Evaluate needed security measures as defined in Kubernetes Hardening Guidance
Background
The Kubernetes Hardening Guidance by NSA and CISA details recommendations to harden Kubernetes systems;
while some security measures depend on the target cluster and its architecture, others are closely related to containers and Pods, due to possible vulnerabilities, misconfiguration, and wrong privileges.
Proposal
To speed up the recognition and fix of possible breaches, we could test the armosec/kubescape utility against the namespace of a freshly installed capsule;
then, consider which actions to take and which to exclude as out of scope/unrepairable.
Tests Output
Cluster scan:
Namespaces:
- capsule-system
- tenant-security-ns
capsule-cluster-nsa-2021-10-29.log capsule-cluster-mitre-2021-10-29.log
NSA

Resources affected:
| ALL RESOURCES | RESOURCE NAME | NAMESPACE | FAILED CONTROLS |
|---|---|---|---|
| ClusterRole | cluster-admin | | C-0035 , C-0002 |
| ClusterRole | admin | | C-0002 |
| ClusterRoleBinding | capsule-manager-rolebinding | | C-0035 , C-0002 |
| ClusterRoleBinding | cluster-admin | | C-0035 , C-0002 |
| ConfigMap | kube-root-ca.crt | tenant-security-ns | C-0012 |
| ConfigMap | kube-root-ca.crt | capsule-system | C-0012 |
| Deployment | capsule-controller-manager | capsule-system | C-0017 , C-0055 , +1 |
| Namespace | capsule-system | | C-0011 |
| RoleBinding | namespace:admin | tenant-security-ns | C-0002 |
| ServiceAccount | default | capsule-system | C-0034 |
| ServiceAccount | default | tenant-security-ns | C-0034 |
| ServiceAccount | capsule | capsule-system | C-0034 |
MITRE

Resources affected:
| ALL RESOURCES | RESOURCE NAME | NAMESPACE | FAILED CONTROLS |
|---|---|---|---|
| ClusterRole | system:controller:pod-garbage-collector | | C-0007 |
| ClusterRole | system:kube-controller-manager | | C-0015 , C-0007 |
| ClusterRole | admin | | C-0002 , C-0015 , +1 |
| ClusterRole | system:controller:resourcequota-controller | | C-0015 |
| ClusterRole | system:kube-scheduler | | C-0007 |
| ClusterRole | system:controller:statefulset-controller | | C-0007 |
| ClusterRole | system:controller:job-controller | | C-0007 |
| ClusterRole | system:controller:daemon-set-controller | | C-0007 |
| ClusterRole | system:controller:expand-controller | | C-0015 |
| ClusterRole | system:controller:namespace-controller | | C-0015 , C-0031 , +1 |
| ClusterRole | system:controller:horizontal-pod-autoscaler | | C-0015 |
| ClusterRole | system:controller:deployment-controller | | C-0007 |
| ClusterRole | system:controller:replication-controller | | C-0007 |
| ClusterRole | system:controller:persistent-volume-binder | | C-0015 , C-0007 |
| ClusterRole | system:controller:node-controller | | C-0007 |
| ClusterRole | system:controller:ttl-after-finished-controller | | C-0007 |
| ClusterRole | system:controller:replicaset-controller | | C-0007 |
| ClusterRole | capsule-proxy-role | | C-0053 |
| ClusterRole | system:controller:generic-garbage-collector | | C-0015 , C-0031 , +1 |
| ClusterRole | system:controller:cronjob-controller | | C-0007 |
| ClusterRole | local-path-provisioner-role | | C-0007 |
| ClusterRole | cluster-admin | | C-0053 , C-0035 , +4 |
| ClusterRoleBinding | system:controller:ttl-after-finished-controller | | C-0007 |
| ClusterRoleBinding | system:controller:deployment-controller | | C-0007 |
| ClusterRoleBinding | system:controller:cronjob-controller | | C-0007 |
| ClusterRoleBinding | system:controller:namespace-controller | | C-0015 , C-0031 , +1 |
| ClusterRoleBinding | system:controller:expand-controller | | C-0015 |
| ClusterRoleBinding | system:controller:statefulset-controller | | C-0007 |
| ClusterRoleBinding | system:controller:node-controller | | C-0007 |
| ClusterRoleBinding | system:controller:persistent-volume-binder | | C-0015 , C-0007 |
| ClusterRoleBinding | system:controller:daemon-set-controller | | C-0007 |
| ClusterRoleBinding | system:controller:horizontal-pod-autoscaler | | C-0015 |
| ClusterRoleBinding | system:controller:job-controller | | C-0007 |
| ClusterRoleBinding | system:controller:replication-controller | | C-0007 |
| ClusterRoleBinding | system:controller:pod-garbage-collector | | C-0007 |
| ClusterRoleBinding | system:controller:resourcequota-controller | | C-0015 |
| ClusterRoleBinding | system:kube-scheduler | | C-0007 |
| ClusterRoleBinding | local-path-provisioner-bind | | C-0007 |
| ClusterRoleBinding | capsule-manager-rolebinding | | C-0053 , C-0035 , +4 |
| ClusterRoleBinding | cluster-admin | | C-0035 , C-0002 , +3 |
| ClusterRoleBinding | system:controller:generic-garbage-collector | | C-0015 , C-0031 , +1 |
| ClusterRoleBinding | system:controller:replicaset-controller | | C-0007 |
| ClusterRoleBinding | capsule-proxy-rolebinding | | C-0053 |
| ClusterRoleBinding | system:kube-controller-manager | | C-0015 , C-0007 |
| ConfigMap | kube-root-ca.crt | capsule-system | C-0012 |
| ConfigMap | kube-root-ca.crt | tenant-security-ns | C-0012 |
| Deployment | capsule-controller-manager | capsule-system | C-0053 |
| MutatingWebhookConfiguration | capsule-mutating-webhook-configuration | | C-0039 |
| Namespace | capsule-system | | C-0054 , C-0049 |
| RoleBinding | namespace:admin | tenant-security-ns | C-0002 , C-0015 , +1 |
| ValidatingWebhookConfiguration | capsule-validating-webhook-configuration | | C-0036 |
HELM Charts scan:
capsule-helm-nsa-2021-10-29.log capsule-helm-mitre-2021-10-29.log
Test parameters
- Kubernetes version: kind - v1.21.2
- Capsule version: helm release v0.1.0
- Helm chart version: v0.1.3
- Kubescape version: v1.0.128
@ptx96 can you run the test suite again excluding the Capsule Namespace and update the comment with the new results?
We can ignore the capsule-system Namespace since our Operator has to act as cluster admin.
Added more tests to the issue description.
> @ptx96 can you run the test suite again excluding the Capsule Namespace and update the comment with the new results?

In this way, only cluster-wide resources have been retrieved (probably out of scope).

> We can ignore the capsule-system Namespace since our Operator has to act as cluster admin.

I don't think we should ignore the capsule-system namespace, because we'd lose focus on some interesting checks.
@maxgio92 could you please take care of this along with @ptx96 ?
I spun up a new round of control of clusters and charts after kubescape and Capsule had been updated to the most recent version.
We should discuss which elements need to be excluded from scrutiny as impossible to circumvent (risk acceptance);
furthermore, it would be useful to put these controls inside the Capsule GitHub Actions CI.
@bsctl @prometherion WDYT?
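The scan-and-triage loop proposed in the issue body, together with the CI gate suggested in the comment above, as an added example; this is not Capsule's or kubescape's own code. The kubescape invocations (`scan framework nsa|mitre`, `--exclude-namespaces`, reading rendered manifests from stdin with `-`) follow the kubescape README of the v1.0.x era and are assumed to apply to v1.0.128; the Helm repo name `clastix`, the `ACCEPTED_FINDINGS` allowlist format and the sample table are constructed for this example. The triage step keeps only namespaced findings outside the accepted namespaces, which is the scope the first comment proposes; both lists are variables, so keeping capsule-system in scope, as the reply argues, is a one-line change.

```shell
#!/bin/sh
# Added example: scan a Capsule cluster with kubescape, then triage the
# "Resources affected" table against an accepted-risk list so that whatever
# remains can fail a CI job. Not part of Capsule or kubescape.
set -e

# Namespaces whose findings are accepted as out of scope (the first comment in
# the thread proposes capsule-system because the operator runs as cluster-admin).
ACCEPTED_NAMESPACES="${ACCEPTED_NAMESPACES:-capsule-system}"

# Per-resource accepted risks, space separated, as Kind/name/namespace:C-XXXX.
# Hypothetical format invented for this example; empty by default.
ACCEPTED_FINDINGS="${ACCEPTED_FINDINGS:-}"

# Framework scan (nsa or mitre) against the live cluster, log kept on disk.
# Flags assumed from the kubescape v1.0.x README.
kubescape_scan() {
  fw=$1; log=$2
  kubescape scan framework "$fw" --exclude-namespaces "$ACCEPTED_NAMESPACES" | tee "$log"
}

# Same scan over the rendered Helm chart (Helm repo name "clastix" assumed).
kubescape_scan_chart() {
  fw=$1; log=$2
  helm template capsule clastix/capsule | kubescape scan framework "$fw" - | tee "$log"
}

# Read a "Resources affected" markdown table on stdin and print one line per
# finding still in scope: KIND NAME NAMESPACE CONTROLS. Cluster-wide resources
# (empty NAMESPACE), accepted namespaces and accepted per-resource controls are
# dropped.
triage() {
  awk -F'|' -v skip="$ACCEPTED_NAMESPACES" -v findings="$ACCEPTED_FINDINGS" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN {
      n = split(skip, a, ","); for (i = 1; i <= n; i++) accepted_ns[a[i]] = 1
      m = split(findings, f, " "); for (i = 1; i <= m; i++) if (f[i] != "") accepted[f[i]] = 1
    }
    !/^\|/ { next }                        # not a table row
    trim($2) == "ALL RESOURCES" { next }   # header
    $2 ~ /^[ \t]*-+[ \t]*$/ { next }       # separator
    {
      kind = trim($2); name = trim($3); ns = trim($4); controls = trim($5)
      # The table in this issue shows cluster-wide rows with the controls in the
      # NAMESPACE column; tolerate that layout and treat the row as cluster-wide.
      if (ns ~ /^C-/) { controls = ns; ns = "" }
      if (ns == "" || (ns in accepted_ns)) next
      key = kind "/" name "/" ns
      nc = split(controls, c, /[ \t]*,[ \t]*/)
      out = ""
      for (i = 1; i <= nc; i++) {
        if ((key ":" c[i]) in accepted) continue   # accepted risk for this resource
        sep = (out == "") ? "" : ","
        out = out sep c[i]
      }
      if (out == "") next
      print kind, name, ns, out
    }'
}

# CI gate: non-zero exit when any finding is still in scope after triage.
ci_gate() {
  left=$(triage)
  if [ -n "$left" ]; then
    printf 'kubescape findings still in scope:\n%s\n' "$left" >&2
    return 1
  fi
  echo "no kubescape findings in scope"
}

# Constructed sample: rows copied from the NSA table in this issue, including
# one cluster-wide row in the shifted layout the issue shows.
SAMPLE_TABLE='| ALL RESOURCES | RESOURCE NAME | NAMESPACE | FAILED CONTROLS |
|---|---|---|---|
| ClusterRole | cluster-admin | C-0035 , C-0002 | |
| ClusterRoleBinding | capsule-manager-rolebinding | | C-0035 , C-0002 |
| ConfigMap | kube-root-ca.crt | tenant-security-ns | C-0012 |
| ConfigMap | kube-root-ca.crt | capsule-system | C-0012 |
| Deployment | capsule-controller-manager | capsule-system | C-0017 , C-0055 , +1 |
| RoleBinding | namespace:admin | tenant-security-ns | C-0002 |
| ServiceAccount | default | tenant-security-ns | C-0034 |'

case "${1:-}" in
  scan)   kubescape_scan "${2:-nsa}" "capsule-cluster-${2:-nsa}.log" ;;
  chart)  kubescape_scan_chart "${2:-nsa}" "capsule-helm-${2:-nsa}.log" ;;
  triage) triage ;;                                   # table on stdin
  gate)   ci_gate ;;                                  # table on stdin
  demo)   printf '%s\n' "$SAMPLE_TABLE" | triage ;;   # prints the three tenant-security-ns rows
esac
```

In a GitHub Actions job the `scan` step would run first and the `gate` step would read its log, so the job fails only on findings that nobody has explicitly accepted; every risk acceptance then lives in `ACCEPTED_NAMESPACES` or `ACCEPTED_FINDINGS` in the repository, where it is reviewable, instead of in a reviewer's head.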
Guys, let's consider to use also this tool from aquasec: https://github.com/aquasecurity/kube-bench
Nice catch @alegrey91!
These controls, however, are very good when focused on Kubernetes post-deployment hardening, while as regards Kubernetes resources, kube-bench will only show manual checks that the operator should perform as described in the policy config (among other things, it is still stopped at Kubernetes v1.20 with PSP).

Anyway, we should consider it during the PaaS steps.