README
¶
Kubeaudit can now be used as both a command line tool (CLI) and as a Go package!
kubeaudit ☁ 🔒 💪
kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various
different security concerns, such as:
- run as non-root
- use a read-only root filesystem
- drop scary capabilities, don't add new ones
- don't run privileged
- and more!
tldr. kubeaudit makes sure you deploy secure containers!
Package
To use kubeaudit as a Go package, see the package docs.
The rest of this README will focus on how to use kubeaudit as a command line tool.
Command Line Interface (CLI)
Installation
Download a binary
Kubeaudit has official releases that are blessed and stable: Official releases
DIY build
Master will have newer features than the stable releases. If you need a newer feature not yet included in a release you can do the following to get kubeaudit:
For go 1.12 and higher:
GO111MODULE=on go get -v github.com/Shopify/kubeaudit
For older versions of go:
git clone https://github.com/Shopify/kubeaudit.git
cd kubeaudit
make
make install
Start using kubeaudit with the Quick Start or view all the supported commands.
Kubectl Plugin
Prerequisite: kubectl v1.12.0 or later
With kubectl v1.12.0 introducing easy pluggability of external functions, kubeaudit can be invoked as kubectl audit by
- running
make pluginand having$GOPATH/binavailable in your path.
or
- renaming the binary to
kubectl-auditand having it available in your path.
Quick Start
kubeaudit has three modes:
- Manifest mode
- Local mode
- Cluster mode
Manifest Mode
If a Kubernetes manifest file is provided using the -f/--manifest flag, kubeaudit will audit the manifest file.
Example command:
kubeaudit all -f "/path/to/manifest.yml"
Example output:
$ kubeaudit all -f auditors/all/fixtures/audit_all_v1.yml
ERRO[0000] AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/fakeContainerSC' should be added. AuditResultName=AppArmorAnnotationMissing Container=fakeContainerSC MissingAnnotation=container.apparmor.security.beta.kubernetes.io/fakeContainerSC
ERRO[0000] Default serviceAccount with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. AuditResultName=AutomountServiceAccountTokenTrueAndDefaultSA
WARN[0000] Image tag is missing. AuditResultName=ImageTagMissing Container=fakeContainerSC
WARN[0000] Resource limits not set. AuditResultName=LimitsNotSet Container=fakeContainerSC
ERRO[0000] runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. It should be set to 'true' in at least one of the two. AuditResultName=RunAsNonRootPSCNilCSCNil Container=fakeContainerSC
ERRO[0000] allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'. AuditResultName=AllowPrivilegeEscalationNil Container=fakeContainerSC
WARN[0000] privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'. AuditResultName=PrivilegedNil Container=fakeContainerSC
ERRO[0000] readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'. AuditResultName=ReadOnlyRootFilesystemNil Container=fakeContainerSC
ERRO[0000] Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added. AuditResultName=SeccompAnnotationMissing MissingAnnotation=seccomp.security.alpha.kubernetes.io/pod
ERRO[0000] Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities. AuditResultName=CapabilityNotDropped Capability=AUDIT_WRITE Container=fakeContainerSC
ERRO[0000] Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities. AuditResultName=CapabilityNotDropped Capability=CHOWN Container=fakeContainerSC
...
Autofix
Manifest mode also supports autofixing all security issues using the autofix command:
kubeaudit autofix -f "/path/to/manifest.yml"
To write the fixed manifest to a new file instead of modifying the source file, use the -o/--output flag.
kubeaudit autofix -f "/path/to/manifest.yml" -o "/path/to/fixed"
Local Mode
If a kubeconfig file is provided using the -c/--kubeconfig flag, kubeaudit will audit the resources specified in the kubeconfig file. If no kubeconfig file is specified, $HOME/.kube/config is used by default:
kubeaudit all -c "/path/to/config"
For more information on kubernetes config files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
Cluster Mode
Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:
kubeaudit all
Commands
| Command | Description | Documentation |
|---|---|---|
all |
Runs all available auditors, or those specified using a kubeaudit config. | docs |
autofix |
Automatically fixes security issues. | docs |
Auditors
Auditors can also be run individually.
