Kubernetes Starboard Project Offers Security Scanning from Kubectl
The basic idea behind the new open-source Kubernetes security toolkit Starboard is so simple, says Aqua Security vice president of open source engineering Liz Rice, that once you see it, it just makes sense.
“When you see vulnerability information right there next to the status information for an application, it’s one of those ideas that you know must’ve been a good idea, because it seems so obvious. Of course, you want to see that vulnerability information right next to the application itself,” said Rice.
The project, licensed under Apache 2.0 and created by Aqua Security, among others, uses custom resource definitions (CRDs) to integrate security tools and make the results accessible via the Kubernetes API.
“If we think about security tools and how they are used today in Kubernetes deployments, they tend to be used alongside Kubernetes deployments,” explained Rice. “If you wanted to, you could have lots of different security tools each with their own interfaces, each generating their own style of reports, maybe storing that information in different databases or outputting it as JSON or YAML or whatever form that the tool supports. The idea with Starboard was to say, it would be really nice if we could make that information accessible through the Kubernetes API.”
This initial release of Starboard includes a kubectl plugin, a set of custom security resources definitions, a Go module, and an Octant plugin, as well as integrations with four tools, three of them built by Aqua. Those include the container vulnerability scanner Trivy, the Center for Internet Security (CIS) benchmarking tool kube-bench, and the kube-hunter penetration testing tool.
The last tool, Polaris, is built by Fairwinds and looks to identify Kubernetes misconfigurations, ensuring that pods and controllers are configured using best practices. The results of these tools are then put directly alongside Kubernetes operating information in Octant, the “open source developer-centric web interface for Kubernetes that lets you inspect a Kubernetes cluster and its applications,” built as part of VMware Tanzu.
While these are the tools offered with the initial launch, Rice emphasized that the system is built to be extensible.
“The idea is that, although we’ve set it up in this release that you can use Trivy to generate a vulnerability report, it would be easy enough for another vulnerability scanner to be integrated with Starboard and use the same CRD definition, and populate the vulnerability information in the same way. It would be visible to the user in the same way,” said Rice. “For users, they should be able to kind of plug and play different security tools using Starboard. There obviously needs to be integrations for each of these different tools, but we’ve tried to make that as easy as possible with some Go libraries.”
An additional benefit of using CRDs, Rice notes in her blog post introducing Starboard, is that it allows administrators to take advantage of Kubernetes RBAC, therefore limiting access to security reports to only those who should be accessing them.
Calling this an “initial” release, Rice said they are hoping to get feedback, and posed some possibilities for where the project would go next.
“I think the next big step that we want to build is an operator so that you can automatically generate these resources — things like vulnerability reports — as new resources get deployed to Kubernetes. Or, another example would be the operator watching for a new node, and once the node has come up, automatically running the CIS benchmark tests over that node so that there’s immediately a report available for the Kubernetes API,” said Rice.
Currently, Starboard offers security scanning via the command line, but a “flexible, pluggable” Starboard Security Operator is in the works to offer better scalability, as well as provide a “roll-up” of security risk information in each namespace and across the cluster to help identify the highest risks. Also in the pipeline, said Rice, is an integration with Aqua’s commercial offerings.