Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

The top 11 open-source Kubernetes security tools

It’s a good idea to consider a range of Kubernetes security tools. Open source solutions can greatly improve the security of your Kubernetes clusters, so this section explores the top 11 open-source Kubernetes security tools that can help to safeguard your Kubernetes environment.

9 minutes read

Kubernetes security: A refresher

As its adoption surges, more organizations are turning their attention to Kubernetes security, working to fortify their clusters against potential threats. It’s a good instinct. The open-source nature of Kubernetes makes it a lucrative target for attackers aiming to exploit vulnerabilities to breach systems. A secure Kubernetes environment ensures the confidentiality, integrity, and availability of applications, safeguarding business assets and data from unauthorized access. Before turning to an action plan for a robust Kubernetes environment, let’s start by taking a look at some common risks, critical components to secure, and challenges.

Common vulnerabilities and threats in Kubernetes environments

Kubernetes environments are susceptible to a range of threats, inclu

ding but not limited to:

  • API vulnerabilities: Misconfigured APIs can expose sensitive data and grant unauthorized access.

  • Container vulnerabilities: Containers can carry malware and become a gateway for attackers.

  • Insecure configurations: Default configurations might not be secure, leaving the system vulnerable to attacks.

Understanding these vulnerabilities is just the first step. It's equally important to know which components need safeguarding to mitigate these risks. This is where Kubernetes security testing tools play a crucial role, helping organizations identify and address potential vulnerabilities before they can be exploited.

Components and domains to secure in Kubernetes

Securing various components and domains in Kubernetes is essential to build a strong security posture. Here are the most critical areas:

  • Nodes and kubelet: Ensure nodes are configured securely and that kubelet, the primary node agent, is safeguarded against unauthorized access.

  • API server: The API server is the gateway to the Kubernetes control plane. Secure it by enforcing strict authentication and authorization policies.

  • etcd: As a key-value store holding all Kubernetes cluster data, etcd should be protected with strong encryption to prevent data tampering.

  • Network: Implement network policies to control traffic flow between pods/containers, mitigating the risk of network attacks.

  • Workloads (pods, deployments, etc.): Secure workloads by adhering to the principle of least privilege, granting only necessary permissions to applications.

  • Secrets and ConfigMaps: Protect sensitive data stored in Secrets and ConfigMaps through encryption and access controls.

Challenges in Kubernetes security

Securing a Kubernetes environment is no easy task. There are many challenges, including:

  • Misconfigurations: Simple errors in configuration can open up significant vulnerabilities.

  • Inadequate network policies: Lax network policies can allow unauthorized access to network resources.

  • Lack of resource isolation: Failure to isolate resources can result in cross-contamination and data breaches.

  • Insufficient monitoring and logging: Detecting and responding to threats becomes increasingly more complicated without proper monitoring.

How security tools can help

In the face of these challenges, security tools come to the rescue. Among other benefits, security tools can offer:

  • Automated security checks: When the process of identifying vulnerabilities is automated, you save time and reduce the risk of human error.

  • Policy enforcement: Security tools help set and enforce policies to keep the Kubernetes environment safe.

  • Real-time threat detection: Leveraging real-time monitoring tools facilitates quick threat detection and mitigation.

  • Compliance assurance: Use tools to make sure that Kubernetes clusters comply with industry standards and regulations, fostering trust with stakeholders.

Kubernetes security tools

It’s a good idea to consider a range of Kubernetes security tools. Open source solutions can greatly improve the security of your Kubernetes clusters, so this section explores the top 11 open-source Kubernetes security tools that can help to safeguard your Kubernetes environment.

Configuration and compliance scanners

Configuration and compliance scanners are indispensable tools in the Kubernetes ecosystem. They scan Kubernetes configurations for security misconfigurations and ensure compliance with best practices, acting as the first line of defense against potential security breaches.

kube-bench

kube-bench is an open-source tool that verifies the secure deployment of Kubernetes based on the CIS Kubernetes Benchmark guidelines. With its YAML-configured tests, updating the tool as standards change is straightforward:

Figure 1: kube-bench report (Source: Github)
Use cases
Use CaseDescription
Cluster hardeningWith kube-bench, you can automatically check a cluster's setup against the security standards set by the CIS Benchmarks..
Policy enforcementVerify RBAC setup to make sure service accounts and users have minimal privileges. The tool also examines pod security practices and how secrets are managed.
Network segmentationkube-bench can check CNI and ensure every namespace has defined network policies.

Checkov

Checkov is a static code analysis tool built by Bridgecrew and maintained by Prisma Cloud. It scans cloud infrastructure configurations to identify security misconfigurations before deployment. Checkov supports a wide range of infrastructure as code (IaC) languages, including Terraform, CloudFormation, and Kubernetes YAML files. And it comes with built-in policies that adhere to best practices and lets you write custom policies in Python or YAML.

