Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/k8scop/k8s-security-dashboard
A security monitoring solution for Kubernetes
https://github.com/k8scop/k8s-security-dashboard
kubernetes security-monitoring security-tools
Last synced: 26 days ago
JSON representation
A security monitoring solution for Kubernetes
- Host: GitHub
- URL: https://github.com/k8scop/k8s-security-dashboard
- Owner: k8scop
- License: gpl-3.0
- Created: 2019-01-29T18:55:43.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2023-10-18T01:49:10.000Z (about 1 year ago)
- Last Synced: 2024-03-15T08:40:31.311Z (9 months ago)
- Topics: kubernetes, security-monitoring, security-tools
- Language: Python
- Homepage:
- Size: 2.5 MB
- Stars: 128
- Watchers: 6
- Forks: 23
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-k8s-security - k8s-security-dashboard
- awesome-cloud-native - k8s-security-dashboard - A security monitoring solution for Kubernetes. (Security)
- awesome-hacking-lists - k8scop/k8s-security-dashboard - A security monitoring solution for Kubernetes (Python)
README
# Kubernetes Security Dashboard
This guide assists in configuring a logging architecture for Kubernetes, meant to store and parse audit logs. After setting up the logging architecture, run K8sCop for static or streaming analysis, and import the security dashboard in Kibana to obtain full visibility over Kubernetes cluster activity.
- [Kubernetes Security Dashboard](#kubernetes-security-dashboard)
- [TL;DR](#tldr)
- [Big Picture](#big-picture)
- [Installation](#installation)
- [kube-apiserver arguments](#kube-apiserver-arguments)
- [Setting up Elasticsearch and Kibana](#setting-up-elasticsearch-and-kibana)
- [Deploying fluent](#deploying-fluent)
- [Preparation](#preparation)
- [Deployment](#deployment)
- [Debugging](#debugging)
- [K8sCop](#k8scop)
- [Security Dashboard](#security-dashboard)
- [Preview](#preview)
- [Importing the Dashboard](#importing-the-dashboard)## TL;DR
- Make the `kube-apiserver` store audit logs
- Set up Elasticsearch and Kibana outside or inside Kubernetes
- Deploy the Fluent daemon to push logs to Elasticsearch
- Run K8sCop for static or streaming analysis of logs and labelling of events
- Import and view the Security Dashboard in Kibana## Big Picture
![](images/diagram.png)
## Installation
### kube-apiserver arguments
The `kube-apiserver` has the possiblity to keep and store audit logs. By adding the following arguments to the `/etc/kubernetes/manifests/kube-apiserver.yaml` file:
```bash
containers:
- command:
- kube-apiserver
[arguments]
- --audit-policy-file=/etc/kubernetes/policies/adv-audit.yaml
- --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log
- --audit-log-format=json
[arguments]
volumeMounts:
[options]
- mountPath: /etc/kubernetes/policies
name: policies
readOnly: true
- mountPath: /var/log/kubernetes
[options]
- hostPath:
path: /etc/kubernetes/policies
type: DirectoryOrCreate
name: policies
- hostPath:
path: /var/log/kubernetes
type: DirectoryOrCreate
name: var-log-kubernetes
```An example configuration file can be found [here](configs/kubernetes/kube-apiserver.yaml). Create the `policies` directory in `/etc/kubernetes` and copy [this yaml file](configs/kubernetes/adv-audit.yaml) to the newly created directory.
### Setting up Elasticsearch and Kibana
Follow this very nice and detailed guide on [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-16-04).
### Deploying fluent
#### Preparation
Create the mount directory for the fluent configuration:
```bash
# mkdir -p /var/share/volumes/fluent/etc
```Add the files from the `configs/fluent` folder:
```bash
# cp entrypoint.sh Gemfile /var/share/volumes/fluent/.
# cp fluent.conf /var/share/volumes/fluent/etc/.
```Change the environment variables to connect to the installed elasticsearch installation:
```yaml
- name: fluentd
image: fluent/fluentd-kubernetes-daemonset:v1.1-debian-elasticsearch
env:
- name: FLUENT_ELASTICSEARCH_HOST
value: "192.168.178.65"
- name: FLUENT_ELASTICSEARCH_PORT
value: "9200"
- name: FLUENT_ELASTICSEARCH_SCHEME
value: "http"
- name: FLUENT_UID
value: "0"
- name: FLUENT_ELASTICSEARCH_USER # even if not used they are necessary
value: "foo"
- name: FLUENT_ELASTICSEARCH_PASSWORD # even if not used they are necessary
value: "bar"
resources:
```#### Deployment
Apply the yaml configuration file:
```bash
$ kubectl apply -f fluentd-setup.yml
```There should be a `kube-logging` namespace, containing a volume (claim), a fluent pod and service account.
### Debugging
To check the progress or to debug error messages, run the following command:
```bash
$ kubectl --namespace kube-logging logs fluent-[identifier] init-fluentd -f
```This will stream the init containers' stdout/stderr while installing the required gems.
Omit `init-fluentd` to stream the logs of the actual container.## K8sCop
K8sCop specifics are described [here](alert-system/README.md).
## Security Dashboard
### Preview
An overview of all requests made inside Kubernetes and a pie chart of user activity, computer by requests per user.
![](images/dashboard1.png)
A pie chart of the different types of alerts and an overview of the latest alerts made by K8sCop.
![](images/dashboard2.png)
An overview of shell commands executed and kubectl interaction, with a list of attempts at secrets retrieval and requests that have been unauthorised.
![](images/dashboard3.png)
An overview of privileged pod spawning.
![](images/dashboard4.png)
### Importing the Dashboard
- Navigate to the management interface of Kibana
- Go into Saved Objects
- Import the json objects [file](configs/kibana/k8s-security-dashboard.json)