projectcapsule / capsule

Multi-tenancy and policy-based framework for Kubernetes.
https://projectcapsule.dev/
Apache License 2.0

Evaluate needed security measures as defined in Kubernetes Hardening Guidance #405

Open ptx96 opened 3 years ago

ptx96 commented 3 years ago

Background

The Kubernetes Hardening Guidance by NSA and CISA details recommendations to harden Kubernetes systems;

while some security measures depend on the target cluster and its architecture, others are closely related to containers and Pods, due to possible vulnerabilities, misconfiguration, and wrong privileges.

Proposal

To speed up the recognition and fix of possible breaches, we could test the armosec/kubescape utility against the namespace of a freshly installed capsule;

then, consider which actions to take and which to exclude as out of scope/unrepairable.

Tests Output

Cluster scan:

Namespaces:

capsule-cluster-nsa-2021-10-29.log capsule-cluster-mitre-2021-10-29.log

Preview

NSA


Resources affected:

| Resource kind | Resource name | Namespace | Failed controls |
|---|---|---|---|
| ClusterRole | cluster-admin | | C-0035, C-0002 |
| ClusterRole | admin | | C-0002 |
| ClusterRoleBinding | capsule-manager-rolebinding | | C-0035, C-0002 |
| ClusterRoleBinding | cluster-admin | | C-0035, C-0002 |
| ConfigMap | kube-root-ca.crt | tenant-security-ns | C-0012 |
| ConfigMap | kube-root-ca.crt | capsule-system | C-0012 |
| Deployment | capsule-controller-manager | capsule-system | C-0017, C-0055, +1 |
| Namespace | capsule-system | | C-0011 |
| RoleBinding | namespace:admin | tenant-security-ns | C-0002 |
| ServiceAccount | default | capsule-system | C-0034 |
| ServiceAccount | default | tenant-security-ns | C-0034 |
| ServiceAccount | capsule | capsule-system | C-0034 |

MITRE


Resources affected:

| Resource kind | Resource name | Namespace | Failed controls |
|---|---|---|---|
| ClusterRole | system:controller:pod-garbage-collector | | C-0007 |
| ClusterRole | system:kube-controller-manager | | C-0015, C-0007 |
| ClusterRole | admin | | C-0002, C-0015, +1 |
| ClusterRole | system:controller:resourcequota-controller | | C-0015 |
| ClusterRole | system:kube-scheduler | | C-0007 |
| ClusterRole | system:controller:statefulset-controller | | C-0007 |
| ClusterRole | system:controller:job-controller | | C-0007 |
| ClusterRole | system:controller:daemon-set-controller | | C-0007 |
| ClusterRole | system:controller:expand-controller | | C-0015 |
| ClusterRole | system:controller:namespace-controller | | C-0015, C-0031, +1 |
| ClusterRole | system:controller:horizontal-pod-autoscaler | | C-0015 |
| ClusterRole | system:controller:deployment-controller | | C-0007 |
| ClusterRole | system:controller:replication-controller | | C-0007 |
| ClusterRole | system:controller:persistent-volume-binder | | C-0015, C-0007 |
| ClusterRole | system:controller:node-controller | | C-0007 |
| ClusterRole | system:controller:ttl-after-finished-controller | | C-0007 |
| ClusterRole | system:controller:replicaset-controller | | C-0007 |
| ClusterRole | capsule-proxy-role | | C-0053 |
| ClusterRole | system:controller:generic-garbage-collector | | C-0015, C-0031, +1 |
| ClusterRole | system:controller:cronjob-controller | | C-0007 |
| ClusterRole | local-path-provisioner-role | | C-0007 |
| ClusterRole | cluster-admin | | C-0053, C-0035, +4 |
| ClusterRoleBinding | system:controller:ttl-after-finished-controller | | C-0007 |
| ClusterRoleBinding | system:controller:deployment-controller | | C-0007 |
| ClusterRoleBinding | system:controller:cronjob-controller | | C-0007 |
| ClusterRoleBinding | system:controller:namespace-controller | | C-0015, C-0031, +1 |
| ClusterRoleBinding | system:controller:expand-controller | | C-0015 |
| ClusterRoleBinding | system:controller:statefulset-controller | | C-0007 |
| ClusterRoleBinding | system:controller:node-controller | | C-0007 |
| ClusterRoleBinding | system:controller:persistent-volume-binder | | C-0015, C-0007 |
| ClusterRoleBinding | system:controller:daemon-set-controller | | C-0007 |
| ClusterRoleBinding | system:controller:horizontal-pod-autoscaler | | C-0015 |
| ClusterRoleBinding | system:controller:job-controller | | C-0007 |
| ClusterRoleBinding | system:controller:replication-controller | | C-0007 |
| ClusterRoleBinding | system:controller:pod-garbage-collector | | C-0007 |
| ClusterRoleBinding | system:controller:resourcequota-controller | | C-0015 |
| ClusterRoleBinding | system:kube-scheduler | | C-0007 |
| ClusterRoleBinding | local-path-provisioner-bind | | C-0007 |
| ClusterRoleBinding | capsule-manager-rolebinding | | C-0053, C-0035, +4 |
| ClusterRoleBinding | cluster-admin | | C-0035, C-0002, +3 |
| ClusterRoleBinding | system:controller:generic-garbage-collector | | C-0015, C-0031, +1 |
| ClusterRoleBinding | system:controller:replicaset-controller | | C-0007 |
| ClusterRoleBinding | capsule-proxy-rolebinding | | C-0053 |
| ClusterRoleBinding | system:kube-controller-manager | | C-0015, C-0007 |
| ConfigMap | kube-root-ca.crt | capsule-system | C-0012 |
| ConfigMap | kube-root-ca.crt | tenant-security-ns | C-0012 |
| Deployment | capsule-controller-manager | capsule-system | C-0053 |
| MutatingWebhookConfiguration | capsule-mutating-webhook-configuration | | C-0039 |
| Namespace | capsule-system | | C-0054, C-0049 |
| RoleBinding | namespace:admin | tenant-security-ns | C-0002, C-0015, +1 |
| ValidatingWebhookConfiguration | capsule-validating-webhook-configuration | | C-0036 |

HELM Charts scan:

capsule-helm-nsa-2021-10-29.log capsule-helm-mitre-2021-10-29.log

Test parameters

prometherion commented 3 years ago

@ptx96 can you run the test suite again excluding the Capsule Namespace and update the comment with the new results?

We can ignore the capsule-system Namespace since our Operator has to act as cluster admin.

ptx96 commented 3 years ago

Added more tests to the issue description.

> @ptx96 can you run the test suite again excluding the Capsule Namespace and update the comment with the new results?

In this way, only cluster-wide resources have been retrieved (probably out of scope).

> We can ignore the capsule-system Namespace since our Operator has to act as cluster admin.

I don't think we should ignore capsule-system namespace, because we'd lose focus on some interesting checks.

bsctl commented 3 years ago

@maxgio92 could you please take care of this along with @ptx96 ?

ptx96 commented 3 years ago

I spun up a new round of controls on clusters and charts after kubescape and capsule had been updated to the most recent version.


We should discuss which elements need to be excluded from scrutiny as impossible to circumvent (risk acceptance);

furthermore, it would be useful to put these controls inside the Capsule GitHub Actions CI.

@bsctl @prometherion WDYT?
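As an added example (not code from this issue or from the Capsule project), the triage step behind both suggestions above, excluding a Namespace from the results and gating CI on what is left after risk acceptance, in Python: it parses the "Resources affected" table in the layout pasted in the issue description, drops excluded Namespaces, subtracts findings recorded as accepted risk, and returns a status a CI job can fail on. The sample rows are constructed from the tables above; the exclusion and acceptance lists are assumptions chosen for illustration, not a decision the thread reached.

```python
import re
from collections import defaultdict

# Constructed sample in the "Resources affected" layout kubescape prints:
# kind, name, optional namespace (empty for cluster-scoped objects), controls.
SAMPLE_SCAN = """\
ClusterRole cluster-admin   C-0035 , C-0002
ClusterRoleBinding capsule-manager-rolebinding   C-0035 , C-0002
ConfigMap kube-root-ca.crt tenant-security-ns C-0012
ConfigMap kube-root-ca.crt capsule-system C-0012
Deployment capsule-controller-manager capsule-system C-0017 , C-0055 , +1
ServiceAccount default tenant-security-ns C-0034
"""

# A control id looks like C-0035; "+N" is kubescape's "N more controls" marker.
CONTROL = r"(?:C-\d{4}|\+\d+)"
ROW = re.compile(
    rf"^(?P<kind>\S+)\s+(?P<name>\S+)\s+(?:(?P<ns>(?!{CONTROL}\b)\S+)\s+)?"
    rf"(?P<controls>{CONTROL}(?:\s*,\s*{CONTROL})*)\s*$"
)

def parse_rows(text):
    """Parse the table into (kind, name, namespace, [controls]) tuples.
    A '+N' entry is kept as-is so the caller knows the row was truncated and
    the full log must be consulted for the remaining control ids."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or unparseable row
        controls = [c.strip() for c in m["controls"].split(",")]
        rows.append((m["kind"], m["name"], m["ns"] or "", controls))
    return rows

def triage(text, exclude_namespaces=(), accepted=()):
    """Return {control: [resource, ...]} for findings that survive both the
    namespace exclusion and the risk-acceptance list. `accepted` holds
    (kind, name, control) triples the team has signed off on."""
    open_findings = defaultdict(list)
    for kind, name, ns, controls in parse_rows(text):
        if ns in exclude_namespaces:
            continue
        for ctl in controls:
            if (kind, name, ctl) in accepted:
                continue
            label = f"{kind}/{name}" + (f" ({ns})" if ns else "")
            open_findings[ctl].append(label)
    return dict(open_findings)

def ci_gate(text, **kw):
    """Exit status for a CI job: 0 when nothing is left open, 1 otherwise."""
    return 0 if not triage(text, **kw) else 1
```

Feeding it the real log rather than the sample is a matter of reading the file into `triage`; the `+N` markers are the rows where the full log still has to be read by hand.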

alegrey91 commented 3 years ago

Guys, let's consider also using this tool from aquasec: https://github.com/aquasecurity/kube-bench

ptx96 commented 3 years ago

> Guys, let's consider also using this tool from aquasec: https://github.com/aquasecurity/kube-bench

Nice catch @alegrey91!

These controls, however, are very good when focused on Kubernetes post-deployment hardening, while as regards Kubernetes resources, kube-bench will only show manual checks that the operator should perform as described in the policy config (among other things, still stopped at Kubernetes v1.20 with PSP).


Anyway, we should consider it during PaaS steps.