Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chen-keinan/kube-beacon
Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
- Host: GitHub
- URL: https://github.com/chen-keinan/kube-beacon
- Owner: chen-keinan
- License: apache-2.0
- Created: 2020-10-05T17:42:54.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-12T07:47:54.000Z (3 months ago)
- Last Synced: 2024-10-15T21:40:57.912Z (24 days ago)
- Topics: audit-checks, cis-benchmark, cis-kubernetes-benchmark, cis-security, k8s, kube, kube-beacon, kube-bench, kube-scan, kubernetes, scan
- Language: Go
- Homepage:
- Size: 19.2 MB
- Stars: 65
- Watchers: 3
- Forks: 7
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - chen-keinan/kube-beacon: Open Source runtime scanner for k8s cluster and perform security audit checks based on CIS Kubernetes Benchmark specification
README
[![Go Report Card](https://goreportcard.com/badge/github.com/chen-keinan/beacon)](https://goreportcard.com/report/github.com/chen-keinan/beacon)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/chen-keinan/beacon/blob/main/LICENSE)
[![Build Status](https://travis-ci.com/chen-keinan/kube-beacon.svg?branch=main)](https://travis-ci.com/chen-keinan/kube-beacon)
[![Coverage Status](https://coveralls.io/repos/github/chen-keinan/kube-beacon/badge.svg?branch=main)](https://coveralls.io/github/chen-keinan/kube-beacon?branch=main)
[![Gitter](https://badges.gitter.im/kube-beacon/community.svg)](https://gitter.im/kube-beacon/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)

# Kube-Beacon Project
### Scan your kubernetes runtime !!
Kube-Beacon is an open source audit scanner that performs audit checks on a deployed Kubernetes cluster and outputs a security report. The audit tests are a full implementation of the [CIS Kubernetes Benchmark specification](https://www.cisecurity.org/benchmark/kubernetes/).

NEW !! Audit results can now be forwarded to a webhook via a user plugin (implemented as a Go plugin).
#### Audit checks are performed on master and worker nodes, and the output audit report includes:
* the root cause of the security issue
* a proposed remediation for the security issue

#### Kubernetes cluster audit scan output:
![k8s audit](./pkg/images/beacon.gif)

* [Installation](#installation)
* [Quick Start](#quick-start)
* [Kube-beacon as Docker](#Kube-beacon-as-Docker)
* [Kube-beacon as pod in k8s](#Kube-beacon-as-pod-in-k8s)
* [User Plugin Usage](#user-plugin-usage)
* [Next steps](#Next-steps)

## Installation
```sh
git clone https://github.com/chen-keinan/kube-beacon
cd kube-beacon
make build
```
- Note: kube-beacon must be executed as the root user
## Quick Start
Running kube-beacon without any flags executes all tests:
```sh
./kube-beacon
```
Running kube-beacon with flags executes tests on demand:
```
Usage: kube-Beacon [--version] [--help] []

Available commands are:
-r , --report : run audit tests and generate failure report
-i , --include: execute only specific audit test, example -i=1.2.3,1.4.5
-e , --exclude: ignore specific audit tests, example -e=1.2.3,1.4.5
-n , --node: execute audit tests on specific node, example -n=master,-n=worker
-s , --spec: execute specific audit tests spec, example -s=gke, default=k8s
-v , --version: execute specific audit tests spec version, example -v=1.1.0,default=1.6.0
```
Execute the tests and generate a report of the failed tests:
```sh
./kube-beacon -r
```

## Kube-beacon as pod in k8s
- Run kube-beacon as a pod in the k8s cluster
- Add a cluster role binding with role=cluster-admin (this grants cluster-admin to the default service account in the default namespace, so remove it with the cleanup step below once the scan has completed)
```sh
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
```
```sh
cd jobs
```
- On a plain k8s cluster, run the following job:
```sh
kubectl apply -f k8s.yaml
```
- On a GKE cluster, run the following job:
```sh
kubectl apply -f gke.yaml
```
- Check the k8s pod status
```sh
kubectl get pods --all-namespaces
```
```
NAMESPACE NAME READY STATUS RESTARTS AGE
default kube-beacon-sc8g9 0/1 Completed 0 111s
kube-system event-exporter-gke-8489df9489-skcvv 2/2 Running 0 7m24s
kube-system fluentd-gke-7d5sl 2/2 Running 0 7m6s
kube-system fluentd-gke-f6q5d 2/2 Running 0 6m59s
```
- Check the k8s pod audit output
```sh
kubectl logs kube-beacon-sc8g9
```
- Cleanup (remove the role binding and delete the pod)
```sh
kubectl delete clusterrolebinding default-admin
```
```sh
kubectl delete -f k8s.yaml
```

## User Plugin Usage
Kube-Beacon exposes a hook for user plugins ([example](https://github.com/chen-keinan/kube-beacon/tree/master/examples/plugins)):
- **K8sBenchAuditResultHook** - this hook receives the audit benchmark results as found by the audit report

##### Compile the user plugin
```
go build -buildmode=plugin -o=~//bench_plugin.so //bench_plugin.go
```
##### Copy the plugin to the plugin folder (the .beacon folder is created on first startup)
```
cp //bench_plugin.so ~/.beacon/plugins/compile/bench_plugin.so
```
Note: the plugin and the kube-beacon binary must be compiled in the same Linux environment (Go plugins only load when built with the same Go toolchain and build settings as the host binary)
## Next steps
- Add support for Amazon EKS scanning