# Installing Checkov using pip
pip install checkov

# Running a Checkov scan on a specific file
checkov -f main.tf

# Running a Checkov scan on a directory
checkov --directory /user/path/to/iac/code

# Specifying a framework to scan (e.g., terraform, cloudformation, kubernetes)
checkov --framework kubernetes
Use cases
Use CaseDescription
Scanning Terraform files for misconfigurationsSpot and correct mistakes in Terraform files that might pose security and compliance threats. For instance, Checkov can detect if a sensitive resource is exposed to the public internet or if encryption or logging is not enabled for a storage bucket.
Scanning Kubernetes manifestsCheckov examines Kubernetes manifests for vulnerabilities and misconfigurations so that you can maintain a secure and compliant Kubernetes environment.

Terrascan

Terrascan is a tool that scans infrastructure as code (IaC) for potential issues. It checks for misconfigurations in IaC and keeps an eye on cloud setups for any changes that might weaken security. Before you set up cloud-native systems, Terrascan helps catch and fix security gaps and compliance breaches. You can use it on its own or add it to your CI/CD process. It works with many IaC languages, like Terraform, Kubernetes, and Dockerfile, and it’s compatible with cloud giants like AWS, Azure, and GCP.

Figure 2: Terrascan output (Source: Github)
Use cases
Use CaseDescription
Scanning Terraform files:Terrascan can review your Terraform files and highlight any discrepancies it detects. For instance, it can detect high-severity violations, such as when S3 bucket versioning is not enabled, simplifying recovery from unintended user actions.
Scanning Kubernetes manifestsAs we’ve seen, Terrascan is adept at scanning Kubernetes manifests to identify security and compliance policy violations.
Creating custom policiesYou can create custom policies using Rego, a declarative language for policy enforcement.

KubeLinter

KubeLinter is an open-source command-line tool that spots misconfigurations in Kubernetes objects. It reviews Kubernetes YAML files and Helm charts before they're deployed to a cluster. With 19 default checks and the option to add your own, KubeLinter quickly alerts you to any missteps or security breaches in Kubernetes. Developed using Go, KubeLinter requires minimal configuration and is easy to use in various command-line shells.

# Installing KubeLinter using Homebrew
brew install kube-linter

# Linting a single Kubernetes YAML file
kube-linter lint path/to/yaml-file.yaml

# Linting an entire directory and its subcontents
kube-linter lint path/to/directory/containing/yaml-files/

# Linting a Helm chart
kube-linter lint path/to/directory/containing/Chart.yaml-file/
Use cases
Use CaseDescription
Linting YAML filesKubeLinter can lint individual YAML files or entire directories containing YAML files, helping developers identify and fix misconfigurations and security violations before deploying them into a Kubernetes cluster.
Linting Helm chartsHelm charts, which package Kubernetes applications, can also be linted using KubeLinter to ensure they adhere to security best practices and are free from misconfigurations.
Custom checksCreate custom checks to enforce specific policies within your organization.

Runtime security and threat detection tools

Kubernetes runtime security tools are vital in monitoring Kubernetes clusters in real time to detect and respond to security threats. These tools provide an added layer of protection, ensuring that any malicious activities or anomalies are promptly identified and addressed, safeguarding the integrity of the cluster.

Falco

Falco is a cloud-native runtime security project initially created by Sysdig and now maintained by the Cloud Native Computing Foundation (CNCF). It leverages system calls at the kernel level to monitor the runtime behavior of a system, integrating metadata from container runtime and Kubernetes to clarify what's happening. Falco can detect abnormal behavior and potential security threats in real time, offering a powerful rules engine to assert the stream of syscalls and alert users when rules are violated.

Figure 3: Falco overview (Source: Sysdig Blog)
Use cases
Use CaseDescription
Compliance with industry regulationsFalco can help organizations comply with industry regulations and align with security frameworks like PCI, DSS, and NIST by actively detecting misconfigurations and threats in real time.
Monitoring legacy and cloud-native infrastructuresFalco monitors both legacy infrastructures and modern cloud-native environments, including containers and Kubernetes, ensuring a secure operational landscape.
Custom detectionsYou can add custom detections to Falco, enhancing its ability to identify a broader range of threats and misconfigurations and tailoring the tool to meet your specific security needs.

kube-hunter

kube-hunter, created by Aqua Security, is an open-source tool that searches for security gaps in Kubernetes clusters. It can be run in different modes to simulate various attack scenarios and identify potential vulnerabilities from both outside and inside the cluster. kube-hunter offers a range of scanning options—including remote scanning, interface scanning, and network scanning—to provide a comprehensive view of the security posture of your Kubernetes setup.