| Command | Description | Documentation |
|---|---|---|
apparmor |
Finds containers running without AppArmor. | docs |
asat |
Finds pods using an automatically mounted default service account | docs |
capabilities |
Finds containers that do not drop the recommended capabilities or add new ones. | docs |
hostns |
Finds containers that have HostPID, HostIPC or HostNetwork enabled. | docs |
image |
Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag. | docs |
limits |
Finds containers which exceed the specified CPU and memory limits or do not specify any. | docs |
mountds |
Finds containers that have docker socket mounted. | docs |
netpols |
Finds namespaces that do not have a default-deny network policy. | docs |
nonroot |
Finds containers running as root. | docs |
privesc |
Finds containers that allow privilege escalation. | docs |
privileged |
Finds containers running as privileged. | docs |
rootfs |
Finds containers which do not have a read-only filesystem. | docs |
seccomp |
Finds containers running without Seccomp. | docs |
Global Flags
| Short | Long | Description |
|---|---|---|
| -j | --json | Output audit results in JSON |
| -c | --kubeconfig | Path to local Kubernetes config file. Only used in local mode (default is $HOME/.kube/config) |
| -f | --manifest | Path to the yaml configuration to audit. Only used in manifest mode. |
| -n | --namespace | Only audit resources in the specified namespace. Only used in cluster mode. |
| -m | --minseverity | Set the lowest severity level to report (one of "ERROR", "WARN", "INFO") (default "INFO") |
Configuration File
Kubeaudit can be used with a configuration file instead of flags. See the all command.
Override Errors
Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce WARN results instead of ERROR results. The labels are documented in each auditor's documentation, but the general format for auditors that support overrides is as follows:
An override label consists of a key and a value.
The key is a combination of the override type (container or pod) and an override identifier which is unique to each auditor (see the docs for the specific auditor). The key can take one of two forms depending on the override type:
- Container overrides, which override the auditor for that specific container, are formatted as follows:
container.audit.kubernetes.io/[container name].[override identifier]
- Pod overrides, which override the auditor for all containers within the pod, are formatted as follows:
audit.kubernetes.io/pod.[override identifier]
If the value is set to a non-empty string, it will be displayed in the WARN result as the OverrideReason:
WARN[0000] ... AuditResultName=DockerSocketMounted OverrideReason=AppNeedsAccessToDocker
As per Kubernetes spec, value must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between.
Multiple override labels (for multiple auditors) can be added to the same resource.
See the specific auditor docs for the auditor you wish to override for examples.
To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
CI/CD usage
kubeaudit will return exit code 2 whenever any errors are being found, so it can stop your pipeline.
If you do not want this to happen, run it as kubeaudit all || true
Contributing
If you'd like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our Code of Conduct.
- Create your own fork!
- Get the source:
go get github.com/Shopify/kubeaudit - Go to the source:
cd $GOPATH/src/github.com/Shopify/kubeaudit - Add your forked repo as a fork:
git remote add fork https://github.com/you-are-awesome/kubeaudit - Create your feature branch:
git checkout -b awesome-new-feature - Install Kind
- Run the tests to see everything is working as expected:
make test(to run tests without Kind:USE_KIND=false make test) - Commit your changes:
git commit -am 'Adds awesome feature' - Push to the branch:
git push fork - Sign the Contributor License Agreement
- Submit a PR (All PR must be labeled with 🐛 (Bug fix), ✨ (New feature), 📖 (Documentation update), or ⚠ (Breaking changes) )
- ???
- Profit
Note that if you didn't sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says "I've signed the CLA!"!
Documentation
¶
Overview ¶
Package kubeaudit provides methods to find and fix security issues in Kubernetes resources.
Modes ¶
Kubeaudit supports three different modes. The mode used depends on the audit method used.
