, so it passes here without anyone having configured a least-privilege service account. Working through the advise items (run as a non-root, high UID/GID, drop all capabilities, read-only root filesystem, resource requests and limits, no automounted service account token, seccomp and AppArmor profiles) is what actually hardens the workload.
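To make the advise list actionable, here is an added example (written for this post, not code from the original page or from the kubesec project): a POSIX shell script with two functions. `write_hardened_manifest` writes a Pod manifest that sets every field the advise items above point at, and `kubesec_gate` reads kubesec's JSON report on stdin and exits non-zero when any object scores below a threshold or carries critical findings, which is the shape you want in a CI step. The file name, the UID/GID value 10001, the resource sizes and the threshold of 5 are assumptions made for this example. Two caveats: kubesec 2.14.0 reports SeccompAny against the old pod annotation, while the manifest below uses the `seccompProfile` field that current Kubernetes supports, so read the scan output to see whether your kubesec version credits it; and the stock nginx image writes to its root filesystem and binds port 80 as root, so a Pod locked down this far needs an image built to run unprivileged before it will actually start. The script demonstrates the scan and the gate, not a runnable nginx deployment.

```shell
#!/bin/sh
# Added example for this post; not code from the original page or from kubesec.
# Assumptions: kubesec v2.14.0 is on PATH as installed above; the manifest
# file name, UID/GID 10001, resource sizes and threshold are chosen here.

# Write a Pod manifest that addresses every "advise" item kubesec reported
# for the bare `kubectl run` nginx Pod. Values are constructed for scoring;
# the stock nginx image will not start under these settings (see lead-in).
write_hardened_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: test-kubesec-nginx
  namespace: default
  annotations:
    # kubesec itself labels the AppArmor check "NOT PRODUCTION READY"
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: nginx
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      requests: { cpu: 100m, memory: 64Mi }
      limits:   { cpu: 500m, memory: 128Mi }
EOF
}

# Read kubesec's JSON report (the shape shown above) on stdin. Return 1 if
# any "critical" findings are present or any object's score is below the
# threshold, 2 if no score could be found, 0 otherwise. Parsing with sed
# keeps the gate dependency-free; with jq you could use
#   jq -e 'all(.[]; .score >= 5 and (.scoring.critical // []) == [])'
kubesec_gate() {
  threshold="$1"
  report=$(cat)
  # one "score" line per scanned object; negative scores are possible
  scores=$(printf '%s\n' "$report" | sed -n 's/.*"score": *\(-\{0,1\}[0-9][0-9]*\).*/\1/p')
  if [ -z "$scores" ]; then
    echo "kubesec_gate: no score found in report" >&2
    return 2
  fi
  # kubesec only emits the "critical" array when critical rules matched
  if printf '%s\n' "$report" | grep -q '"critical"'; then
    echo "kubesec_gate: critical findings present" >&2
    return 1
  fi
  for score in $scores; do
    if [ "$score" -lt "$threshold" ]; then
      echo "kubesec_gate: score $score below threshold $threshold" >&2
      return 1
    fi
  done
  echo "kubesec_gate: all scores >= $threshold, no critical findings"
  return 0
}

# Usage in a CI step (needs kubesec on PATH):
#   write_hardened_manifest hardened-nginx.yaml
#   kubesec scan hardened-nginx.yaml | kubesec_gate 5
```

The bare Pod from the session above scores 3, so `kubesec_gate 5` would fail it; once the advise items are addressed the score rises and the gate passes. Scanning the manifest you commit, rather than the object exported from the cluster, also avoids the defaulted `serviceAccountName` giving you points you did not earn.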