[HN Gopher] Kubescape - first open-source tool to test K8s accor...
___________________________________________________________________
Kubescape - first open-source tool to test K8s according to NSA and CISA

Author : jkaftzan
Score  : 96 points
Date   : 2021-09-04 20:55 UTC (2 hours ago)

  | jkaftzan wrote:
  | Kubescape is the first open-source tool for testing if Kubernetes
  | is deployed securely as defined in the Kubernetes Hardening
  | Guidance by NSA and CISA
  | 
    | tbalsam wrote:
    | Something about the capitalization in this comment + the above
    | scares me somehow.
    | 
      | jkaftzan wrote:
      | Not sure I understand, can you explain?
      | 
        | imw wrote:
        | May I introduce you to my friend and colleague, Hardening
        | Guidance?
  | 
  | anotherhue wrote:
  | I politely suggest that a security focused tool should not
  | further the curl|bash pattern.
  | 
    | geofft wrote:
    | What alternative pattern would you suggest?
    | 
      | anotherhue wrote:
      | Binary packages, maybe through GitHub releases. Debian
      | packages, potentially upstreamed into the package repos
      | (though that's some effort).
      | 
      | It's quite presumptive to presume to know how a target system
      | is to be configured.
      | 
      | No matter which alternative, curl|bash is enough of a security
      | risk to never use:
      | https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
      | 
      | gpg can help (below from zerotier):
      | 
      |     curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/maste...' | gpg --import && \
      |     if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
      | 
        | geofft wrote:
        | What's the advantage of binary packages through GitHub
        | releases? How do you audit them?
        | 
        | I'm aware of the fact that you can detect curl | bash
        | server-side, and it's a neat trick, but I don't understand
        | the security risk of it. The server is supplying you with
        | arbitrary content that you're not auditing - what does it
        | matter if it supplies you _different_ arbitrary content?
        | 
        | What's the advantage of the GPG approach? Last I checked,
        | the GPG command was capable of signing malicious binaries.
        | 
        | I do agree about the configuration argument. But that's not
        | a _security_ argument.
        | 
          | anotherhue wrote:
          | I think you may be conflating the application owner and
          | the delivery system. If we're installing the application
          | I think we're implicitly trusting the author.
          | 
          | If you copy/paste http instead of https then you've given
          | execution control to every single middlebox along the
          | way.
          | 
          | If the code is hosted on an evil sourceforge, then you've
          | given them execution control.
          | 
          | deb packages will do signature checks, and many authors
          | will list checksums in their releases which we can use to
          | verify.
  | 
  | lukevp wrote:
  | There is debate on whether this is really a security concern.
  | 
  | [0] https://www.arp242.net/curl-to-sh.html
  | [1] https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...
  | 
    | sildur wrote:
    | There is a vast community who thinks it's bad, and unsafe
    | (with examples on how to detect direct piping to bash in
    | order to serve malware) and a few ones condoning it. That
    | seems like saying there is currently a debate on the
    | roundness of the planet Earth.
    | 
      | kentonv wrote:
      | Yes, it's exactly like that, but not in the way you think.
      | 
      | One side is a small-but-vocal minority making silly
      | arguments. "how to detect direct piping to bash in order to
      | serve malware"? An attacker who tries to serve different
      | things to different people will easily be caught, and a
      | simple diff will highlight their exploit. A much more
      | robust attack strategy is to serve the same malware to
      | everyone but obfuscate it. Make the vulnerability look like
      | an innocent bug, and you have plausible deniability. This
      | same attack works for every approach to software
      | distribution, it's not unique to curl|bash.
      | 
      | The vast majority of pragmatic people just don't think
      | there's an issue here, don't find these arguments
      | convincing, and don't care to argue about it. I run the
      | Sandstorm project, which uses curl|bash, and this issue
      | really hasn't impacted adoption. Our users aren't naive,
      | they understand what curl|bash is, but they also recognize
      | that obviously by installing our software they are giving
      | us arbitrary code execution. Users who don't trust us
      | install Sandstorm in a separate VM -- the only reasonable
      | way to run software you are suspicious of.
      | 
      | geofft wrote:
      | Right. Actually, since it's hard to tell if the earth is
      | round by observation, I'd say it's more like a debate on
      | whether the Sun goes around the Earth. You can just look up
      | in the sky and see it move - the folks saying otherwise are
      | obviously cranks. There's no need to listen to their
      | arguments.
      | 
        | sildur wrote:
        | It's not hard to tell if the earth is round by
        | observation. You only need feet, a stick, and brains.
        | 
        | About your second observation, please keep it quiet. We
        | have more than enough with the flat-earthers. We do not
        | need another cult.
  | 
  | [deleted]
  | 
  | torgard wrote:
  | This couldn't have come at a better time! I have to do a report
  | on hardening and such of our infrastructure next week.
  | 
  | Great!
  | 
    | jkaftzan wrote:
    | Excellent, good luck! Let me know if you need any help
  | 
  | sdze wrote:
  | Kubernetes? God forbid! Very few companies have mastered this
  | technology, and frankly, no one needs it. That such a testing
  | tool is necessary confirms my assumption. Security is now
  | outsourced.
  | 
  | zxspectrum1982 wrote:
  | How is this different from auditing and hardening your Kubernetes
  | nodes with OpenSCAP data streams (AKA "profiles")?
  | 
  | domnomnom wrote:
  | Is security a zero sum game?
  | 
    | whatshisface wrote:
    | It's negative sum overall because it takes smart people away
    | from other things.
  | 
  | gravypod wrote:
  | I love that since Kube is a standard API we can implement
  | preflight checks like this that work for "any" kube cluster
  | automatically.
  | 
    | jkaftzan wrote:
    | Cool! Happy to hear that. If you have any ideas or comments
    | about Kubescape, we would love to hear them
    | 
      | gravypod wrote:
      | If you could check for container signing and provenance on
      | all materials and make sure that only a single registry is
      | being used (ex only `internal.company.com:443`) and make sure
      | it's not possible to schedule pods with unsigned/untrusted
      | containers that would be awesome.
      | 
        | eris_agx wrote:
        | For materials you can use syft
        | https://github.com/anchore/syft
        | 
          | jkaftzan wrote:
          | Interesting, I'll send that to our dev team. BTW - you can
          | suggest these things on Kubescape page @ Github and see
          | status etc.
  | 
  | [deleted]
  | 
  | j03b wrote:
  | This tool is great! Ran through all these checks and deployed
  | them to our cluster the other day.
  | 
  | Immutable fs & non-root is easier than I thought to deploy with
  | k8s, going to be looking into privilege drops this week too.
  | 
    | jkaftzan wrote:
    | Thanks a lot! Let us know if you have any comments or ideas
  | 
  | ButterWashed wrote:
  | Does the NSA/CISA advice differ significantly from CIS? KubeBench
  | does a great job of CIS assessment.
___________________________________________________________________
(page generated 2021-09-04 23:00 UTC)
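As an added illustration of the kind of preflight check gravypod describes and the controls j03b mentions (non-root, immutable filesystem, privilege drops, a single trusted registry), here is a small Python checker over Pod manifests. It is constructed for this page and is not Kubescape's code; the `TRUSTED_REGISTRY` value and the two sample manifests are assumptions.

```python
# Hypothetical policy value: the single registry the cluster may pull from.
TRUSTED_REGISTRY = "internal.company.com:443"


def _registry_of(image: str) -> str:
    # Docker's rule: the first path component is a registry only if it
    # contains '.' or ':' or is "localhost"; otherwise the image is on Hub.
    if "/" not in image:                      # e.g. "busybox:latest"
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"                        # e.g. "library/nginx"


def check_pod(pod: dict) -> list:
    """Return the list of failed controls for one Pod manifest (empty = pass)."""
    failures = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for field in ("hostPID", "hostNetwork", "hostIPC"):   # host namespace sharing
        if spec.get(field):
            failures.append(f"{name}: spec.{field} is enabled")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ref, sc, image = f"{name}/{c.get('name', '?')}", c.get("securityContext", {}), c.get("image", "")
        # Container-level securityContext overrides the Pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            failures.append(f"{ref}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            failures.append(f"{ref}: root filesystem is writable")
        if sc.get("privileged"):
            failures.append(f"{ref}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # API default is true
            failures.append(f"{ref}: allowPrivilegeEscalation is not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            failures.append(f"{ref}: capabilities.drop does not include ALL")
        if _registry_of(image) != TRUSTED_REGISTRY:
            failures.append(f"{ref}: image {image!r} is not from {TRUSTED_REGISTRY}")
        if "@sha256:" not in image:               # a tag can move; a digest cannot
            failures.append(f"{ref}: image is not pinned by digest")
    return failures


# Constructed sample manifests, as the dicts a YAML parser would produce.
HARDENED = {"metadata": {"name": "web"}, "spec": {"containers": [{
    "name": "app", "image": f"{TRUSTED_REGISTRY}/app/web@sha256:{'a' * 64}",
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}}}]}}
SLOPPY = {"metadata": {"name": "debug"}, "spec": {"hostPID": True, "containers": [{
    "name": "shell", "image": "busybox:latest", "securityContext": {"privileged": True}}]}}
```

Running `check_pod` over the two manifests returns no findings for `HARDENED` and eight for `SLOPPY`; the digest check stands in for the signature/provenance verification gravypod asks for, which needs a signing tool rather than a manifest inspection.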