Kubeaudit no longer supports APIs deprecated as of Kubernetes v.1.16 release. So, it is now a requirement for clusters to run Kubernetes >=1.16
kubeaudit
is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:
tldr. kubeaudit
makes sure you deploy secure containers!
To use kubeaudit as a Go package, see the package docs.
The rest of this README will focus on how to use kubeaudit as a command line tool.
brew install kubeaudit
Kubeaudit has official releases that are blessed and stable: Official releases
Master may have newer features than the stable releases. If you need a newer feature not yet included in a release, make sure you’re using Go 1.17+ and run the following:
go get -v github.com/Shopify/kubeaudit
Start using kubeaudit
with the Quick Start or view all the supported commands.
Prerequisite: kubectl v1.12.0 or later
With kubectl v1.12.0 introducing easy pluggability of external functions, kubeaudit can be invoked as kubectl audit
by
make plugin
and having $GOPATH/bin
available in your path.or
kubectl-audit
and having it available in your path.We also release a Docker image: shopify/kubeaudit
. To run kubeaudit as a job in your cluster see Running kubeaudit in a cluster.
kubeaudit has three modes:
If a Kubernetes manifest file is provided using the -f/--manifest
flag, kubeaudit will audit the manifest file.
Example command:
kubeaudit all -f “/path/to/manifest.yml”
Example output:
$ kubeaudit all -f “internal/test/fixtures/all_resources/deployment-apps-v1.yml”
—————- Results for —————
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
namespace: deployment-apps-v1——————————————–
— [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation ‘container.apparmor.security.beta.kubernetes.io/container’ should be added.
Metadata:
Container: container
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container
— [error] AutomountServiceAccountTokenTrueAndDefaultSA
Message: Default service account with token mounted. automountServiceAccountToken should be set to ‘false’ or a non-default service account should be used.
— [error] CapabilityShouldDropAll
Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
Metadata:
Container: container
Capability: AUDIT_WRITE…
If no errors with a given minimum severity are found, the following is returned:
All checks completed. 0 high-risk vulnerabilities found
Kubeaudit produces results with three levels of severity:
Error
: A security issue or invalid kubernetes configurationWarning
: A best practice recommendationInfo
: Informational, no action required. This includes results that are overriddenThe minimum severity level can be set using the --minSeverity/-m
flag.
By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the --format json
flag. To output results as logs (the previous default) use --format logrus
. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the --no-color
flag.
If there are results of severity level error
, kubeaudit will exit with exit code 2. This can be changed using the --exitcode/-e
flag.
For all the ways kubeaudit can be customized, see Global Flags.
Command | Description | Documentation |
---|---|---|
all | Runs all available auditors, or those specified using a kubeaudit config. | docs |
autofix | Automatically fixes security issues. | docs |
version | Prints the current kubeaudit version. |
Auditors can also be run individually.
Command | Description | Documentation |
---|---|---|
apparmor | Finds containers running without AppArmor. | docs |
asat | Finds pods using an automatically mounted default service account | docs |
capabilities | Finds containers that do not drop the recommended capabilities or add new ones. | docs |
deprecatedapis | Finds any resource defined with a deprecated API version. | docs |
hostns | Finds containers that have HostPID, HostIPC or HostNetwork enabled. | docs |
image | Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. | docs |
limits | Finds containers which exceed the specified CPU and memory limits or do not specify any. | docs |
mounts | Finds containers that have sensitive host paths mounted. | docs |
netpols | Finds namespaces that do not have a default-deny network policy. | docs |
nonroot | Finds containers running as root. | docs |
privesc | Finds containers that allow privilege escalation. | docs |
privileged | Finds containers running as privileged. | docs |
rootfs | Finds containers which do not have a read-only filesystem. | docs |
seccomp | Finds containers running without Seccomp. | docs |
Short | Long | Description |
---|---|---|
–format | The output format to use (one of “pretty”, “logrus”, “json”) (default is “pretty”) | |
–kubeconfig | Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config ) | |
-c | –context | The name of the kubeconfig context to use |
-f | –manifest | Path to the yaml configuration to audit. Only used in manifest mode. You may use - to read from stdin. |
-n | –namespace | Only audit resources in the specified namespace. Not currently supported in manifest mode. |
-g | –includegenerated | Include generated resources in scan (such as Pods generated by deployments). If you would like kubeaudit to produce results for generated resources (for example if you have custom resources or want to catch orphaned resources where the owner resource no longer exists) you can use this flag. |
-m | –minseverity | Set the lowest severity level to report (one of “error”, “warning”, “info”) (default is “info”) |
-e | –exitcode | Exit code to use if there are results with severity of “error”. Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) |
–no-color | Don’t use colors in the output (default is false) |
The kubeaudit config can be used for two things:
Any configuration that can be specified using flags for the individual auditors can be represented using the config.
The config has the following format:
enabledAuditors:
# Auditors are enabled by default if they are not explicitly set to “false”
apparmor: false
asat: false
capabilities: true
deprecatedapis: true
hostns: true
image: true
limits: true
mounts: true
netpols: true
nonroot: true
privesc: true
privileged: true
rootfs: true
seccomp: true
auditors:
capabilities:
# add capabilities needed to the add list, so kubeaudit won’t report errors
allowAddList: [‘AUDIT_WRITE’, ‘CHOWN’]
deprecatedapis:
# If no versions are specified and the’deprecatedapis’ auditor is enabled, WARN
# results will be genereted for the resources defined with a deprecated API.
currentVersion: ‘1.22’
targetedVersion: ‘1.25’
image:
# If no image is specified and the ‘image’ auditor is enabled, WARN results
# will be generated for containers which use an image without a tag
image: ‘myimage:mytag’
limits:
# If no limits are specified and the ‘limits’ auditor is enabled, WARN results
# will be generated for containers which have no cpu or memory limits specified
cpu: ‘750m’
memory: ‘500m’
For more details about each auditor, including a description of the auditor-specific configuration in the config, see the Auditor Docs.
Note: The kubeaudit config is not the same as the kubeconfig file specified with the --kubeconfig
flag, which refers to the Kubernetes config file (see Local Mode). Also note that only the all
and autofix
commands support using a kubeaudit config. It will not work with other commands.
Note: If flags are used in combination with the config file, flags will take precedence.
Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce info
results instead of error
results and the audit result name will have Allowed
appended to it. The labels are documented in each auditor’s documentation, but the general format for auditors that support overrides is as follows:
An override label consists of a key
and a value
.
The key
is a combination of the override type (container or pod) and an override identifier
which is unique to each auditor (see the docs for the specific auditor). The key
can take one of two forms depending on the override type:
container.audit.kubernetes.io/[container name].[override identifier]
As per Kubernetes spec, value
must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]
) with dashes (-
), underscores (_
), dots (.
), and alphanumerics between.
Multiple override labels (for multiple auditors) can be added to the same resource.
See the specific auditor docs for the auditor you wish to override for examples.
To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…