StackRox KubeLinter Brings Security Linting to Kubernetes
In the late 1970s, famed developer Stephen C. Johnson came up with a static code analysis tool, lint, which flagged programming mistakes, bugs, and improper structures. You can argue that lint played a large role in making C and Unix so popular. Today, Kubernetes is already wildly popular, but boy is it easy to make mistakes, introduce logic bugs, and set structures up wrong. So, clearly, it’s time for StackRox‘s new KubeLinter tool.
Just like lint back in its heyday, KubeLinter fills a real need.
As StackRox Software Engineer Viswajith Venugopal explained, “KubeLinter was born out of a pain point that we know only too well at StackRox, both from our internal clusters, and from listening to our customers: configuring Kubernetes applications is hard! There are lots of knobs and dials, and it can be overwhelming just to get your pods to come up and talk to each other. But even getting there doesn’t mean you’re ready to deploy in production — defaults in Kubernetes configurations are typically not geared towards security and production-readiness.”
No, no they’re not. Kubernetes is very powerful but it’s a bear to secure. To mention just a few issues, it’s not at all easy to co-ordinate Role-Based Access Control (RBAC) with traditional Linux security. Then, there’s the non-trivial job of securing Kubernetes Secrets, which are stored in etcd, Kubernetes’ default distributed key-value store. So far, so good, but, etcd data is not encrypted by default and, therefore, neither are your secrets.
I could go on and on, but you get the idea. To secure Kubernetes you need all the help you can get. That’s where KubeLinter comes in.
KubeLinter analyzes Kubernetes YAML files and Helm charts and checks them against a variety of best practices. Its focus is to clean them of security errors. A sample run:
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.)
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.)
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.)
Error: found 3 lint errors
Some of these are very simple errors, but no less dangerous for that. For example, out of the box, KubeLinter checks to make sure you’re running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
You can configure KubeLinter so that you can enable and disable checks, and create your own custom checks. As Venugopal wrote, “We’ve designed KubeLinter to ensure that writing custom checks requires minimal work from the user, and has a very small learning curve.”
KubeLinter is written in Go and packaged as a static, self-contained binary, so it installs in seconds. Once you point it to your Helm charts and YAML files, it should give you results immediately.
You can also use KubeLinter inline with your continuous integration (CI) tool, Support is already available to use it with GitHub Action, Jenkins, Travis CI. or CircleCI. This makes KubeLinter even more valuable since your developers can automatically problems in the production pipeline.
If this sounds great, well it should. KubeLinter shows promise of being a truly useful Kubernetes development tool. That said, keep in mind that it’s only an alpha program at this stage of the game. There will be breaking changes in the future to the command usage, flags, and configuration file formats. However, StackRox wants you to start using it in your testing and would love it if you were to make bug reports and contribute to KubeLinter’s open-source Apache 2-licensed code.
Feature image by Alex Simpson on Unsplash.