Kubernetes security startup Octarine has released as open source a set of tools that can help Kubernetes users identify configuration settings in their K8s deployments that may inadvertently leave open security holes.
Octarine’s newly released Kubernetes Common Configuration Scoring System (KCCSS) is a framework for rating security risks associated with not configuring Kubernetes correctly. It is used by Octarine’s associated kube-scan, also freshly minted as open source, a runtime tool that scans Kubernetes configurations and settings, identifying and ranking potential vulnerabilities in running deployments.
While much attention has been paid to runtime vulnerabilities inside containers in cloud native settings, through techniques such as image scanning, less focus has been directed to the damage that faulty configuration of the orchestration software itself can cause. Yet a misconfigured workload can give an attacker an ingress point into the cluster and, from there, a path to privilege escalation and other attacks.
One example is a containerized workload that has access to the underlying host (for instance through host namespaces, a privileged container or a hostPath mount) and is also reachable from the Internet. An attacker who compromises the container from the Internet can use those settings to break out onto the node and then attack the cluster itself.
Kubernetes has more than 30 security settings spread across pod security policies, pod definitions and manifest files, and many of the admins now managing Kubernetes deployments may not understand the full security implications of the settings they choose, Octarine contends.
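The scenario above, a workload that can reach the host and is exposed to the Internet, can be made concrete with a small scan of the pod-level settings involved. The following is an added example written for this article; it is not Octarine's kube-scan code, and the checks, the 1..10 severity values and the "bump the score when Internet-exposed" rule are illustrative assumptions, not the real KCCSS weights. The two manifests are constructed, and are passed in as already-parsed dicts so the script runs offline without a YAML library.

```python
"""Toy scan of Kubernetes pod specs for risky security settings.

Added example for this article, not code from Octarine's kube-scan. The
checks and the 1..10 scores are illustrative assumptions, not KCCSS values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    score: int   # assumed severity on a 1..10 scale, 10 = most severe
    detail: str


def _containers(spec: dict) -> list:
    """Init containers and regular containers are both scanned."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def scan_pod_spec(spec: dict) -> list[Finding]:
    """Return one Finding per risky setting present in a pod spec."""
    out: list[Finding] = []
    if spec.get("hostNetwork"):
        out.append(Finding("hostNetwork", 7, "pod shares the node's network namespace"))
    if spec.get("hostPID"):
        out.append(Finding("hostPID", 8, "pod can see and signal host processes"))
    if spec.get("hostIPC"):
        out.append(Finding("hostIPC", 6, "pod shares the node's IPC namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "?")
            out.append(Finding("hostPath", 9 if path == "/" else 7,
                               f"volume {vol.get('name')} mounts host path {path}"))
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(Finding("privileged", 10, f"container {name} runs privileged"))
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            out.append(Finding("allowPrivilegeEscalation", 5,
                               f"container {name} may gain privileges via setuid binaries"))
        # Without runAsNonRoot/runAsUser the image's default user (often uid 0) is used.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            out.append(Finding("runAsRoot", 6, f"container {name} may run as uid 0"))
        if not sc.get("readOnlyRootFilesystem"):
            out.append(Finding("writableRootFs", 3, f"container {name} has a writable root filesystem"))
        added = {cap for cap in (sc.get("capabilities") or {}).get("add", [])}
        if added & {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}:
            out.append(Finding("capabilities", 8, f"container {name} adds {sorted(added)}"))
    return out


def workload_score(spec: dict, internet_exposed: bool) -> int:
    """Worst finding score; assumed rule: +1 (capped at 10) when the workload is Internet-reachable."""
    findings = scan_pod_spec(spec)
    if not findings:
        return 0
    worst = max(f.score for f in findings)
    return min(10, worst + 1) if internet_exposed else worst


# Constructed sample pod specs (not from the article): the risky workload from the
# scenario above, beside a hardened version of the same container.
RISKY_POD = {
    "hostPID": True,
    "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "web",
        "image": "example/web:1.0",
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
    }],
}

HARDENED_POD = {
    "containers": [{
        "name": "web",
        "image": "example/web:1.0",
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: score {workload_score(spec, internet_exposed=True)}")
        for f in sorted(scan_pod_spec(spec), key=lambda f: -f.score):
            print(f"  [{f.score:>2}] {f.check}: {f.detail}")
```

Running it lists the risky pod's seven findings ranked by score, with the privileged container at the top, and reports nothing for the hardened pod. The point is the same one the article makes: none of these fields is a software vulnerability, yet together they turn a compromise of one Internet-facing container into root on the node.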
KCCSS is modeled on the Common Vulnerability Scoring System (CVSS), but it was designed to score configuration errors and insecure security settings rather than software vulnerabilities. It assigns each risk a separate score from one to 10 (10 being the most severe), allowing users to calculate the risk of their settings in a production runtime environment.
The kube-scan tool identifies the risks associated with specific workloads, highlights their potential consequences and offers a prioritized list of remediation options. It does this by mapping each workload's current configuration to the KCCSS-scored settings.
Both projects build on the Center for Internet Security's (CIS) Benchmarks for Docker and Kubernetes, and will be updated as CIS posts recommendations for new versions of these software packages.
KCCSS is licensed under the MIT License and is available on GitHub, as is kube-scan. Both tools are also available as part of the company's commercially supported Guardrails cloud native security platform.