
Mesh-Kridik : An Open-Source Security Checker That Performs Security Checks On A Kubernetes Cluster

Mesh-Kridik is an open-source security checker that performs various security checks on a Kubernetes cluster running the Istio service mesh and outputs a security report.

The security checks are a full implementation of the Istio security best practices.

The checks run against a Kubernetes cluster with the Istio service mesh and are enforced through OPA (Open Policy Agent) policies; the resulting audit report includes the root cause of each security issue and a proposed remediation for it.

Requirements

  • Go 1.16+
  • jq
  • istio

Installation

git clone https://github.com/chen-keinan/mesh-kridik
cd mesh-kridik
make build

  • Note: mesh-kridik requires root privileges to run

Quick Start

Executing Mesh-Kridik without any flags runs all tests:

./mesh-kridik

Executing mesh-kridik with flags runs tests on demand:

Usage: mesh-kridik [--version] [--help] []
Available commands are:
-r, --report  : run security checks and generate a remediation report
-i, --include : execute only specific security checks, example: -i=1.1
-e, --exclude : ignore specific security checks, example: -e=1.1,2.0

Execute the tests and generate a report of the failing tests and their remediations:

./mesh-kridik -r

Istio Security Checks

Name | Description | Impact
Mutual TLS | Istio mutual TLS proxies are configured in PERMISSIVE mode by default | Proxies will accept both mutual TLS and plaintext traffic
Istio safer authorization policy patterns | Use ALLOW-with-positive-matching or DENY-with-negative-matching patterns | These patterns are safer because the worst result of a policy mismatch is an unexpected 403 rejection instead of an authorization policy bypass
Path normalization in authorization policy | The enforcement point for authorization policies is the Envoy proxy rather than the usual resource access point in the backend application | A normalization mismatch between the two can lead to either unexpected rejection or a policy bypass
TLS origination for egress traffic | Use a DestinationRule on the ServiceEntry for egress traffic | Without TLS origination, egress traffic to an external service is sent in plaintext
Protocol detection | Explicitly declare the service protocol | Misdetection may result in unexpected traffic behavior
CNI support | Istio transparent traffic capture | Not all network traffic will be captured
Overly broad hosts | Avoid overly broad hosts settings in Gateway | May expose unexpected domains
Restrict Gateway creation privileges | Restrict creation of Gateway resources to trusted cluster administrators | Untrusted users may otherwise create gateways
Configure a limit on downstream connections | Update global_downstream_max_connections in the config map according to the number of concurrent connections needed by the individual gateway instances in your deployment; once the limit is reached, Envoy starts rejecting TCP connections | Without a limit on downstream connections, a malicious actor can exhaust them
Configure third party service account tokens | Configure third party tokens, because the properties of first party tokens are less secure | The less secure first party token properties may lead to an authentication breach
Control plane | Istiod exposes a few unauthenticated plaintext ports for convenience by default | The XDS service port 15010 and debug port 8080 are exposed over unauthenticated plaintext
Data plane | The proxy exposes a variety of ports | Applications running in the same pod as the proxy can reach them; there is no trust boundary between the sidecar and the application
Understand traffic capture limitations | Secure egress traffic by setting meshConfig.outboundTrafficPolicy.mode | Otherwise access to external services is not controlled
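The following program is an added example, not mesh-kridik's own code: the tool drives its checks through OPA policies, whereas this is plain Go. It implements three of the checks from the table above (mutual TLS mode, safer authorization policy patterns, overly broad Gateway hosts) and emits report entries carrying the root cause and remediation that the audit report is described as containing. Input is Istio resources in the JSON shape that `kubectl get <kind> -o json` prints; the resource names, namespaces and values in SampleDocs are constructed for the demo, and the Finding type and check names are this example's own, not mesh-kridik identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one report entry: failed check, offending resource, root cause and remediation.
type Finding struct{ Check, Resource, RootCause, Remediation string }

// resource is the subset of an Istio object (as printed by `kubectl get ... -o json`) that the
// checks read; encoding/json matches field names case-insensitively and ignores the rest.
type resource struct {
	Kind     string
	Metadata struct{ Name, Namespace string }
	Spec     struct {
		Mtls    *struct{ Mode string }     // PeerAuthentication
		Action  string                     // AuthorizationPolicy, empty means ALLOW
		Rules   []json.RawMessage          // AuthorizationPolicy, kept raw for the matcher scan
		Servers []struct{ Hosts []string } // Gateway
	}
}

// negated matches a negated matcher key (notPaths, notPrincipals, notNamespaces, notValues, ...);
// in JSON only object keys are followed by a colon, so a string value cannot trigger it.
var negated = regexp.MustCompile(`"not[A-Z][A-Za-z]*"\s*:`)

func hasNegativeMatch(rules []json.RawMessage) bool {
	for _, rule := range rules {
		if negated.Match(rule) {
			return true
		}
	}
	return false
}

// check runs the check that applies to the resource kind and returns its findings.
func check(r resource) []Finding {
	var out []Finding
	id := r.Kind + " " + r.Metadata.Namespace + "/" + r.Metadata.Name
	switch r.Kind {
	case "PeerAuthentication":
		// An unset mtls.mode inherits Istio's PERMISSIVE default, so the sidecar also accepts plaintext.
		if r.Spec.Mtls == nil || r.Spec.Mtls.Mode != "STRICT" {
			out = append(out, Finding{"Mutual TLS", id, "mtls.mode is not STRICT, so proxies accept both mutual TLS and plaintext traffic",
				"set spec.mtls.mode: STRICT (mesh-wide in istio-system, then narrower where needed)"})
		}
	case "AuthorizationPolicy":
		allow, negative := r.Spec.Action != "DENY", hasNegativeMatch(r.Spec.Rules)
		if allow && negative {
			out = append(out, Finding{"Safer Authorization Policy Patterns", id, "ALLOW with negative matching: a request the matcher fails to classify is allowed (policy bypass)",
				"rewrite as ALLOW-with-positive-matching or DENY-with-negative-matching so a mismatch yields 403"})
		}
		if !allow && len(r.Spec.Rules) > 0 && !negative {
			out = append(out, Finding{"Safer Authorization Policy Patterns", id, "DENY with positive matching: a request the matcher fails to classify (e.g. an unnormalized path) is not denied",
				"prefer ALLOW-with-positive-matching, or DENY-with-negative-matching"})
		}
	case "Gateway":
		for _, s := range r.Spec.Servers {
			for _, h := range s.Hosts { // hosts may be "namespace/dnsName"; only the DNS part decides breadth
				if dns := h[strings.LastIndex(h, "/")+1:]; dns == "*" {
					out = append(out, Finding{"Overly broad hosts", id, "host " + h + " matches every domain, so any VirtualService can bind to this gateway",
						"list the intended hostnames explicitly (e.g. app.example.com or *.example.com)"})
				}
			}
		}
	}
	return out
}

// Audit parses one JSON document per resource and collects the findings of every check.
func Audit(docs []string) ([]Finding, error) {
	var findings []Finding
	for _, d := range docs {
		var r resource
		if err := json.Unmarshal([]byte(d), &r); err != nil {
			return nil, err
		}
		findings = append(findings, check(r)...)
	}
	return findings, nil
}

// SampleDocs is constructed input for this example, not output captured from a real cluster.
var SampleDocs = []string{
	`{"kind":"PeerAuthentication","metadata":{"name":"default","namespace":"istio-system"},"spec":{"mtls":{"mode":"PERMISSIVE"}}}`,
	`{"kind":"AuthorizationPolicy","metadata":{"name":"allow-except-admin","namespace":"shop"},"spec":{"action":"ALLOW","rules":[{"to":[{"operation":{"notPaths":["/admin/*"]}}]}]}}`,
	`{"kind":"AuthorizationPolicy","metadata":{"name":"deny-untrusted","namespace":"shop"},"spec":{"action":"DENY","rules":[{"from":[{"source":{"notPrincipals":["cluster.local/ns/shop/sa/frontend"]}}]}]}}`,
	`{"kind":"Gateway","metadata":{"name":"ingress","namespace":"istio-system"},"spec":{"servers":[{"hosts":["*"]},{"hosts":["shop/*.example.com"]}]}}`,
}

func main() {
	findings, err := Audit(SampleDocs)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[FAIL] %s on %s\n  cause: %s\n  fix:   %s\n", f.Check, f.Resource, f.RootCause, f.Remediation)
	}
}
```

Run with `go run`; each finding prints as a [FAIL] line with its cause and fix. On the sample input the PERMISSIVE PeerAuthentication, the ALLOW policy that relies on notPaths, and the Gateway host "*" are reported, while the DENY policy passes because it uses notPrincipals, the negative-matching form the table recommends, and "shop/*.example.com" passes because only a bare "*" is treated as overly broad.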

User Plugin Usage (via go plugins)

Kube-kridik exposes a hook for user plugins. Example:

  • MeshSecurityCheckResultHook: this hook receives the results of the Kubernetes service mesh security checks

Compile user plugin

go build -buildmode=plugin -o=~//.so ~//.go

Copy the plugin to the plugins folder (the .kube-kridik folder is created on first startup):

cp ~//.so ~/.kube-kridik/plugins/compile/.so

R K