# Running kube-hunter remotely
kube-hunter --remote some.node.com

# Running kube-hunter on all machine's network interfaces
kube-hunter --interface

# Running kube-hunter on a specific CIDR
kube-hunter --cidr 192.168.0.0/24

# Running kube-hunter actively to exploit vulnerabilities it finds
kube-hunter --remote some.domain.com --active
Use cases
Use CaseDescription
Remote scanningRun kube-hunter remotely to get a glimpse of an attacker's view of your Kubernetes setup, and identify vulnerabilities that can be exploited from outside the cluster.
Interface scanningWhen run on all of a machine’s network interfaces, kube-hunter can identify potential vulnerabilities accessible through different network paths.
Active huntingUse the active hunting feature to explore found vulnerabilities further, and gain deep insight into potential security risks.

Policy management and enforcement

Policy management and enforcement tools allow users to define and enforce security policies across Kubernetes clusters. These tools ensure consistent security standards, making it easier to maintain a secure and compliant environment throughout the cluster's lifecycle.

Open Policy Agent (OPA)

Open Policy Agent (OPA) is an open-source, versatile policy engine that streamlines policy application across different areas, such as microservices, Kubernetes, CI/CD processes, and API gateways. OPA allows you to specify policies as code using Rego. It can also easily connect with your software, making policy decisions based on various data inputs.This flexibility makes it a powerful tool for policy enforcement in a wide range of applications.

Figure 4: Admission Control Flow with OPA in Kubernetes (Source: OPA Docs)
Pro tip

Once a build has been approved, Kubernetes environments, container hosts, and clusters 
 should be hardened using Open Policy Agent (OPA)-based configuration rules and Kubernetes admission policies.

Learn more
Use cases
Use CaseDescription
Microservices policy enforcementOPA can be used to enforce policies in microservices, ensuring that only authorized users can access specific resources and that traffic is allowed only through secure channels.
Kubernetes securityOPA can work with Kubernetes to set policies on user access to resources, determine where a workload should be deployed, and specify which OS functions a container can run, among other tasks.
CI/CD pipelinesIn CI/CD pipelines, OPA can enforce policies that govern the deployment process, ensuring compliance with organizational and industry standards.

kubeaudit

kubeaudit helps you audit Kubernetes clusters for various security concerns, including the detection of misconfigurations and non-compliance with best practices. It's tailored for Red Hat OpenShift and can scan user code for recognized mismatches, assisting in resolving them before integrating the code into OpenShift. A static analyzer that is easy to use and extend, kubeaudit also offers a platform for community contributions to enhance its auditing capabilities.

# Example audit report of a YAML file with kubeaudit
$ kubeaudit all -f "deployment--v1.yml"

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: deployment
    namespace: deployment-v1

--------------------------------------------
...
-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
   Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.

-- [error] CapabilityShouldDropAll
   Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
   Metadata:
      Container: container
      Capability: AUDIT_WRITE
...
Use cases
Use CaseDescription
Identifying pod security admission issueskubeaudit can identify issues related to pod security configuration in manifests, and it also suggests resolutions.
NetworkPolicy analysisUse kubeaudit to analyze NetworkPolicy configurations and identify issues.
Custom auditsDevelopers can add custom audits to kubeaudit to meet specific organizational security needs with a simple initialization (INI) syntax, defining various fields to create a comprehensive audit that includes severity levels and diagnostic messages.

Network security and service mesh

Network security and service mesh tools provide network policies, segmentation, and service mesh capabilities to secure communications within Kubernetes. These tools play a crucial role in preventing unauthorized access and ensuring data integrity during transmission.

Calico

Calico is an open-source networking solution and network policy engine for containers. It operates at layer 3 of the networking stack, providing both networking and network policy for Kubernetes. The tool uses the Border Gateway Protocol (BGP) to handle packet routing to pods. Calico can be used as a standalone tool or in conjunction with others, like Flannel.

Calico also extends the features of the built-in Kubernetes NetworkPolicy API, allowing you to apply policies to a broader range of objects and offering more granular control over traffic flow in your Kubernetes environment.

# Example of allowing ingress traffic to endpoints in the production namespace with database label is permitted, only if it comes from a pod in the same namespace with backend label, on port 6379
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  selector: app == 'database'
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'backend'
      destination:
        ports:
          - 6379
Use cases
Use CaseDescription
Enhanced network policiesCalico lets you create network policies that are more comprehensive than those available through the Kubernetes NetworkPolicy API, including the ability to specify actions (allow, deny, log) and to use a wider range of selectors and attributes in policy rules.
Integration with existing Kubernetes featuresCalico can be used alongside existing Kubernetes networking features, enhancing those features with its APIs to provide more flexible and robust network policy capabilities.
Multi-environment policiesFor consistent policy enforcement across different environments, Calico policies can be applied not just to pods but to a range of objects, including containers, virtual machines, and network interfaces.

