{"id":13774623,"url":"https://github.com/k8scop/k8s-security-dashboard","last_synced_at":"2025-05-11T06:33:24.407Z","repository":{"id":49208203,"uuid":"168209930","full_name":"k8scop/k8s-security-dashboard","owner":"k8scop","description":"A security monitoring solution for Kubernetes","archived":false,"fork":false,"pushed_at":"2023-10-18T01:49:10.000Z","size":2619,"stargazers_count":128,"open_issues_count":6,"forks_count":23,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-03-15T08:40:31.311Z","etag":null,"topics":["kubernetes","security-monitoring","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k8scop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-01-29T18:55:43.000Z","updated_at":"2024-02-28T01:19:10.000Z","dependencies_parsed_at":"2024-01-06T22:52:25.127Z","dependency_job_id":"c37e481e-f909-4698-9f2f-c44df62f08d9","html_url":"https://github.com/k8scop/k8s-security-dashboard","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scop%2Fk8s-security-dashboard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scop%2Fk8s-security-dashboard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scop%2Fk8s-security-dashboard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k8scop%2Fk8s-security-dashboard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k8scop","download_url":"https://codeload.github.com/k8scop/k8s-security-dashboard/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253528415,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","security-monitoring","security-tools"],"created_at":"2024-08-03T17:01:28.761Z","updated_at":"2025-05-11T06:33:23.601Z","avatar_url":"https://github.com/k8scop.png","language":"Python","funding_links":[],"categories":["Repositories / Tools","Python","Security"],"sub_categories":["Defending"],"readme":"# Kubernetes Security Dashboard\n\nThis guide assists in configuring a logging architecture for Kubernetes, meant to store and parse audit logs. After setting up the logging architecture, run K8sCop for static or streaming analysis, and import the security dashboard in Kibana to obtain full visibility over Kubernetes cluster activity.\n\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n- [Kubernetes Security Dashboard](#kubernetes-security-dashboard)\n  - [TL;DR](#tldr)\n  - [Big Picture](#big-picture)\n  - [Installation](#installation)\n    - [kube-apiserver arguments](#kube-apiserver-arguments)\n    - [Setting up Elasticsearch and Kibana](#setting-up-elasticsearch-and-kibana)\n    - [Deploying fluent](#deploying-fluent)\n      - [Preparation](#preparation)\n      - [Deployment](#deployment)\n    - [Debugging](#debugging)\n  - [K8sCop](#k8scop)\n  - [Security Dashboard](#security-dashboard)\n    - [Preview](#preview)\n    - [Importing the Dashboard](#importing-the-dashboard)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n## TL;DR\n\n- Make the `kube-apiserver` store audit logs\n- Set up Elasticsearch and Kibana outside or inside Kubernetes\n- Deploy the Fluent daemon to push logs to Elasticsearch\n- Run K8sCop for static or streaming analysis of logs and labelling of events\n- Import and view the Security Dashboard in Kibana\n\n## Big Picture\n\n![](images/diagram.png)\n\n## Installation\n\n### kube-apiserver arguments\n\nThe `kube-apiserver` has the possiblity to keep and store audit logs. By adding the following arguments to the `/etc/kubernetes/manifests/kube-apiserver.yaml` file:\n\n```bash\ncontainers:\n  - command:\n    - kube-apiserver\n    [arguments]\n    - --audit-policy-file=/etc/kubernetes/policies/adv-audit.yaml\n    - --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log\n    - --audit-log-format=json\n    [arguments]\n  volumeMounts:\n   [options]\n    - mountPath: /etc/kubernetes/policies\n      name: policies\n      readOnly: true\n    - mountPath: /var/log/kubernetes\n[options]\n - hostPath:\n   path: /etc/kubernetes/policies\n   type: DirectoryOrCreate\n  name: policies\n- hostPath:\n   path: /var/log/kubernetes\n   type: DirectoryOrCreate\n  name: var-log-kubernetes\n```\n\nAn example configuration file can be found [here](configs/kubernetes/kube-apiserver.yaml). Create the `policies` directory in `/etc/kubernetes` and copy [this yaml file](configs/kubernetes/adv-audit.yaml) to the newly created directory.\n\n### Setting up Elasticsearch and Kibana\n\nFollow this very nice and detailed guide on [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-16-04). \n\n### Deploying fluent\n\n#### Preparation\n\nCreate the mount directory for the fluent configuration:\n\n```bash\n# mkdir -p /var/share/volumes/fluent/etc\n```\n\nAdd the files from the `configs/fluent` folder:\n\n```bash\n# cp entrypoint.sh Gemfile /var/share/volumes/fluent/.\n# cp fluent.conf /var/share/volumes/fluent/etc/.\n```\n\nChange the environment variables to connect to the installed elasticsearch installation:\n\n```yaml\n     - name: fluentd\n        image: fluent/fluentd-kubernetes-daemonset:v1.1-debian-elasticsearch\n        env:\n          - name:  FLUENT_ELASTICSEARCH_HOST\n            value: \"192.168.178.65\"\n          - name:  FLUENT_ELASTICSEARCH_PORT\n            value: \"9200\"\n          - name: FLUENT_ELASTICSEARCH_SCHEME\n            value: \"http\"\n          - name: FLUENT_UID\n            value: \"0\"\n          - name: FLUENT_ELASTICSEARCH_USER # even if not used they are necessary\n            value: \"foo\"\n          - name: FLUENT_ELASTICSEARCH_PASSWORD # even if not used they are necessary\n            value: \"bar\"\n        resources:\n```\n\n#### Deployment\n\nApply the yaml configuration file:\n\n```bash\n$ kubectl apply -f fluentd-setup.yml\n```\n\nThere should be a `kube-logging` namespace, containing a volume (claim), a fluent pod and service account.\n\n### Debugging \n\nTo check the progress or to debug error messages, run the following command:\n\n```bash\n$ kubectl --namespace kube-logging logs fluent-[identifier] init-fluentd -f\n```\n\nThis will stream the init containers' stdout/stderr while installing the required gems.\nOmit `init-fluentd` to stream the logs of the actual container.\n\n## K8sCop\n\nK8sCop specifics are described [here](alert-system/README.md).\n\n## Security Dashboard\n\n### Preview\n\nAn overview of all requests made inside Kubernetes and a pie chart of user activity, computer by requests per user.\n\n![](images/dashboard1.png)\n\nA pie chart of the different types of alerts and an overview of the latest alerts made by K8sCop. \n\n![](images/dashboard2.png)\n\nAn overview of shell commands executed and kubectl interaction, with a list of attempts at secrets retrieval and requests that have been unauthorised. \n\n![](images/dashboard3.png)\n\nAn overview of privileged pod spawning. \n\n![](images/dashboard4.png)\n\n### Importing the Dashboard\n\n- Navigate to the management interface of Kibana\n- Go into Saved Objects\n- Import the json objects [file](configs/kibana/k8s-security-dashboard.json) \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk8scop%2Fk8s-security-dashboard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk8scop%2Fk8s-security-dashboard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk8scop%2Fk8s-security-dashboard/lists"}