kube-bench report
- Bring up the kubeadm cluster
- Install krew to add plugins to kubectl (Refer Here)
(
set -x; cd "$(mktemp -d)" &&
OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
KREW="krew-${OS}_${ARCH}" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
tar zxvf "${KREW}.tar.gz" &&
./"${KREW}" install krew
)
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
- Now install tree plugin for kubectl
kubectl krew install tree
- Refer Here for the plugin index
- Try this plugin (Refer Here)
- Install the trivy operator (Refer Here)
- Now deploy some sample application
kubectl create deployment nginx --image nginx:1.16
- Wait for the reports to be generated
- Installing the trivy operator creates custom resources (the highlighted ones); fetch the config audit report for the nginx replicaset:
kubectl get configauditreports.aquasecurity.github.io replicaset-nginx-85bfcd86d5 -o wide
# to get the full report as JSON
kubectl get configauditreports.aquasecurity.github.io replicaset-nginx-85bfcd86d5 -o json
- Refer Here for the vulnerabilities
- Find resolutions for at least 2 critical vulnerabilities
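Added example (not from the original notes): the sample application above is created with a one-liner, so it has no securityContext, no resource limits and an end-of-life image, which is exactly what a configauditreport and a vulnerabilityreport will flag. The manifest below is a hardened replacement for that Deployment. The namespace "default" and the image tag are assumptions; the nginxinc/nginx-unprivileged image is used because the stock nginx image binds port 80 as root and cannot run with runAsNonRoot.

```yaml
# Added example, not the original notes' manifest.
# Hardened replacement for: kubectl create deployment nginx --image nginx:1.16
# Assumptions: namespace "default"; <current-tag> is a placeholder for a
# pinned, patched tag of the unprivileged image (check the vulnerabilityreport
# again after changing it; upgrading the image is how fixable CVEs get resolved).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      automountServiceAccountToken: false   # the pod never talks to the API server
      securityContext:
        runAsNonRoot: true                  # kubelet refuses to start a root container
        seccompProfile:
          type: RuntimeDefault              # runtime's default syscall filter
      containers:
      - name: nginx
        # nginx:1.16 is end-of-life and runs as root; the unprivileged image
        # listens on 8080 as uid 101, so it satisfies runAsNonRoot.
        image: nginxinc/nginx-unprivileged:<current-tag>
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false   # no setuid/ capability gain at exec
          readOnlyRootFilesystem: true      # writes only go to the volumes below
          capabilities:
            drop: ["ALL"]
        resources:                          # missing limits is a common audit finding
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 200m
            memory: 128Mi
        volumeMounts:
        # With a read-only root fs, nginx still needs writable cache and pid paths.
        - name: cache
          mountPath: /var/cache/nginx
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: cache
        emptyDir: {}
      - name: tmp
        emptyDir: {}
```

Apply it with `kubectl apply -f` and wait for the operator to regenerate the configauditreport for the new replicaset; the failed checks for the securityContext and resources sections should now pass, and the vulnerabilityreport will reflect the newer image instead of nginx:1.16.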
Attacker Gains Access to Pod
- By default, k8s allows a Pod to reach Pods in any other namespace within the cluster
- The only way for us to stop this is by using a Network Policy
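Added example (not from the original notes) of the Network Policy the point above calls for. It assumes the nginx Deployment from earlier lives in the "default" namespace, still listens on port 80 and carries the label app=nginx (which `kubectl create deployment` sets); the role=frontend label is an assumption. The first object denies all ingress to every pod in the namespace, the second re-opens port 80 on nginx only for pods in the same namespace that carry role=frontend.

```yaml
# Added example, not from the original notes.
# Assumptions: namespace "default", nginx pods labelled app=nginx on port 80,
# callers labelled role=frontend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # Ingress listed with no rules = deny all ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-nginx
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx           # policy applies to the nginx pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    # podSelector alone (no namespaceSelector) only matches pods in this
    # namespace, so pods from other namespaces stay blocked by the deny rule.
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
```

Policies are additive: a connection is allowed if any policy selecting the destination pod allows it, so the deny-all policy plus one allow policy gives the intended result. Two checks worth doing: `kubectl describe networkpolicy -n default` to confirm the selectors resolved as expected, and verifying that the CNI on the kubeadm cluster actually enforces NetworkPolicy (Calico and Cilium do; a bare flannel install accepts the objects but ignores them, so the cross-namespace access would still work).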
Next Steps
- GateKeeper
- AppArmor
- Certificates