Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.
The audit tests are the full implementation of CIS Kubernetes Benchmark specification
NEW !! audit result now can be leveraged as webhook via user plugin(using go plugin)
- root cause of the security issue
- proposed remediation for security issue
- Installation
- Quick Start
- Kube-beacon as Docker
- Kube-beacon as pod in k8s
- User Plugin Usage
- Next steps
git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
- Note: kube-beacon require root user to be executed
Execute kube-eacon without any flags , execute all tests
./kube-beacon
Execute kube-beacon with flags , execute test on demand
Usage: kube-Beacon [--version] [--help] <command> [<args>]
Available commands are:
-r , --report : run audit tests and generate failure report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-n , --node: execute audit tests on specific node, example -n=master,-n=worker
-s , --spec: execute specific audit tests spec, example -s=gke, default=k8s
-v , --version: execute specific audit tests spec version, example -v=1.1.0,default=1.6.0
Execute tests and generate failure tests report
./kube-beacon -r
-
Execute kube beacon as a pod in k8s cluster
-
Add cluster role binding with role=cluster-admin
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
cd jobs
- simple k8s cluster run following job
kubectl apply -f k8s.yaml
- gke cluster run the following job
kubectl apply -f gke.yaml
- Check k8s pod status
kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default kube-beacon-sc8g9 0/1 Completed 0 111s
kube-system event-exporter-gke-8489df9489-skcvv 2/2 Running 0 7m24s
kube-system fluentd-gke-7d5sl 2/2 Running 0 7m6s
kube-system fluentd-gke-f6q5d 2/2 Running 0 6m59s
- Check k8s pod audit output
kubectl logs kube-beacon-sc8g9
- cleanup (remove role and delete pod)
kubectl delete clusterrolebinding default-admin
kubectl delete -f k8s.yaml
The Kube-Beacon expose hook for user plugins Example :
- K8sBenchAuditResultHook - this hook accepts audit benchmark results as found by audit report
go build -buildmode=plugin -o=~/<plugin folder>/bench_plugin.so /<plugin folder>/bench_plugin.go
cp /<plugin folder>/bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so
Note: Plugin and binary must compile with the same linux env
- Add support for Amazon EKS scanning