1. Manifest mode: Audit a manifest file
2. Local mode: Audit resources in a local kubeconfig file
3. Cluster mode: Audit resources in a running cluster (kubeaudit must be invoked from a container within the cluster)
In manifest mode, kubeaudit can automatically fix security issues.
Follow the instructions below to use kubeaudit:
First initialize the security auditors ¶
The auditors determine which security issues kubeaudit will look for. Each auditor is responsible for a different security issue. For an explanation of what each auditor checks for, see https://github.com/Shopify/kubeaudit#auditors.
To initialize all available auditors:
import "github.com/Shopify/kubeaudit/auditors/all"
auditors, err := all.Auditors(config.KubeauditConfig{})
Or, to initialize specific auditors, import each one:
import (
"github.com/Shopify/kubeaudit/auditors/apparmor"
"github.com/Shopify/kubeaudit/auditors/image"
)
auditors := []kubeaudit.Auditable{
apparmor.New(),
image.New(image.Config{Image: "myimage:mytag"}),
}
Initialize Kubeaudit ¶
Create a new instance of kubeaudit:
kubeAuditor, err := kubeaudit.New(auditors)
Run the audit ¶
To run the audit in manifest mode:
import "os"
manifest, err := os.Open("/path/to/manifest.yaml")
if err != nil {
...
}
report, err := kubeAuditor.AuditManifest(manifest)
Or, to run the audit in local mode:
report, err := kubeAuditor.AuditLocal("/path/to/kubeconfig.yml")
Or, to run the audit in cluster mode (pass it a namespace name as a string to only audit resources in that namespace, or an empty string to audit resources in all namespaces):
report, err := auditor.AuditCluster("")
Get the results ¶
To print the results in a human readable way:
report.PrintResults(os.Stdout, kubeaudit.Info, nil)
Or, to get the result objects:
results := report.Results()
Autofix ¶
Note that autofixing is only supported in manifest mode.
To print the plan (what will be fixed):
report.PrintPlan(os.Stdout)
To automatically fix the security issues and print the fixed manifest:
err = report.Fix(os.Stdout)
Override Errors ¶
Overrides can be used to ignore specific auditors for specific containers or pods. See the documentation for the specific auditor you wish to override at https://github.com/Shopify/kubeaudit#auditors.
Custom Auditors ¶
Kubeaudit supports custom auditors. See the Custom Auditor example.
Example ¶
Example shows how to audit and fix a Kubernetes manifest file
package main
import (
"fmt"
"os"
"strings"
"github.com/Shopify/kubeaudit"
"github.com/Shopify/kubeaudit/auditors/all"
"github.com/Shopify/kubeaudit/config"
log "github.com/sirupsen/logrus"
)
func main() {
// A sample Kubernetes manifest file
manifest := `
apiVersion: apps/v1
kind: Deployment
metadata:
name: myAuditor
spec:
template:
spec:
containers:
- name: myContainer
`
// Initialize all the security auditors using default configuration
allAuditors, err := all.Auditors(config.KubeauditConfig{})
if err != nil {
log.Fatal(err)
}
// Initialize kubeaudit
auditor, err := kubeaudit.New(allAuditors)
if err != nil {
log.Fatal(err)
}
// Run the audit in manifest mode
report, err := auditor.AuditManifest(strings.NewReader(manifest))
if err != nil {
log.Fatal(err)
}
// Print the audit results to screen
report.PrintResults(os.Stdout, kubeaudit.Error, nil)
// Print the plan to screen. These are the steps that will be taken by calling "report.Fix()".
fmt.Println("\nPlan:")
report.PrintPlan(os.Stdout)
// Print the fixed manifest to screen. Note that this leaves the original manifest unmodified.
