Kubernetes Security - CloudCommandos/JohnChan GitHub Wiki

Tools for K8s security

  1. Kubernetes security

    1. Kube-Bench: open-source tool that checks your Kubernetes configuration settings against the CIS benchmark
    2. Kube-Hunter: open-source tool for penetration assessment of a Kubernetes cluster against the CIS benchmark
  2. Container scanning

    1. Trivy: open-source tool for container image scanning
    2. Microscanner: free tool for container image scanning (with limited functions compared to what we have in our product)

Security measures based on Nessus scan results

Recommended TLS Cipher Suites

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Apply to the kube-apiserver.yaml and kube-controller-manager.yaml static pod manifests, adding both flags to the container's command list (the kubelet restarts a static pod automatically when its manifest changes)

- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- --tls-min-version=VersionTLS12

Apply to the kubelet configuration file /var/lib/kubelet/config.yaml, then restart the kubelet so the new settings take effect

tlsMinVersion: VersionTLS12
tlsCipherSuites: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384']

Apply to the etcd static pod manifest /etc/kubernetes/manifests/etcd.yaml (etcd uses --cipher-suites, not --tls-cipher-suites)

- --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
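A quick compliance check for the kube-apiserver and kube-controller-manager manifests edited above, written as an added example for this page (it is not part of the wiki or of any Kubernetes tooling). It assumes the kubeadm manifest layout of one "- --flag=value" list item per flag, and builds two constructed sample manifests so it runs offline.

```shell
#!/bin/sh
# Added example (not from the wiki): check that a kube-apiserver or
# kube-controller-manager static pod manifest has the TLS settings above.
# Assumes the kubeadm layout of one "- --flag=value" list item per flag.
ALLOWED_SUITES="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# check_manifest FILE: prints findings; returns 0 when compliant, 1 otherwise.
check_manifest() {
  file=$1
  rc=0
  if ! grep -q -- '--tls-min-version=VersionTLS12' "$file"; then
    echo "$file: --tls-min-version=VersionTLS12 is not set"
    rc=1
  fi
  # Pull the value of the --tls-cipher-suites list item, if any.
  suites=$(sed -n 's/^[[:space:]]*-[[:space:]]*--tls-cipher-suites=//p' "$file")
  if [ -z "$suites" ]; then
    echo "$file: --tls-cipher-suites is not set, so Go's default list applies"
    return 1
  fi
  for s in $(printf '%s' "$suites" | tr ',' ' '); do
    case " $ALLOWED_SUITES " in
      *" $s "*) ;;
      *) echo "$file: $s is not in the recommended suite list"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample manifests: one hardened, one with a CBC suite and no minimum version.
WORKDIR=$(mktemp -d)
GOOD_MANIFEST=$WORKDIR/good.yaml; BAD_MANIFEST=$WORKDIR/bad.yaml
cat > "$GOOD_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - --tls-min-version=VersionTLS12
EOF
cat > "$BAD_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
EOF
check_manifest "$GOOD_MANIFEST" && echo "good.yaml: compliant"
check_manifest "$BAD_MANIFEST" || echo "bad.yaml: review needed"
```

Point it at /etc/kubernetes/manifests/kube-apiserver.yaml on a real control-plane node; a non-zero exit means at least one finding was printed.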

Use sslyze (run here from its Docker image on the host network) to list the TLS versions and cipher suites that the service listening on the given port actually accepts, so you can confirm the settings above took effect

# kubelet
docker run --network=host --rm -it nablac0d3/sslyze --regular 127.0.0.1:10250
# api-server
docker run --network=host --rm -it nablac0d3/sslyze --regular 127.0.0.1:6443

Use this command to check which ports your services are listening on (run it as root so the -p column shows the owning process)

netstat -nlp