Istio

Istio is a robust open-source service mesh designed for Kubernetes, facilitating the connection, security, management, and monitoring of services. It boasts features like traffic control, security measures, monitoring options, and adaptability.

Istio deploys a sidecar proxy (Envoy) with each service instance, so it can intercept and manage all incoming and outgoing traffic. This architecture enables Istio to enforce policies, collect telemetry, and facilitate advanced traffic routing patterns like canary deployments and circuit breaking.

Figure 5: Istio service connection overview (Source: Istio)
Use cases
Use CaseDescription
Traffic managementIstio's traffic management capabilities accommodate advanced routing patterns, such as directing traffic to different versions of a service based on request headers or weights. This is particularly useful for canary deployments and A/B testing.
SecurityIstio offers a strong security setup with features such as mutual TLS authentication between services, detailed access management, and identity checks, guaranteeing safe communication inside the cluster.
ObservabilityWith Istio, you gain deep insights into your service mesh with features like distributed tracing, monitoring, and logging, and the result is efficient debugging and performance optimization.

Exploit detection

Exploit detection tools identify potential escape techniques and exploits in Kubernetes environments. By actively monitoring and analyzing system behaviors, these tools play a pivotal role in preventing unauthorized breaches and ensuring the overall security of the environment.

Kubescape

Kubescape, developed by ARMO, is a Kubernetes security platform that’s a Cloud Native Computing Foundation (CNCF) sandbox project. The platform facilitates risk analysis, security compliance, and misconfiguration scanning in Kubernetes environments. Kubescape can check clusters, YAML files, and Helm charts, detecting misconfigurations using frameworks including NSA/CISA, MITRE ATT&CK®, and the CIS Benchmarks.

Figure 6: Kubescape scan output (Source: Kubescape Docs)
Use cases
Use CaseDescription
Risk analysisKubescape can perform risk analysis on your Kubernetes configurations, helping identify potential vulnerabilities and areas where best practices aren’t being followed.
Security complianceTo ensure compliance with various security frameworks, Kubescape provides detailed reports that help you understand your compliance status and areas where improvements are needed.
Automated scanning in CI/CD pipelinesBy integrating Kubescape into your CI/CD pipelines, you can automatically scan Kubernetes configurations and catch potential issues early in the development lifecycle.

Securing K8s across the entire development lifecycle

Securing Kubernetes (K8s) is a continuous process that spans the entire development lifecycle.

The importance of continuous security

Here’s why it’s critical to treat Kubernetes security as an ongoing priority, starting at the planning phase of your implementation:

  • Early detection of vulnerabilities: Integrating security from the outset translates directly to the early detection of Kubernetes vulnerabilities, reducing potential risks in later stages of development.

  • Cost-efficiency: Addressing security breaches post-deployment is an expensive process. Early security integrations are significantly more cost efficient.

  • Compliance with regulations: Continuous security ensures that your system adheres to the necessary regulatory compliances at all stages of development. By constantly monitoring and updating in response to evolving standards, it guarantees that the system remains in line with industry regulations. This proactive approach reduces the risk of non-compliance penalties and ensures that security measures are always up to date.

Risks of late-stage security implementations

  • Increased complexity: The later the development stage, the more complex security implementation becomes. That’s because accumulated data and configurations come with a lot of baggage, like dependencies and interconnected system components.

  • Potential security breaches: Late-stage security implementations mean your system has been vulnerable to attacks for an extended period.

  • Reputational damage: Don’t wait for a security breach to prioritize security. Cyberattacks can damage an organization's reputation, leading to a loss of trust among clients and stakeholders.

Wiz's container and Kubernetes security solution

While the tools covered in this blog post cater to many different aspects of Kubernetes security, Wiz stands out as a single–platform solution that’s specifically tailored for container and Kubernetes environments. Wiz empowers both security and development teams by providing visibility, context, and risk prioritization throughout the entire development lifecycle. Some of its standout features include:

  • Comprehensive security: Wiz offers a comprehensive security approach, covering all aspects of Kubernetes security to make sure you’re defended against potential threats.

  • Ease of integration: With seamless integration into existing systems, Wiz provides complete security coverage without disrupting your existing workflows.

  • Real-time monitoring: Wiz offers real-time monitoring of the entire Kubernetes environment, providing instant alerts for security breaches, so you can respond to threats fast.

Empower your developers to be more productive, from code to production

Learn why the fastest growing companies choose Wiz to secure containers, Kubernetes, and cloud environments from build-time to real-time.

Get a demo 

Other tool roundups you might be interested in:

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.