SCAN KUBERNETES RBAC WITH KUBESCAPE AND KUBISCAN
Viachaslau Matsukevich
Cloud Solutions Architect at Altoros,
Minsk, Belarus
ABSTRACT
We explored two tools that Kubernetes administrators or cyber security professionals can use to analyze and assess the role-based access control (RBAC) of a Kubernetes cluster. KubiScan is a dedicated RBAC analysis tool that is easy to customize through its risky_roles.yaml file. Kubescape, on the other hand, provides a much more comprehensive analysis of the K8s cluster beyond RBAC, together with the Kubescape cloud platform and its RBAC visualizer. Kubescape has a bigger community, is better maintained, and integrates with various platforms and popular DevOps tools.
From my perspective, Kubescape is the go-to tool for assessing the Kubernetes cluster and understanding its role-based access control. However, if you only need to scan the K8s RBAC model against a particular template or rule without anything else, you should try KubiScan.
Role-based access control (RBAC) is, in general, an approach to restricting system access to authorized users. The Kubernetes RBAC system is considered complex and hard to digest by many technology professionals. In this article, we explore Kubernetes ecosystem tools, KubiScan and Kubescape, that help cyber security professionals and Kubernetes administrators scan and evaluate RBAC. In the following scenarios, we will deploy a Google* Kubernetes Engine (GKE) cluster and analyze its role-based access control with KubiScan and Kubescape.
Prerequisites
In the following scenario we will use Google* Cloud and its managed Kubernetes cluster. However, you can scan the RBAC model of any Kubernetes cluster using a Linux machine with kubectl access to the cluster.
● GCP account
● The Google* Kubernetes Engine API enabled
Create a GKE cluster
For deployment of the cluster, we will use Cloud Shell and the gcloud CLI. Set the project ID for the gcloud CLI:
gcloud config set project PROJECT_ID
The following command will create a cluster in the us-west1 region:
gcloud container clusters create-auto my-test-cluster \
--region=us-west1
NOTE: It should take a few minutes to spin up the cluster.
Figure 1. Expected output of “gcloud container clusters create-auto” command
Configure kubectl access with the following command:
gcloud container clusters get-credentials my-test-cluster \
--region us-west1
Figure 2. “kubectl get nodes” output
KubiScan
KubiScan is an open-source tool for scanning Kubernetes clusters for risky permissions in the K8s RBAC (role-based access control) authorization model. KubiScan is created and maintained by CyberArk.
Installation
It can be run as a Docker container or as a Python script. For this tutorial, we will use Python 3. On your Linux machine, from the cloned KubiScan repository folder, run the following commands to install the KubiScan prerequisites:
apt-get update
apt-get install -y python3 python3-pip
pip3 install -r requirements.txt
For convenience, you can set up an alias to run the kubiscan python script:
alias kubiscan='python3 /<KubiScan_folder>/KubiScan.py'
NOTE: If you want the alias to persist, add it to the .bashrc or .profile file in your user's home directory.
Scan
With KubiScan we can search for pods with privileged accounts:
kubiscan -rp
Figure 3. “kubiscan -rp” output
In the output, we can see that the gmp-operator pod in the gke-gmp-system namespace is marked with CRITICAL priority.
The following command will list risky subjects in your cluster:
kubiscan -rs
Figure 4. “kubiscan -rs” output
To get information about all privileged Pods/Containers running in your Kubernetes cluster, run the following command:
kubiscan --privileged-pods
To get as much information as possible, you can run the kubiscan --all command. It outputs the “Risky Containers”, “Risky Users”, “Risky Roles and ClusterRoles”, and “Risky RoleBindings and ClusterRoleBindings” tables.
kubiscan --all
Figure 5. Example output of the “kubiscan --all” command
KubiScan also allows you to list all pods with access to secret data through environment variables or a mounted volume, respectively:
kubiscan --pods-secrets-env
kubiscan -psv
Figure 6. kubiscan -psv output
You can find many more useful KubiScan commands in the “help” menu:
kubiscan -h
How KubiScan works
In the KubiScan repository, you can find the risky_roles.yaml file, which contains opinionated templates for risky roles, each with a priority. KubiScan checks whether the cluster's roles match the rules of a risky role template and marks them accordingly in the output table.
You can modify the file to add or remove role templates so that they better fit your environment.
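To make that matching concrete, here is an added example in Python (not KubiScan's own code): a few constructed risky-role templates, whose layout is an assumption rather than the real risky_roles.yaml schema, are compared against a cluster role and the worst matching priority is reported.

```python
# Added example, not KubiScan's own code: a simplified version of the matching
# KubiScan performs between cluster roles and the templates in risky_roles.yaml.
# The template structure is an assumption (rule sets plus a priority); the real
# file is YAML with its own schema, inlined here as Python literals to run stand-alone.

# Constructed templates: PolicyRule-like dicts plus a priority.
RISKY_TEMPLATES = [
    {"name": "any-verb-any-resource", "priority": "CRITICAL",
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"name": "read-secrets", "priority": "HIGH",
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"name": "exec-into-pods", "priority": "HIGH",
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
PRIORITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}

def covers(granted, required):
    """One axis (apiGroups, resources or verbs): the cluster rule's values include
    everything the template needs. A cluster wildcard covers anything; a template
    wildcard is only covered by a wildcard."""
    return "*" in granted or all(v in granted for v in required)

def rule_matches(cluster_rule, template_rule):
    """A cluster rule matches when it is at least as permissive on all three axes."""
    return all(covers(cluster_rule.get(axis, []), template_rule.get(axis, []))
               for axis in ("apiGroups", "resources", "verbs"))

def matched_templates(role, templates=RISKY_TEMPLATES):
    """(name, priority) of every template whose rules the role's rules all cover."""
    hits = []
    for tpl in templates:
        # Each template rule must be covered by at least one rule of the role.
        if all(any(rule_matches(cr, tr) for cr in role.get("rules", []))
               for tr in tpl["rules"]):
            hits.append((tpl["name"], tpl["priority"]))
    return hits

def highest_priority(role, templates=RISKY_TEMPLATES):
    """Worst priority among matched templates, or None when nothing matched."""
    hits = matched_templates(role, templates)
    return max((p for _, p in hits), key=PRIORITY_RANK.get, default=None)

# Constructed cluster roles: a namespaced secret reader and a wildcard admin.
SECRET_READER = {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "dev"},
                 "rules": [{"apiGroups": [""], "resources": ["secrets"],
                            "verbs": ["get", "list", "watch"]}]}
WILDCARD_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "super-admin"},
                  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
```

The secret reader only trips the read-secrets template, while the wildcard role matches every template and is reported as CRITICAL.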
Kubescape
Kubescape is an open-source, multi-purpose tool that provides an RBAC visualizer, image vulnerability scanning, risk analysis, and security compliance checks. Kubescape can detect RBAC violations, software vulnerabilities, and misconfigurations at the early stages of the CI/CD pipeline, calculates a risk score instantly, and shows risk trends over time. It has native integrations with DevOps tools like CircleCI, Jenkins, GitLab CI/CD, GitHub Actions, etc. Kubescape is built and maintained by ARMO.
Kubescape has comprehensive documentation available online.
Installation
There are a few ways you can install Kubescape on Linux:
● install script
● binary from the GitHub release page
● as a cluster component using Helm
It is also available on Mac and Windows.
To quickly set up Kubescape on Linux with the install script, run the following command:
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
Scan
With Kubescape ready, we can go ahead and scan the cluster:
kubescape scan
Figure 7. kubescape scan output
Kubescape assesses your cluster by different parameters, not only role-based access control. You can see which controls passed and which failed, and it also shows which resource failed each test.
In terms of RBAC, Kubescape helps simplify the complexity of Kubernetes role-based access control by providing a visual graph of the RBAC configuration in your K8s cluster. Many built-in queries for things you need to be aware of in your RBAC configuration are available out of the box.
To use the Kubescape RBAC visualizer, you need to set up a free Kubescape Cloud Platform account. All scan results can be submitted to the platform.
Figure 8. Kubescape Cloud Platform, RBAC Visualizer
Once you have created the account, navigate to the “RBAC visualizer” in the left menu and copy the account ID. Running a scan with the account ID parameter sends all scan results to the Cloud Platform.
kubescape scan --submit --account=[account-id]
If you want to use just RBAC visualizer capabilities, and send only RBAC-related data, you can use the command below:
kubescape submit rbac --account [account-id]
In the Kubescape Cloud, navigate to the “RBAC Visualizer” in the left menu. In the pop-up menu, select your K8s cluster. After that, you should be able to see your cluster's RBAC visualized.
Figure 9. RBAC Visualizer
Figure 10. RBAC Visualizer zoomed view
You can change the view using built-in queries and select “layout by type”:
Figure 11. RBAC Visualizer layout by type
Group by verbs:
Figure 12. RBAC Visualizer group by verbs
The following built-in query can show “who-can exec into pods”:
Figure 13. Rbac Visualizer, results of the “who-can exec into pods” query
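As an added example (not Kubescape's code) of what such a query has to resolve, the Python below walks constructed Role, ClusterRole and binding objects to answer who can create on the pods/exec subresource, which is what kubectl exec requires; the helper names are my own.

```python
# Added example, not Kubescape's code: the RBAC resolution behind a "who can exec
# into pods" query. kubectl exec needs the verb "create" on the "pods/exec" subresource.
# Objects below are constructed, in the shape of Kubernetes (Cluster)Role/(Cluster)RoleBinding.

def rule_grants(rule, api_group, resource, verb):
    """Does one PolicyRule grant verb on resource? "pods/exec" is matched by "pods/exec" or "pods/*", not "pods"."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    base = resource.split("/", 1)[0]
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources or base + "/*" in resources)
            and ("*" in verbs or verb in verbs))

def who_can(roles, bindings, api_group, resource, verb):
    """Sorted (subject, scope) pairs; scope is a namespace, or "*" for cluster-wide."""
    # Index roles by (kind, namespace, name); ClusterRoles carry no namespace.
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    result = set()
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace")  # ns is None for ClusterRoleBinding
        role = index.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:  # a dangling roleRef grants nothing
            continue
        if not any(rule_grants(r, api_group, resource, verb) for r in role.get("rules", [])):
            continue
        # A RoleBinding limits even a ClusterRole's permissions to its own namespace.
        scope = ns if b["kind"] == "RoleBinding" else "*"
        for s in b.get("subjects", []):
            sa_ns = s["namespace"] + "/" if s["kind"] == "ServiceAccount" else ""
            result.add((f"{s['kind']}:{sa_ns}{s['name']}", scope))
    return sorted(result)

# Constructed sample objects: a wildcard admin, a read-only viewer, a namespaced debugger.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-debug", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
EXEC_CAPABLE = who_can(ROLES, BINDINGS, "", "pods/exec", "create")
```

Note that alice's read-only view of pods and pod logs does not grant exec, while the admin group gets it cluster-wide and the CI service account only within dev.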
If you don’t want your scan results to be submitted to ARMO, add the --keep-local flag if you used the --submit command before. This way the output is printed to the console. Scan results can also be output in JSON, PDF, HTML, and many other formats, which is really convenient for CI/CD pipelines and automation.
Kubescape custom framework
Kubescape allows you to scan your cluster against popular frameworks such as NSA, MITRE, CIS, and others. It also allows you to create your own custom framework. There are dozens of controls available for use in any framework, and each control tests a certain aspect of the cluster.
We can set up a custom framework that will check only RBAC-related things. To do that, navigate to the Configuration scanning in the left menu, select “Frameworks”, and click on “Customize your own Framework”.
Specify “Framework Name”. Then, search and select RBAC-related controls using the “Search” section. Once ready, click “Apply”.
Figure 14. Creating custom Framework
Once the custom RBAC framework is set up in the cloud platform, we can run a scan with the Kubescape CLI:
kubescape scan framework rbac
Figure 15. “kubescape scan framework rbac” command output
Each row in the table represents a control. The “Failed resources” column shows the number of resources that failed that control.
Remediation advice and a link to the documentation are included in the console output if you add the --verbose (-v) flag.
kubescape scan framework rbac -v
Figure 16. “kubescape scan framework rbac -v” command output
In the output, you can see the URL which will redirect you to the scan result in the Kubescape Cloud.
Figure 17. scan result in the Kubescape Cloud
You can see the suggested remediation action in the “Remediation” column. In the “Resources” section, you will see a list of all your cluster resources.
Figure 18. Cluster resources in the “Resources” section
If you click on the small “tool” icon on the right of the “EndpointSlice” line, it redirects to the YAML definition of the resource, with the lines that failed the control highlighted. In this example, the CIS-5.7.4 control complains about use of the default namespace.
Figure 19. Default namespace highlighted as a CIS-5.7.4 warning
As you can see, Kubescape provides a really detailed suggested remediation action along with additional documentation, so you can make an informed decision about the risk it found.
* (At the request of Roskomnadzor, we inform you that a foreign person who owns Google information resources is a violator of the legislation of the Russian Federation - ed. note)