Kubei is a vulnerabilities scanning tool that allows users to get an accurate and immediate risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan the entire image registries and doesn’t require preliminary integration with CI/CD pipelines.
It is a configurable tool which allows users to define the scope of the scan (target namespaces), the speed, and the vulnerabilities level of interest.
It provides a graphical UI which allows the viewer to identify where and what should be replaced, in order to mitigate the discovered vulnerabilities.
Prerequisites
~/.kube/config
) is properly configured for the target cluster.Required Permissions
Configurations
The file deploy/kubei.yaml
is used to deploy and configure Kubei on your cluster.
IGNORE_NAMESPACES
env variable to ignore specific namespaces. Set TARGET_NAMESPACE
to scan a specific namespace, or leave empty to scan all namespaces.MAX_PARALLELISM
env variable for the maximum number of simultaneous scanners.SEVERITY_THRESHOLD
threshold will be reported. Supported levels are Unknown
, Negligible
, Low
, Medium
, High
, Critical
, Defcon1
. Default is Medium
.DELETE_JOB_POLICY
env variable to define whether or not to delete completed scanner jobs. Supported values are:All
– All jobs will be deleted.Successful
– Only successful jobs will be deleted (default).Never
– Jobs will never be deleted.Usage
kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml
kubectl -n kubei get pod -lapp=kubei
kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}') 8080
kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}')
Running Kubei with an external HTTP/HTTPS proxy
Uncomment and configure the proxy env variables for the Clair and Kubei deployments in deploy/kubei.yaml
.
Amazon ECR support
Create an AWS IAM user with AmazonEC2ContainerRegistryFullAccess
permissions.
Use the user credentials (AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, AWS_DEFAULT_REGION
) to create the following secret:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: ecr-sa
namespace: kubei
type: Opaque
data:
AWS_ACCESS_KEY_ID: $(echo -n 'XXXX'| base64 -w0)
AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX'| base64 -w0)
AWS_DEFAULT_REGION: $(echo -n 'XXXX'| base64 -w0)
EOF
Note:
ecr-sa
AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and AWS_DEFAULT_REGION
Google GCR Support
Create a Google service account with Artifact Registry Reader
permissions.
Use the service account json file to create the following secret
kubectl -n kubei create secret generic –from-file=sa.json gcr-sa
Note:
gcr-sa
sa.json
must be the name of the service account json file when generating the secretLimitations
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…