Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite

tl;dr You can now have Scout Suite scan not only your cloud environments, but your Kubernetes clusters. Just have your kubeconfig ready and run the following commands:

$ pip3 install --user https://github.com/nccgroup/ScoutSuite/archive/develop.zip
$ scout kubernetes

Background

NCC Group’s Container Orchestration Security Service (COSS) practice regularly conducts Kubernetes cluster configuration reviews spanning platform-managed Kubernetes clusters across different cloud platforms and self-hosted clusters.

As a first step, consultants delivering these assessments generally download target cluster resources for offline static analysis. To automate some of the more rote steps, we have several scripts and tools to batch together certain kubectl configuration gathering and analysis steps. These types of automations greatly increase the efficiency of an assessment, leaving more time for deeper manual review (and custom scripting), enabling overall greater depth and quality of coverage when assessing a cluster.

kubectl — and its raw output — is generally not that great to work with by itself. Additionally, from our use of open source Kubernetes security tooling, we have found the current overall tooling situation to be non-ideal, with most tooling spitting out text-based output to stdout and/or dot files for graphviz that must be rendered manually. To remedy this, we have been working to integrate our tooling and methodologies into Scout Suite, our open-source cloud environment scanner. This scanner has a mature output framework for reviewing environments efficiently.


Kubernetes Provider for Scout Suite (aka “Kubescout”)

Overall, the process for the static analysis phase of a Kubernetes cluster configuration review is similar to a cloud configuration review (e.g. for AWS, Azure, GCP, etc.), and Scout Suite already has a mature user interface for displaying most, if not all, resources pulled from a platform.

Thus the birth of Kubescout, a project to develop a Kubernetes cluster auditing feature integrated into Scout Suite.

How It Works

To audit a cluster, a kubeconfig file must be present on the file system that has Scout Suite installed. On a Linux host, the location is typically ~/.kube/config.

Using the cluster credentials, Kubescout first determines the cluster context and downloads all cluster resources from the cluster’s API endpoint; however, Kubescout will ensure that the actual values of Secrets are redacted before they are stored on disk. Additionally, if a supported cluster provider (currently EKS, GKE, and AKS) is given, it will also attempt to use the relevant platform credentials, if available, to download resources relevant to the cluster configuration review, such as control plane logging configurations.
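The redaction step described above matters because the downloaded resources end up on a consultant's disk. The following added example (not Scout Suite's own code) shows one way to do it over API-shaped objects: every key in `data` and `stringData` is kept so the reviewer still sees what the Secret contains, but every value is replaced before anything is written. It also redacts the `kubectl.kubernetes.io/last-applied-configuration` annotation, which `kubectl apply` fills with a full copy of the object, plaintext data included; the sample Secret, its dummy base64 values and the `persist` helper are all constructed for this illustration.

```python
import copy
import json
from pathlib import Path

# Constructed sample Secret in the shape the Kubernetes API returns (the base64
# values are dummies, not real credentials). The last-applied-configuration
# annotation is included because kubectl apply stores a full copy of the object
# there, data included, so it has to be redacted as well.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "db-creds",
        "namespace": "app",
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"apiVersion":"v1","kind":"Secret","data":{"password":"aHVudGVyMg=="}}',
            "team": "payments",
        },
    },
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "aHVudGVyMg=="},
    "stringData": {"note": "plaintext-field"},
}

SAMPLE_SECRET_LIST = {"apiVersion": "v1", "kind": "SecretList", "items": [SAMPLE_SECRET]}

REDACTED = "<redacted>"
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def redact_secret(secret: dict) -> dict:
    """Return a copy of a Secret with every value hidden but every key kept,
    so a reviewer still sees which keys exist without the secret material
    ever reaching disk. The caller's object is not mutated."""
    out = copy.deepcopy(secret)
    for field in ("data", "stringData"):
        values = out.get(field)
        if isinstance(values, dict):
            out[field] = {key: REDACTED for key in values}
    # kubectl apply keeps a serialized copy of the whole object here.
    annotations = out.get("metadata", {}).get("annotations") or {}
    if LAST_APPLIED in annotations:
        annotations[LAST_APPLIED] = REDACTED
    return out


def redact_resources(obj: dict) -> dict:
    """Redact a single Secret or every Secret inside a *List; other kinds pass
    through unchanged (copied, so nothing the caller holds is mutated)."""
    kind = obj.get("kind", "")
    if kind == "Secret":
        return redact_secret(obj)
    if kind.endswith("List"):
        out = copy.deepcopy(obj)
        out["items"] = [redact_resources(item) for item in obj.get("items", [])]
        return out
    return copy.deepcopy(obj)


def persist(obj: dict, path: Path) -> dict:
    """Redact first, then write: the unredacted object never touches the disk."""
    safe = redact_resources(obj)
    path.write_text(json.dumps(safe, indent=2))
    return safe


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "secrets.json"
        persist(SAMPLE_SECRET_LIST, target)
        print(target.read_text())
```

Redacting on the object before serialization, rather than post-processing the written file, is the design choice that matters: a crash or an exception between download and redaction then cannot leave plaintext material behind.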

After the relevant data is retrieved, it is aggregated and processed to be consumed by Scout Suite’s ruleset engine for finding generation and subsequently the user interface, which eventually becomes a static HTML page powered by custom Handlebars templates. No local web server is required to properly view the HTML page, although the addition of such functionality is part of Scout Suite’s own roadmap for improved performance and development flows.

With a graphical user interface, one can navigate resources more easily, identify issues more reliably and reduce the rate of false positives. For example, finding hard-coded secrets in ConfigMap objects is easier, and unnecessarily privileged subjects are easier to detect (courtesy of Iain Smart, the COSS practice lead).
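To make the two examples above concrete, here is an added illustration (not Scout Suite's actual ruleset) of the kind of check a ruleset engine runs over downloaded resources: one rule flags ConfigMap entries whose key name or value shape looks like credential material, the other flags ClusterRoleBindings that grant `cluster-admin` to anything other than the built-in `system:masters` group. The sample ConfigMaps and bindings are constructed, and the key-name and PEM heuristics are assumptions of this example rather than Scout Suite's rule definitions.

```python
import re

# Key names that commonly carry credentials, and a value shape (PEM private
# key) that is sensitive regardless of its key name. Both heuristics are
# assumptions of this example, not Scout Suite's actual rule definitions.
SUSPICIOUS_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample resources, not taken from any real cluster.
SAMPLE_CONFIGMAPS = [
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "app"},
     "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"}},
    {"kind": "ConfigMap", "metadata": {"name": "tls-material", "namespace": "app"},
     "data": {"tls.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"}},
    {"kind": "ConfigMap", "metadata": {"name": "clean", "namespace": "app"},
     "data": {"feature_flag": "on"}},
]

SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-editors"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]


def configmap_secret_findings(configmaps):
    """Flag ConfigMap entries that look like secrets.
    Returns (namespace, configmap name, key) tuples in resource order."""
    findings = []
    for cm in configmaps:
        meta = cm.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        for key, value in (cm.get("data") or {}).items():
            if SUSPICIOUS_KEY.search(key) or PEM_PRIVATE_KEY.search(str(value)):
                findings.append((ns, name, key))
    return findings


def cluster_admin_findings(bindings):
    """Flag ClusterRoleBindings that hand cluster-admin to anything other than
    the built-in system:masters group. Returns (binding name, subject) tuples."""
    findings = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subject in binding.get("subjects") or []:
            kind, name = subject.get("kind"), subject.get("name")
            if kind == "Group" and name == "system:masters":
                continue  # the default binding, present in every cluster
            if kind == "ServiceAccount":
                name = f"{subject.get('namespace', '')}/{name}"
            findings.append((binding["metadata"]["name"], f"{kind}:{name}"))
    return findings


if __name__ == "__main__":
    for finding in configmap_secret_findings(SAMPLE_CONFIGMAPS):
        print("possible secret in ConfigMap:", finding)
    for finding in cluster_admin_findings(SAMPLE_BINDINGS):
        print("cluster-admin granted to:", finding)
```

Each finding carries enough identity (namespace, object name, key or subject) for the UI to link back to the resource page, which is exactly what makes the graphical review faster than reading raw kubectl output: the reviewer jumps to the flagged object and decides in context whether it is a real issue.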


Kubescout additionally provides full support for custom resources, enabling review not only of their definitions (CRDs) but of the objects themselves, including for rule processing. This is important because the absence of obvious admission webhooks may belie the existence of an admission controller, which may otherwise be identified from the presence of custom resources.

Installation

Kubescout is currently enabled within the develop branch of the main Scout Suite repository. Users can clone and install the specific branch using the following commands. Installing the develop branch of Scout Suite in a virtual environment (e.g. virtualenv) is recommended as the branch is under active development.

$ # optionally use a virtualenv
$ virtualenv scoutsuite-develop
$ source scoutsuite-develop/bin/activate

$ # Scout Suite installation
$ git clone -b develop https://github.com/nccgroup/ScoutSuite.git
$ cd ScoutSuite
$ pip3 install .
$ scout kubernetes

Alternatively, you can also pip install the develop branch zip URL:

$ # optionally use a virtualenv
$ virtualenv scoutsuite-develop
$ source scoutsuite-develop/bin/activate

$ # Scout Suite installation
$ pip3 install https://github.com/nccgroup/ScoutSuite/archive/develop.zip
$ scout kubernetes

Usage

Kubescout uses several options to determine the cluster context for scanning:

--config-file KUBERNETES_CONFIG_FILE    Name of the kube-config file. By default, it will use Kubernetes’ default directory.
--context KUBERNETES_CONTEXT            Cluster context to scan. By default, current_context from config file will be used.
--do-not-persist-config                 If specified, config file will NOT be updated when changed (e.g. GCP token refresh).

Specifying the cluster provider can be done through -c or --cluster-provider. The following options are supported at the moment:

  • eks
  • gke
  • aks

To scan the cluster, use the kubernetes subcommand such as below:

scout kubernetes

Future Work

This initial release of Kubernetes support for Scout Suite is a feature preview providing a base subset of rules, including CIS Benchmarks rules, and core integrations for building out further Kubernetes security analyses and analysis UXs. We plan to continue our work on Kubescout and hope to introduce the following features in the future:

  • More rules for automatic issue detection, including for common third-party Kubernetes components
  • Better RBAC review UX
  • Data pagination for a smoother user experience
  • A dedicated (and off-by-default!) dynamic testing mode that can verify certain flagged issues

Conclusion

With this new Scout Suite functionality, we hope to ease the pain of anyone looking to gain some insight into the security posture of their cluster, or who simply wants to learn more about Kubernetes (and may be surprised to see what is in their cluster ;).

Scout Suite welcomes GitHub issues and pull requests. The --debug option can be used to print exceptions in detail during development. The -l option can be used to test custom Handlebars templates.

The project repository can be found at https://github.com/nccgroup/ScoutSuite.

Special Thanks

  • Iain Smart (for all the internal tools he wrote)
  • Jennifer Fernick (for approving the research)
  • Jeff Dileo (for overseeing the research)
  • Fernando Gallego Piñero and Ricardo Martin Rodríguez from the Scout Suite team (for answering so many of my Scout Suite questions)