Image Dissemination and Secrets Management

Grafeas

Website: grafeas.io

License: free (Apache)

Grafeas is an open source API for auditing and managing the software supply chain. At its most basic, Grafeas is a tool for collecting metadata and audit results, which can be used to track compliance with the organization's security best practices.

This centralized source of truth helps answer questions like:

  • Who built and signed a specific container image?
  • Has it passed all security scanners and security policy checks? When, and with what results?
  • Who deployed it to production, and which parameters were used during deployment?

 

In-toto

Website: in-toto.github.io

License: free (Apache)

In-toto is a framework designed to ensure the integrity, authenticity and auditability of the entire software supply chain. When In-toto is deployed in an infrastructure, the first step is to define a plan that describes the individual steps of the pipeline (repository, CI/CD tools, QA tools, artifact collectors, etc.) and the users (responsible persons) who are allowed to perform them.

In-toto then monitors execution of that plan, verifying that each step in the chain was carried out properly and only by authorized personnel, and that the product was not tampered with along the way.

 

Portieris

Website: github.com/IBM/portieris

License: free (Apache)

Portieris is an admission controller for Kubernetes that enforces content trust checks. Portieris uses Notary as its source of truth for which artifacts (i.e. container images) are trusted and signed.

When a workload is created or modified in Kubernetes, Portieris fetches the signature information and the content trust policy for the requested container images and, if necessary, mutates the API JSON object on the fly so that only signed versions of those images are launched.

 

Vault

Website: www.vaultproject.io

License: free (MPL)

Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, account credentials, Kubernetes secrets, etc. Vault supports many advanced features, such as leasing short-lived (ephemeral) tokens and organizing key rotation.

Using the Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as its storage backend. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default Kubernetes secret store.

Kubernetes Security Audit

Kube bench

Website: github.com/aquasecurity/kube-bench

License: free (Apache)

Kube-bench is a Go-based application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark.

Kube-bench looks for insecure configuration parameters in the cluster components (etcd, API server, controller manager, etc.), questionable file permissions, insecure accounts or open ports, resource quotas, settings that limit the rate of API calls to protect against DoS attacks, and so on.

 

Kube hunter

Website: github.com/aquasecurity/kube-hunter

License: free (Apache)

Kube-hunter "hunts" for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner, in which case it evaluates the cluster from the point of view of an external attacker, or as a pod inside the cluster.

A distinctive feature of Kube-hunter is its "active hunting" mode, in which it not only reports problems but also tries to exercise the vulnerabilities it finds in the target cluster, which could potentially disrupt the cluster's operation. Use it with caution!

Kubeaudit

Website: github.com/Shopify/kubeaudit

License: free (MIT)

Kubeaudit is a command-line tool originally developed by Shopify to audit Kubernetes configurations for various security issues. For example, it helps identify containers that run without restrictions, run with root privileges, are allowed to escalate privileges, or use the default ServiceAccount.

Kubeaudit has other interesting features. For example, it can analyze local YAML files, identify configuration flaws that can lead to security problems, and fix them automatically.

 

Kubesec

Website: kubesec.io

License: free (Apache)

Kubesec is unusual in that it directly scans the YAML files describing Kubernetes resources, looking for weak settings that affect security.

For example, it can detect excessive privileges and permissions granted to a pod, containers that run as root by default, attachment to the host network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is its online demo service, where you can upload a YAML file and have it analyzed immediately.
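The kinds of checks that Kubeaudit and Kubesec perform on a manifest are easy to illustrate in code. The following is an added example written for this page, not code from either project: it walks a parsed Pod spec (the dict that yaml.safe_load would return, so it runs without PyYAML) and flags the weak settings described above: hostNetwork/hostPID, the default ServiceAccount, privileged containers, root users, privilege escalation, missing resource limits, and hostPath mounts of the Docker socket or the host's /proc. Both manifests are constructed for the example; the image names, ServiceAccount name and the audit function's rules are assumptions, not a project's own rule set.

```python
"""Manifest audit in the spirit of kubeaudit/kubesec (added example, not their code).

Operates on parsed manifests (dicts) so it runs offline; in practice you would
feed it the output of yaml.safe_load() on a local YAML file.
"""

# Host paths whose exposure into a container is treated as dangerous (assumed list).
DANGEROUS_HOST_PATHS = ("/proc", "/sys", "/dev", "/etc",
                        "/var/run/docker.sock", "/run/docker.sock")


def is_dangerous_host_path(path):
    """True if a hostPath is the host root or sits under one of the dangerous prefixes."""
    if path == "/":
        return True
    return any(path == d or path.startswith(d + "/") for d in DANGEROUS_HOST_PATHS)


def pod_spec(manifest):
    """Return the Pod spec from a bare Pod or from a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """Return a list of human-readable findings; an empty list means no weak settings found."""
    spec = pod_spec(manifest)
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork shares the host network namespace")
    if spec.get("hostPID"):
        findings.append("pod: hostPID shares the host PID namespace")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod: uses the default ServiceAccount")

    # Map volume names to host paths so container mounts can be traced back.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    pod_sc = spec.get("securityContext", {})

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level overrides pod-level
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot"):
            findings.append(f"{name}: may run as root (no runAsNonRoot, runAsUser unset or 0)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits set")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and is_dangerous_host_path(path):
                findings.append(f"{name}: mounts dangerous host path {path} at {m['mountPath']}")
    return findings


# Constructed sample: a Deployment with several weak settings.
WEAK_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "legacy-agent"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [
            {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "hostproc", "hostPath": {"path": "/proc"}},
            {"name": "data", "emptyDir": {}},
        ],
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1.0",  # placeholder image
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                {"name": "hostproc", "mountPath": "/host/proc"},
                {"name": "data", "mountPath": "/data"},
            ],
        }],
    }}},
}

# Constructed sample: the same idea hardened; the audit should stay silent.
HARDENED_MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "serviceAccountName": "web-sa",
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "example.invalid/web:2.3",  # placeholder image
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label}: {len(audit(m))} finding(s)")
        for f in audit(m):
            print("  -", f)
```

The container's securityContext is merged over the pod's because Kubernetes applies the container-level fields on top of pod-level ones; the root check deliberately fires when neither runAsNonRoot nor a non-zero runAsUser is set, since an unspecified user means "whatever the image defaults to", which is very often root.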

 

Open policy agent

Website: www.openpolicyagent.org

License: free (Apache)

The idea behind OPA (Open Policy Agent) is to decouple security policies and security best practices from any specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift or any combination of them.

For example, you can deploy OPA as the backend of a Kubernetes admission controller, delegating security decisions to it. The OPA agent can then validate, reject, and even modify requests on the fly, ensuring that they comply with the configured security settings. OPA policies are written in its own DSL, Rego.