paint-brush
Scan Kubernetes RBAC with Kubescape and Kubiscanby@viachaslaumatsukevich
1,862 reads
1,862 reads

Scan Kubernetes RBAC with Kubescape and Kubiscan

by Viachaslau MatsukevichNovember 2nd, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Scanning Kubernetes RBAC with Kubiscan; Install and configure Kubescape custom framework to scan RBAC related parameters. Exploring RBAC Visualizer queries.

Company Mentioned

Mention Thumbnail
featured image - Scan Kubernetes RBAC with Kubescape and Kubiscan
Viachaslau Matsukevich HackerNoon profile picture


Role-based access control (RBAC) in general is an approach to restricting system access to authorized users. Kubernetes role-based access control system is considered to be complex and hard to digest by many technology professionals. In the following article, we are going to explore Kubernetes ecosystem tools like Kubiscan and Kubescape that helps Cybersecurity professional and Kubernetes administrators to scan and evaluate RBAC. In the following scenarios, we will deploy the Google Kubernetes Engine GKE cluster and analyze its role-based access control by KubiScan and Kubescape.


Prerequisites

In the following scenario we will use Google Cloud and its managed Kubernetes cluster. However, you can scan RBAC model of any Kubernetes cluster using Linux machine with kubectl access to the cluster.

  • GCP account
  • Enable API for Google Kubernetes Engine APIs

Create a GKE cluster

For deployment of the cluster, we will use cloud shell and gcloud cli. Set up project ID for gcloud cli:

gcloud config set project PROJECT_ID

Following command will create cluster in the us-west1 region:

gcloud container clusters create-auto my-test-cluster \
    --region=us-west1


It should take a few minutes to spin up the cluster

Configure kubectl access with the following command:

gcloud container clusters get-credentials my-test-cluster  \
    --region us-west1


you can check GKE access by running kubectl commands



KubiScan

KubiScan is the open-source tool for scanning Kubernetes clusters for risky permissions in K8s RBAC (role-based access control) authorization model. KubiScan was created and maintained by CyberArk.


Installation

It can be run using a docker container or as a python script. For this tutorial, we will use Python3. On your Linux machine, run the following commands to install KubiScan prerequisites:

apt-get update  
apt-get install -y python3 python3-pip 
pip3 install -r requirements.txt  

For convenience, you can set up an alias to run the kubiscan python script:

alias kubiscan='python3 /<KubiScan_folder>/KubiScan.py'

If you want the alias to persist, add it to the .bashrc or .profile file in your user's home directory.

Scan

With KubiScan we can search for pods with privileged accounts:

kubiscan -rp

kubiscan -rp

In the output we can see gmp-operator pod in the gke-gmp-system namespace is marked with CRITICAL priority.

The following command will list risky subjects in your cluster:

kubiscan -rs

kubiscan -rs

To get information about all privileged Pods\Containers running in your Kubernetes cluster, run the following command:

kubiscan --privleged-pods


To get as much information as possible, you can run the kubiscan --all command. It will output “Risky Containers”, “Risky Users”, “Risky Roles and ClusterRoles”, “Risky RoleBindings and ClusterRoleBindings” tables.

kubiscan --all


kubiscan --all

KubiScan also allows you to list all pods with access to secret data through a Volume or environment variables:

kubiscan --pods-secrets-env
kubiscan -psv

You can find many more useful KubiScan commands in the “help” menu:

kubiscan -h

How KubiScan works

In the KubiScan repository, you can find the risky_roles.yaml file that contains opinionated templates for risky roles with priorities. KubiScan checks if the cluster roles match the rules from the risky role and mark it accordingly in the output spreadsheet.

You can modify the file to add\remove role templates that would be more appropriate in your environment.


Kubescape

Kubescape is an open-source swiss tool that provides RBAC visualizer, image vulnerability scanning risk analysis, and security compliance. Kubescape can detect RBAC violations, software vulnerabilities, and misconfigurations at the early stages of the CI/CD pipeline calculates risk score instantly and shows risk trends over time. It has native integrations with DevOps tools like CircleCi, Jenkins, GitLab CI\CD, GitHub Actions, etc. Kubescape was built and maintained by ARMO.

