[HN Gopher] Kubescape - first open-source tool to test K8s accor...
       ___________________________________________________________________
        
       Kubescape - first open-source tool to test K8s according to NSA and
       CISA
        
       Author : jkaftzan
       Score  : 96 points
       Date   : 2021-09-04 20:55 UTC (2 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | jkaftzan wrote:
       | Kubescape is The first open-source tool for testing if Kubernetes
       | is deployed securely as defined in the Kubernetes Hardening
       | Guidance by NSA and CISA
        
         | tbalsam wrote:
         | Something about the capitalization in this comment + the above
         | scares me somehow.
        
           | jkaftzan wrote:
            | Not sure I understand, can you explain?
        
           | imw wrote:
           | May I introduce you to my friend and colleague, Hardening
           | Guidance?
        
       | anotherhue wrote:
       | I politely suggest that a security focused tool should not
       | further the curl|bash pattern.
        
         | geofft wrote:
         | What alternative pattern would you suggest?
        
           | anotherhue wrote:
            | Binary packages, maybe through GitHub releases. Debian
            | packages, potentially upstreamed into the package repos
            | (though that's some effort).
           | 
           | It's quite presumptive to presume to know how a target system
           | is to be configured.
           | 
           | no matter which alternative, curl|bash is security risk
           | enough to never use:
           | https://www.idontplaydarts.com/2016/04/detecting-curl-
           | pipe-b...
           | 
            | gpg can help (below from zerotier):
            | 
            |   curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/maste...' | gpg --import && \
            |     if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
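The pattern the comment above argues for, as an added example (my code, not Kubescape's and not the commenter's): fetch the installer in full, check it against a checksum pinned out of band in `sha256sum` format, and only then write it to disk and execute it. Nothing runs until the whole body has been received and verified, which is exactly what `curl | bash` cannot guarantee. The URL, the `SHA256SUMS` text and the installer body are constructed for the example; `fetch` is a stand-in for the real HTTPS download so the script runs offline.

```python
"""Fetch in full, verify against a pinned checksum, then execute.

Added example of the download-verify-run pattern; not the project's code.
"""
import hashlib
import hmac
import os
import stat
import subprocess
import tempfile
from urllib.parse import urlparse


def parse_sha256sums(text):
    """Parse `sha256sum`-style lines ("<hex>  <filename>") into {filename: hex}.

    Tolerates blank lines, '#' comments and the '*' binary-mode marker.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition(" ")
        filename = filename.strip().lstrip("*")
        if len(digest) != 64 or any(ch not in "0123456789abcdefABCDEF" for ch in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[filename] = digest.lower()
    return sums


def verify_installer(data, expected_hex):
    """Constant-time comparison of the body's SHA-256 with the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_verified(url, sums_text, fetch):
    """Return the installer bytes only if the URL is https, a checksum is
    pinned for that filename and the complete body matches it.

    `fetch(url)` must return the whole response body as bytes.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-https URL: {url}")
    filename = parsed.path.rsplit("/", 1)[-1]
    sums = parse_sha256sums(sums_text)
    if filename not in sums:
        raise ValueError(f"no pinned checksum for {filename}")
    data = fetch(url)  # complete body; a dropped connection yields a short body
    if not verify_installer(data, sums[filename]):
        raise ValueError(f"checksum mismatch for {filename}: refusing to run")
    return data


def run_installer(data, interpreter="/bin/sh", execute=False):
    """Write the verified script to a private temp file and (optionally) run it.

    The file is complete on disk before the interpreter ever sees it, so a
    truncated download cannot execute a half-finished command.
    """
    fd, path = tempfile.mkstemp(prefix="installer-", suffix=".sh")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IXUSR)
    if execute:
        subprocess.run([interpreter, path], check=True)
    return path


# Constructed sample data (not a real release): a tiny installer, a hypothetical
# release URL and a SHA256SUMS file.  In real use the checksum comes from the
# release page or a signed checksum file, never from the same pipe as the script.
INSTALLER = b"#!/bin/sh\nset -eu\nmkdir -p /opt/example\necho installed\n"
INSTALLER_URL = "https://example.invalid/releases/v1.0/install.sh"
PINNED_SUMS = f"{hashlib.sha256(INSTALLER).hexdigest()}  install.sh\n"


def fetch_ok(url):
    """Stand-in for a successful HTTPS download."""
    return INSTALLER


def fetch_truncated(url):
    """Stand-in for a connection that dropped mid-download."""
    return INSTALLER[:-8]


if __name__ == "__main__":
    body = fetch_verified(INSTALLER_URL, PINNED_SUMS, fetch_ok)
    print(f"verified {len(body)} bytes; staged at {run_installer(body)}")
```

Swap `fetch` for a real `urllib.request` or `requests` call and `PINNED_SUMS` for the checksum file published with the release; the gpg step from the comment above sits naturally in front of `parse_sha256sums` (verify the signature on the checksum file, then trust its contents).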
        
             | geofft wrote:
             | What's the advantage of binary packages through GitHub
             | releases? How do you audit them?
             | 
             | I'm aware of the fact that you can detect curl | bash
             | server-side, and it's a neat trick, but I don't understand
             | the security risk of it. The server is supplying you with
             | arbitrary content that you're not auditing - what does it
             | matter if it supplies you _different_ arbitrary content?
             | 
             | What's the advantage of the GPG approach? Last I checked,
             | the GPG command was capable of signing malicious binaries.
             | 
             | I do agree about the configuration argument. But that's not
             | a _security_ argument.
        
               | anotherhue wrote:
               | I think you may be conflating the application owner and
               | the delivery system. If we're installing the application
               | I think we're implicitly trusting the author.
               | 
               | If you copy/paste http instead of https then you've given
               | execution control to every single middlebox along the
               | way.
               | 
               | If the code is hosted on an evil sourceforge, then you've
               | given them execution control.
               | 
                | deb packages will do signature checks, and many authors
               | will list checksums in their releases which we can use to
               | verify.
        
         | lukevp wrote:
         | There is debate on whether this is really a security concern.
         | 
         | [0] https://www.arp242.net/curl-to-sh.html [1]
         | https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...
        
           | sildur wrote:
           | There is a vast community who thinks it's bad, and unsafe
           | (with examples on how to detect direct piping to bash in
           | order to serve malware) and a few ones condoning it. That
           | seems like saying there is currently a debate on the
           | roundness of the planet Earth.
        
             | kentonv wrote:
             | Yes, it's exactly like that, but not in the way you think.
             | 
             | One side is a small-but-vocal minority making silly
             | arguments. "how to detect direct piping to bash in order to
             | serve malware"? An attacker who tries to serve different
             | things to different people will easily be caught, and a
             | simple diff will highlight their exploit. A much more
             | robust attack strategy is to serve the same malware to
             | everyone but obfuscate it. Make the vulnerability look like
             | an innocent bug, and you have plausible deniability. This
             | same attack works for every approach to software
             | distribution, it's not unique to curl|bash.
             | 
             | The vast majority of pragmatic people just don't think
             | there's an issue here, don't find these arguments
             | convincing, and don't care to argue about it. I run the
             | Sandstorm project, which uses curl|bash, and this issue
             | really hasn't impacted adoption. Our users aren't naive,
             | they understand what curl|bash is, but they also recognize
             | that obviously by installing our software they are giving
             | us arbitrary code execution. Users who don't trust us
             | install Sandstorm in a separate VM -- the only reasonable
             | way to run software you are suspicious of.
        
             | geofft wrote:
             | Right. Actually, since it's hard to tell if the earth is
              | round by observation, I'd say it's more like a debate on
             | whether the Sun goes around the Earth. You can just look up
             | in the sky and see it move - the folks saying otherwise are
             | obviously cranks. There's no need to listen to their
             | arguments.
        
               | sildur wrote:
               | It's not hard to tell if the earth is round by
               | observation. You only need feet, a stick, and brains.
               | 
               | About your second observation, please keep it quiet. We
               | have more than enough with the flat-earthers. We do not
               | need another cult.
        
         | [deleted]
        
       | torgard wrote:
       | This couldn't have come at a better time! I have to do a report
       | on hardening and such of our infrastructure next week.
       | 
       | Great!
        
         | jkaftzan wrote:
         | excellent, good luck! let me know if you need any help
        
       | sdze wrote:
       | Kubernetes? God forbid! Very few companies have mastered this
       | technology, and frankly, no one needs it. That such a testing
       | tool is necessary confirms my assumption. Security is now
       | outsourced.
        
       | zxspectrum1982 wrote:
       | How is this different from auditing and hardening your Kubernetes
       | nodes with OpenSCAP data streams (AKA "profiles")?
        
       | domnomnom wrote:
       | Is security a zero sum game?
        
         | whatshisface wrote:
         | It's negative sum overall because it takes smart people away
         | from other things.
        
       | gravypod wrote:
       | I love that since Kube is a standard API we can implement
       | preflight checks like this that work for "any" kube cluster
       | automatically.
        
         | jkaftzan wrote:
         | cool! happy to hear that. if you have any ideas or comments
         | about Kubescape, we would love to hear them
        
           | gravypod wrote:
            | If you could check for container signing and provenance on
           | all materials and make sure that only a single registry is
           | being used (ex only `internal.company.com:443`) and make sure
           | it's not possible to schedule pods with unsigned/untrusted
           | containers that would be awesome.
        
             | eris_agx wrote:
             | For materials you can use syft
             | https://github.com/anchore/syft
        
             | jkaftzan wrote:
             | interesting, I'll send that to our dev team. BTW - you can
             | suggest these things on Kubescape page @ Github and see
             | status etc.
        
               | [deleted]
        
       | j03b wrote:
       | This tool is great! Ran through all these checks and deployed
       | them to our cluster the other day.
       | 
       | Immutable fs & non-root is easier than I thought to deploy with
       | k8s, going to be looking into privilege drops this week too.
        
         | jkaftzan wrote:
         | thanks a lot! let us know if you have any comments or ideas
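The preflight checks gravypod asks for above (a single allowed registry, no unpinned or untrusted images) together with the hardening j03b mentions (read-only root filesystem, non-root, dropped capabilities), as an added example in Python. This is my code, not Kubescape's, and it does not verify signatures; it walks the JSON that `kubectl get pods -A -o json` returns and reports what fails. The registry `internal.company.com:443` and the sample PodList are constructed for the example.

```python
"""Preflight checks over Pod manifests: allowlisted registry, digest pinning,
non-root, read-only root filesystem, dropped capabilities.

Added example; not Kubescape's own code.
"""
import json

# Assumption for the example: the only registry pods may pull from.
ALLOWED_REGISTRIES = {"internal.company.com:443"}


def parse_image(ref):
    """Split an image reference into (registry, name, tag, digest).

    Uses the Docker reference rule: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise docker.io.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    else:
        registry, name = "docker.io", ref
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return registry, name, tag, digest


def check_pod(pod):
    """Return (pod, container, finding) tuples; an empty list means compliant."""
    meta = pod.get("metadata", {})
    where = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "?")
        sc = c.get("securityContext", {})
        registry, _name, _tag, digest = parse_image(c.get("image", ""))
        if registry not in ALLOWED_REGISTRIES:
            findings.append((where, cname, f"image pulled from non-allowlisted registry {registry}"))
        if digest is None:
            findings.append((where, cname, "image not pinned by digest (a tag can be re-pointed)"))
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((where, cname, "runAsNonRoot is not true"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((where, cname, "readOnlyRootFilesystem is not true"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((where, cname, "capabilities.drop does not include ALL"))
        if sc.get("privileged") is True:
            findings.append((where, cname, "container is privileged"))
    return findings


def check_pod_list(doc):
    """Accept a PodList or a single Pod document."""
    items = doc["items"] if doc.get("kind") == "PodList" else [doc]
    return [f for pod in items for f in check_pod(pod)]


# Constructed sample in the shape of `kubectl get pods -A -o json` output:
# one compliant pod and one that fails several checks.
SAMPLE = json.loads("""
{"kind": "PodList", "items": [
 {"metadata": {"namespace": "prod", "name": "api"},
  "spec": {"securityContext": {"runAsNonRoot": true},
           "containers": [{"name": "api",
             "image": "internal.company.com:443/team/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
             "securityContext": {"readOnlyRootFilesystem": true,
                                 "capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"namespace": "dev", "name": "web"},
  "spec": {"containers": [
     {"name": "web", "image": "nginx:1.21"},
     {"name": "sidecar", "image": "internal.company.com:443/team/sidecar:v1",
      "securityContext": {"runAsNonRoot": true, "readOnlyRootFilesystem": true}}]}}
]}
""")

if __name__ == "__main__":
    for pod, container, finding in check_pod_list(SAMPLE):
        print(f"{pod} [{container}]: {finding}")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 preflight.py` after replacing `SAMPLE` with `json.load(sys.stdin)`. Enforcing rather than reporting (refusing to schedule pods from other registries or without digests) belongs in an admission controller, which is beyond what this check does.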
        
       | ButterWashed wrote:
       | Does the NSA/CISA advice differ significantly from CIS? KubeBench
       | does a great job of CIS assessment.
        
       ___________________________________________________________________
       (page generated 2021-09-04 23:00 UTC)