fmt.Println("\nFixed manifest:")
err = report.Fix(os.Stdout)
if err != nil {
log.Fatal(err)
}
}
Example (AuditCluster) ¶
ExampleAuditCluster shows how to run kubeaudit in cluster mode (only works if kubeaudit is being run from a container insdie of a cluster)
package main
import (
"os"
"github.com/Shopify/kubeaudit"
"github.com/Shopify/kubeaudit/auditors/all"
"github.com/Shopify/kubeaudit/config"
"github.com/Shopify/kubeaudit/internal/k8s"
log "github.com/sirupsen/logrus"
)
func main() {
// Initialize all the security auditors using default configuration
allAuditors, err := all.Auditors(config.KubeauditConfig{})
if err != nil {
log.Fatal(err)
}
// Initialize kubeaudit
auditor, err := kubeaudit.New(allAuditors)
if err != nil {
log.Fatal(err)
}
// Run the audit in cluster mode. Note this will fail if kubeaudit is not running within a cluster.
report, err := auditor.AuditCluster(k8s.ClientOptions{})
if err != nil {
log.Fatal(err)
}
// Print the audit results to screen
report.PrintResults(os.Stdout, kubeaudit.Info, nil)
}
Example (AuditLocal) ¶
ExampleAuditLocal shows how to run kubeaudit in local mode
package main
import (
"os"
"github.com/Shopify/kubeaudit"
"github.com/Shopify/kubeaudit/auditors/all"
"github.com/Shopify/kubeaudit/config"
"github.com/Shopify/kubeaudit/internal/k8s"
log "github.com/sirupsen/logrus"
)
func main() {
// Initialize all the security auditors using default configuration
allAuditors, err := all.Auditors(config.KubeauditConfig{})
if err != nil {
log.WithError(err).Fatal("Error initializing all auditors")
}
// Initialize kubeaudit
auditor, err := kubeaudit.New(allAuditors)
if err != nil {
log.Fatal(err)
}
// Run the audit in local mode
report, err := auditor.AuditLocal("", k8s.ClientOptions{})
if err != nil {
log.Fatal(err)
}
// Print the audit results to screen
report.PrintResults(os.Stdout, kubeaudit.Info, nil)
}
Example (AuditorSubset) ¶
ExampleAuditorSubset shows how to run kubeaudit with a subset of auditors
// Initialize the auditors you want to use
auditor, err := kubeaudit.New([]kubeaudit.Auditable{
apparmor.New(),
image.New(image.Config{Image: "myimage:mytag"}),
})
if err != nil {
log.Fatal(err)
}
// Run the audit in the mode of your choosing. Here we use manifest mode.
report, err := auditor.AuditManifest(strings.NewReader(manifest))
if err != nil {
log.Fatal(err)
}
// Print the audit results to screen
report.PrintResults(os.Stdout, kubeaudit.Info, &log.JSONFormatter{})
Example (Config) ¶
ExampleConfig shows how to use a kubeaudit with a config file. A kubeaudit config can be used to specify which security auditors to run, and to specify configuration for those auditors.
configFile := "config/config.yaml"
// Open the configuration file
reader, err := os.Open(configFile)
if err != nil {
log.WithError(err).Fatal("Unable to open config file ", configFile)
}
// Load the config
conf, err := config.New(reader)
if err != nil {
log.WithError(err).Fatal("Error parsing config file ", configFile)
}
// Initialize security auditors using the configuration
auditors, err := all.Auditors(conf)
if err != nil {
log.Fatal(err)
}
// Initialize kubeaudit
auditor, err := kubeaudit.New(auditors)
if err != nil {
log.Fatal(err)
}
// Run the audit in the mode of your choosing. Here we use manifest mode.
report, err := auditor.AuditManifest(strings.NewReader(manifest))
if err != nil {
log.Fatal(err)
}
// Print the audit results to screen
report.PrintResults(os.Stdout, kubeaudit.Error, nil)
Example (CustomAuditor) ¶
ExampleCustomAuditor shows how to use a custom auditor
package main
import (
"fmt"
"os"
"strings"
"github.com/Shopify/kubeaudit"
"github.com/Shopify/kubeaudit/k8stypes"
log "github.com/sirupsen/logrus"
)
func NewCustomAuditor() kubeaudit.Auditable {
return &myAuditor{}
}
// Your auditor must implement the Auditable interface, which requires only one method: Audit().
type myAuditor struct{}
// The Audit function takes in a resource to audit and returns audit results for that resource.
