https://github.com/chen-keinan/mesh-kridik
mesh-kridik is an open-source security checker that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.
- Host: GitHub
- URL: https://github.com/chen-keinan/mesh-kridik
- Owner: chen-keinan
- License: apache-2.0
- Created: 2021-10-04T08:00:54.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2024-12-09T16:56:32.000Z (10 months ago)
- Last Synced: 2025-04-20T05:32:35.790Z (6 months ago)
- Topics: istio, kubernetes, kubernetes-cluster, opa, open-policy-agent, open-source, policy, scanner, security, service-mesh
- Language: Go
- Homepage:
- Size: 39 MB
- Stars: 26
- Watchers: 1
- Forks: 5
- Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
[Go Report Card](https://goreportcard.com/report/github.com/chen-keinan/mesh-kridik)
[License](https://github.com/chen-keinan/mesh-kridik/blob/main/LICENSE)
[Go workflow](https://github.com/chen-keinan/mesh-kridik/actions/workflows/go.yml)
[Gitter](https://gitter.im/beacon-sec/mesh-kridik?source=orgpage)

# mesh-kridik

Enhance your Kubernetes service mesh security !!

mesh-kridik is an open-source security checker that performs various security checks on a Kubernetes cluster with an Istio service mesh and outputs a security report.
The security checks are a full implementation of the [Istio security best practices](https://istio.io/latest/docs/ops/best-practices/security/).

The checks run against a Kubernetes cluster with an Istio service mesh and use OPA (Open Policy Agent) to enforce the security rules. The resulting audit report includes the root cause of each security issue and a proposed remediation for it.
* [Requirements](#requirements)
* [Installation](#installation)
* [Quick Start](#quick-start)
* [Istio Security Checks](#istio-security-checks)
* [User Plugin Usage](#user-plugin-usage)
* [Supported Spec](#supported-spec)
* [Contribution](#contribution)

## Requirements
- Go 1.16+
- jq
- istio

## Installation
```shell
git clone https://github.com/chen-keinan/mesh-kridik
cd mesh-kridik
make build
```
- Note: mesh-kridik must be run as the root user
## Quick Start
Running mesh-kridik without any flags executes all tests:
```shell
./mesh-kridik
```
Running mesh-kridik with flags executes tests on demand:
```shell
Usage: mesh-kridik [--version] [--help] []

Available commands are:
-r , --report : run security checks and generate remediation report
-i , --include: execute only specific security check, example -i=1.1
-e , --exclude: ignore specific security check, example -e=1.1,2.0
```
Run the tests and generate a report of the failed tests together with their remediations:
```shell
./mesh-kridik -r
```
## Istio Security Checks
| Name | Description | Impact |
|---|---|---|
| Mutual TLS | Istio mutual TLS proxies are configured in permissive mode by default | Proxies will accept both mutual TLS and plaintext traffic |
| Istio Safer Authorization Policy Patterns | Use ALLOW-with-positive-matching or DENY-with-negative-matching patterns | These authorization policy patterns are safer because the worst result in the case of a policy mismatch is an unexpected 403 rejection instead of an authorization policy bypass |
| Path normalization in authorization policy | The enforcement point for authorization policies is the Envoy proxy instead of the usual resource access point in the backend application | A mismatch can lead to either an unexpected rejection or a policy bypass |
| TLS origination for egress traffic | Use a DestinationRule on the ServiceEntry for egress traffic | Without TLS origination, egress traffic to an external service is sent in plaintext |
| Protocol detection | Explicitly declare the service protocol | Misdetection may result in unexpected traffic behavior |
| CNI support | Istio transparent traffic capture | Not all network traffic will be captured |
| Overly broad hosts | Avoid overly broad hosts settings in Gateway | May cause potential exposure of unexpected domains |
| Restrict Gateway creation privileges | Restrict creation of Gateway resources to trusted cluster administrators | May allow creation of a Gateway by untrusted users |
| Configure a limit on downstream connections | Update global_downstream_max_connections in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting TCP connections | No limit on the number of downstream connections can be exploited by a malicious actor |
| Configure third-party service account tokens | It is recommended to configure third-party tokens because the properties of the first-party token are less secure | First-party token properties are less secure and might cause an authentication breach |
| Control Plane | Istiod exposes a few unauthenticated plaintext ports for convenience by default | Exposes the XDS service port 15010 and debug port 8080 over unauthenticated plaintext |
| Data Plane | The proxy exposes a variety of ports | The applications running in the same pod as the proxy have access; there is no trust boundary between the sidecar and the application |
| Understand traffic capture limitations | Securing egress traffic by setting meshConfig.outboundTrafficPolicy.mode | External service access will not be controlled |

## User Plugin Usage (via go plugins)
Kube-kridik exposes a hook for user plugins ([Example](https://github.com/chen-keinan/mesh-kridik/tree/master/examples/plugins)):
- **MeshSecurityCheckResultHook** - this hook accepts the k8s service mesh security check results

##### Compile user plugin
```shell
go build -buildmode=plugin -o=~//.so ~//.go
```
##### Copy the plugin to the plugins folder (the .kube-kridik folder is created on first startup)
```shell
cp ~//.so ~/.kube-kridik/plugins/compile/.so
```
## Supported Spec
Kube-kridik supports the following specifications and can be easily extended:
- The full Istio service mesh best practices: [istio security best practices](https://github.com/chen-keinan/mesh-kridik/tree/master/internal/security/mesh/istio). These specs can be extended by amending the spec files under the `~/.mesh-kridik/security/mesh/istio` folder.
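As an added example, not code from the mesh-kridik project (whose checks are expressed as OPA policies loaded from the spec files above), the Go program below implements two rows of the Istio Security Checks table, Mutual TLS and Safer Authorization Policy Patterns, as plain functions over Istio objects decoded from JSON, and returns findings in the root-cause-plus-remediation shape the report section describes. The `Finding` type, the function names (`Scan`, `checkMutualTLS`, `checkAuthzPattern`) and the `SampleInput` objects are assumptions made for this example; the authorization check only inspects `to[].operation`, which is a simplification of the best practice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding mirrors a report entry (failed check, root cause, proposed remediation); assumed type.
type Finding struct{ Check, Resource, RootCause, Remediation string }

// obj is a loosely typed Istio object as decoded from Kubernetes API JSON.
type obj = map[string]interface{}

func sub(m obj, key string) obj            { s, _ := m[key].(obj); return s }
func str(m obj, key string) string         { s, _ := m[key].(string); return s }
func list(m obj, key string) []interface{} { l, _ := m[key].([]interface{}); return l }
func name(o obj) string {
	m := sub(o, "metadata")
	return str(m, "namespace") + "/" + str(m, "name")
}

// checkMutualTLS covers the "Mutual TLS" row: a PeerAuthentication whose mtls.mode is not
// STRICT leaves the proxies accepting plaintext as well as mTLS. A missing mtls block is
// treated as Istio's default, PERMISSIVE.
func checkMutualTLS(o obj) *Finding {
	if str(o, "kind") != "PeerAuthentication" {
		return nil
	}
	mode := str(sub(sub(o, "spec"), "mtls"), "mode")
	if mode == "STRICT" {
		return nil
	}
	if mode == "" {
		mode = "PERMISSIVE"
	}
	return &Finding{"Mutual TLS", name(o),
		"mtls.mode is " + mode + "; proxies accept plaintext as well as mutual TLS traffic",
		"set spec.mtls.mode to STRICT"}
}

// checkAuthzPattern covers the "Safer Authorization Policy Patterns" row: ALLOW rules should
// match positively (paths, hosts, ...) and DENY rules negatively (notPaths, notHosts, ...),
// so that a mismatch fails closed with a 403 instead of bypassing the policy.
func checkAuthzPattern(o obj) *Finding {
	if str(o, "kind") != "AuthorizationPolicy" {
		return nil
	}
	action := str(sub(o, "spec"), "action")
	if action == "" {
		action = "ALLOW" // Istio's default action
	}
	for _, rule := range list(sub(o, "spec"), "rules") {
		r, _ := rule.(obj)
		for _, to := range list(r, "to") {
			t, _ := to.(obj)
			for key := range sub(t, "operation") {
				negative := strings.HasPrefix(key, "not")
				if (action == "ALLOW" && negative) || (action == "DENY" && !negative) {
					return &Finding{"Safer Authorization Policy Patterns", name(o),
						action + " policy matches on " + key + "; a mismatch would bypass the policy",
						"rewrite as ALLOW-with-positive-matching or DENY-with-negative-matching"}
				}
			}
		}
	}
	return nil
}

// Scan runs every check over a JSON array of objects; findings come back in input order.
func Scan(doc string) ([]Finding, error) {
	var objects []obj
	if err := json.Unmarshal([]byte(doc), &objects); err != nil {
		return nil, fmt.Errorf("decode input: %w", err)
	}
	var findings []Finding
	for _, o := range objects {
		for _, check := range []func(obj) *Finding{checkMutualTLS, checkAuthzPattern} {
			if f := check(o); f != nil {
				findings = append(findings, *f)
			}
		}
	}
	return findings, nil
}

// SampleInput is a constructed set of objects, not taken from any cluster.
const SampleInput = `[
 {"kind":"PeerAuthentication","metadata":{"namespace":"istio-system","name":"default"},"spec":{"mtls":{"mode":"PERMISSIVE"}}},
 {"kind":"PeerAuthentication","metadata":{"namespace":"prod","name":"strict"},"spec":{"mtls":{"mode":"STRICT"}}},
 {"kind":"AuthorizationPolicy","metadata":{"namespace":"prod","name":"allow-negative"},"spec":{"action":"ALLOW","rules":[{"to":[{"operation":{"notPaths":["/admin"]}}]}]}},
 {"kind":"AuthorizationPolicy","metadata":{"namespace":"prod","name":"deny-negative"},"spec":{"action":"DENY","rules":[{"to":[{"operation":{"notPaths":["/public"]}}]}]}}
]`

func main() {
	findings, err := Scan(SampleInput)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n  root cause : %s\n  remediation: %s\n", f.Check, f.Resource, f.RootCause, f.Remediation)
	}
}
```

Run with `go run`: the PERMISSIVE PeerAuthentication and the ALLOW policy that relies on `notPaths` are reported, while the STRICT PeerAuthentication and the DENY-with-negative-matching policy pass. Swapping the JSON for the output of `kubectl get peerauthentications,authorizationpolicies -A -o json` (the `.items` array) runs the same two checks against a real cluster.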
## Contribution
- Code contributions are welcome!! Contributions that come with tests and pass the linter are more than welcome :)
- The /.dev folder includes a Vagrantfile to be used for development: [Dev Instruction](https://github.com/chen-keinan/mesh-kridik/tree/master/.dev)