Kubescape has comprehensive docs available here


Installation

There are a few ways you can install Kubescape on Linux:


It is also available on Mac and Windows.


To quickly setup KubeScape on Linux with the install script, run the following command:

curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash


Scan

With the Kubescape ready, we can go ahead and scan the cluster:

kubescape scan


kubescape scan

Kubescape assess your cluster by different parameters, not only role based access control. You can see which control passed and failed. It will also demonstrate which resource failed in each test


In terms of RBAC, Kubescape helps simplifying Kubernetes role base access control

complexity by providing a visual graph that shows the RBAC configuration in your K8s cluster. There are lots of built-in queries of useful things you need to be aware of in your RBAC configuration available out of the box.

To use the Kubescape RBAC visualizer, you need to set up a free Kubescape Cloud Platform account. All scan results can be submitted to the platform.

Kubescape Cloud

Once you create the account, you can navigate to the “RBAC visualizer” in the left menu and copy the account ID. By running a scan with the account ID parameter, it will send all scan results to the Cloud Platform.

kubescape scan --submit --account=[account-id]

If you want to use just RBAC visualizer capabilities, and send only RBAC-related data, you can use the command below:

kubescape submit rbac --account [account-id]


In the Kubescape Cloud, navigate to the “RBAC Visualizer“ on the left menu. In the pop-up menu select your k8s cluster. After that, you should be able to see your cluster RBAC visualized.


RBAC Visualizer



RBAC Visualizer zoomed

You can change the view using built-in queries and select “layout by type”:

Group by verbs:

The following built-in query can show “who-can exec into pods”:

If you don’t want your scan results to be submitted to ARMO, you should add --keep-local

flag if you used the --submit command before. This way you can get output printed in the console. Scan results can also be outputted in JSON, PDF, HTML, and many other formats, which is really convenient for CI\CD pipelines and automation.


Kubescape custom framework

Kubescape allows you to scan your cluster against popular frameworks like NSA, MITRE, CIS, and others. It also allows you to create your custom framework. There are tens of controls available to be used in any framework. Each control tests a certain aspect of the cluster.


We can set up a custom framework that will check only RBAC-related things. To do that, navigate to the Configuration scanning in the left menu, select “Frameworks”, and click on “Customize your own Framework”.

Specify “Framework Name”. Then, search and select RBAC-related controls using the “Search” section. Once ready, click “Apply”.


Custom framework

Once the custom RBAC framework is set up in the cloud platform, we can run a scan using kubescape cli:

kubescape scan framework rbac

kubescape scan framework rbac

Each line in the spreadsheet represents control. In the “Failed resources” column, you can see the amount of failed resources.


Remediation and link to the documentation could be found in the console output if you add the--verbose flag.

kubescape scan framework rbac -v

kubescape scan framework rbac -v

In the output, you can see the URL which will redirect you to the scan result in the Kubescape Cloud.


Configuration scanning results of the scan in the Kubescape cloud

You can see the suggested remediation action in the “Remediation” column. In the “Resources” section, you will see a list of all your cluster resources.

Resources view in the Configuration Scanning

If you click on the small “tool” icon at the right of the “EndpointSlice” line, it will redirect to the YAML definition of the resource with highlighted lines that failed the control. In this example, CIS-5.7.4 control complaining about the default namespace.

YAML definition of the K8s resource with potential issue highlighted

As you can see, Kubescape provides really detailed suggested remediation action along with additional documentation to make a weighted decision about the risk it found.

Summary

We explored 2 instruments that could be used by Kubernetes Administrators or Cyber security professionals to analyze and assess the role-based access control (RBAC) of the Kubernetes cluster. KubiScan is a dedicated tool for RBAC analysis that could be easily customizable using risky_roles.yaml file. On the other hand, we have Kubescape which provides a much more comprehensive analysis of the K8s cluster beside RBAC with a fancy Kubescape cloud platform and RBAC visualizer. Kubescape got a bigger community and is better maintained, it has integration with different platforms and popular DevOps tools.


From my perspective, Kubescape is the go-to tool for assessing the Kubernetes cluster and understanding its role-based access control. However, if you only need to scan the K8s RBAC model against a particular template or rule without anything else, you should try KubiScan.