Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chen-keinan/kube-beacon
Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
https://github.com/chen-keinan/kube-beacon
audit-checks cis-benchmark cis-kubernetes-benchmark cis-security k8s kube kube-beacon kube-bench kube-scan kubernetes scan
Last synced: 27 days ago
JSON representation
Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
- Host: GitHub
- URL: https://github.com/chen-keinan/kube-beacon
- Owner: chen-keinan
- License: apache-2.0
- Created: 2020-10-05T17:42:54.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-12T07:47:54.000Z (4 months ago)
- Last Synced: 2024-11-07T11:44:19.705Z (about 1 month ago)
- Topics: audit-checks, cis-benchmark, cis-kubernetes-benchmark, cis-security, k8s, kube, kube-beacon, kube-bench, kube-scan, kubernetes, scan
- Language: Go
- Homepage:
- Size: 19.2 MB
- Stars: 65
- Watchers: 3
- Forks: 7
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
README
[![Go Report Card](https://goreportcard.com/badge/github.com/chen-keinan/beacon)](https://goreportcard.com/report/github.com/chen-keinan/beacon)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/chen-keinan/beacon/blob/main/LICENSE)
[![Build Status](https://travis-ci.com/chen-keinan/kube-beacon.svg?branch=main)](https://travis-ci.com/chen-keinan/kube-beacon)
[![Coverage Status](https://coveralls.io/repos/github/chen-keinan/kube-beacon/badge.svg?branch=main)](https://coveralls.io/github/chen-keinan/kube-beacon?branch=main)
[![Gitter](https://badges.gitter.im/kube-beacon/community.svg)](https://gitter.im/kube-beacon/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)# Kube-Beacon Project
### Scan your kubernetes runtime !!
Kube-Beacon is an open source audit scanner who perform audit check on a deployed kubernetes cluster and output a security report.The audit tests are the full implementation of [CIS Kubernetes Benchmark specification](https://www.cisecurity.org/benchmark/kubernetes/)
NEW !! audit result now can be leveraged as webhook via user plugin(using go plugin)
#### Audit checks are performed on master and worker nodes and the output audit report include :
* root cause of the security issue
* proposed remediation for security issue#### kubernetes cluster audit scan output:
![k8s audit](./pkg/images/beacon.gif)* [Installation](#installation)
* [Quick Start](#quick-start)
* [Kube-beacon as Docker](#Kube-beacon-as-Docker)
* [Kube-beacon as pod in k8s](#Kube-beacon-as-pod-in-k8s)
* [User Plugin Usage](#user-plugin-usage)
* [Next steps](#Next-steps)## Installation
```sh
git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
```- Note: kube-beacon require root user to be executed
## Quick Start
Execute kube-eacon without any flags , execute all tests
```
./kube-beacon```
Execute kube-beacon with flags , execute test on demand
```
Usage: kube-Beacon [--version] [--help] []Available commands are:
-r , --report : run audit tests and generate failure report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-n , --node: execute audit tests on specific node, example -n=master,-n=worker
-s , --spec: execute specific audit tests spec, example -s=gke, default=k8s
-v , --version: execute specific audit tests spec version, example -v=1.1.0,default=1.6.0
```Execute tests and generate failure tests report
```
./kube-beacon -r
```## Kube-beacon as pod in k8s
- Execute kube beacon as a pod in k8s cluster
- Add cluster role binding with role=cluster-admin
```
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
```
```
cd jobs
```
- simple k8s cluster run following job```
kubectl apply -f k8s.yaml
```- gke cluster run the following job
```
kubectl apply -f gke.yaml
```- Check k8s pod status
```
kubectl get pods --all-namespacesNAMESPACE NAME READY STATUS RESTARTS AGE
default kube-beacon-sc8g9 0/1 Completed 0 111s
kube-system event-exporter-gke-8489df9489-skcvv 2/2 Running 0 7m24s
kube-system fluentd-gke-7d5sl 2/2 Running 0 7m6s
kube-system fluentd-gke-f6q5d 2/2 Running 0 6m59s
```- Check k8s pod audit output
```
kubectl logs kube-beacon-sc8g9
```- cleanup (remove role and delete pod)
```
kubectl delete clusterrolebinding default-admin
```
```
kubectl delete -f k8s.yaml
```## User Plugin Usage
The Kube-Beacon expose hook for user plugins [Example](https://github.com/chen-keinan/kube-beacon/tree/master/examples/plugins) :
- **K8sBenchAuditResultHook** - this hook accepts audit benchmark results as found by audit report##### Compile user plugin
```
go build -buildmode=plugin -o=~//bench_plugin.so //bench_plugin.go
```
##### Copy plugin to folder (.beacon folder is created on the 1st startup)
```
cp //bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so
```
Note: Plugin and binary must compile with the same linux env
## Next steps
- Add support for Amazon EKS scanning