//
// Params
//
// resource: Read-only. The resource to audit.
// resources: Read-only. A reference to all resources. Can be used for context.
//
// Return
//
// auditResults: The results for the audit. Each result can optionally include a PendingFix object to
// define autofix behaviour (see below).
func (a *myAuditor) Audit(resource k8stypes.Resource, _ []k8stypes.Resource) ([]*kubeaudit.AuditResult, error) {
return []*kubeaudit.AuditResult{
{
Name: "MyAudit",
Severity: kubeaudit.Error,
Message: "My custom error",
PendingFix: &myAuditorFix{
newVal: "bye",
},
},
}, nil
}
// To provide autofix behaviour for an audit result, implement the PendingFix interface. The PendingFix interface
// has two methods: Plan() and Apply().
type myAuditorFix struct {
newVal string
}
// The Plan method explains what fix will be applied by Apply().
//
// Return
//
// plan: A human-friendly explanation of what Apply() will do
func (f *myAuditorFix) Plan() string {
return fmt.Sprintf("Set label 'hi' to '%s'", f.newVal)
}
// The Apply method applies a fix to a resource.
//
// Params
//
// resource: A reference to the resource that should be fixed.
//
// Return
//
// newResources: New resources created as part of the fix. Generally, it should not be necessary to create
// new resources, only modify the passed in resource.
func (f *myAuditorFix) Apply(resource k8stypes.Resource) []k8stypes.Resource {
setLabel(resource, "hi", f.newVal)
return nil
}
// This is just a helper function
func setLabel(resource k8stypes.Resource, key, value string) {
switch kubeType := resource.(type) {
case *k8stypes.PodV1:
kubeType.Labels[key] = value
case *k8stypes.DeploymentV1:
kubeType.Labels[key] = value
}
}
// A sample Kubernetes manifest file
var manifest = `
apiVersion: apps/v1
kind: Deployment
metadata:
name: myAuditor
spec:
template:
spec:
containers:
- name: myContainer
`
// ExampleCustomAuditor shows how to use a custom auditor
func main() {
// Initialize kubeaudit with your custom auditor
auditor, err := kubeaudit.New([]kubeaudit.Auditable{NewCustomAuditor()})
if err != nil {
log.Fatal(err)
}
// Run the audit in the mode of your choosing. Here we use manifest mode.
report, err := auditor.AuditManifest(strings.NewReader(manifest))
if err != nil {
log.Fatal(err)
}
// Print the results to screen
report.PrintResults(os.Stdout, kubeaudit.Info, nil)
}
Index ¶
- Constants
- type AuditResult
- type Auditable
- type KubeResource
- type Kubeaudit
- type Metadata
- type Option
- type PendingFix
- type Report
- func (r *Report) Fix(writer io.Writer) error
- func (r *Report) HasErrors() (errorsFound bool)
- func (r *Report) PrintPlan(writer io.Writer)
- func (r *Report) PrintResults(writer io.Writer, minSeverity int, formatter log.Formatter)
- func (r *Report) RawResults() []Result
- func (r *Report) Results() []Result
- type Result
Examples ¶
Constants ¶
const ( // Info is used for informational audit results where no action is required Info = iota // Warn is used for audit results where there may be security concerns. If an auditor is disabled for a resource // using an override label, the audit results will be warnings instead of errors. Kubeaudit will NOT attempt to // fix these Warn // Error is used for audit results where action is required. Kubeaudit will attempt to fix these Error )
AuditResult severity levels. They also correspond to log levels
const ErrorUnsupportedResource = "Unsupported resource"
ErrorUnsupportedResource occurs when Kubeaudit doesn't know how to audit the resource
const RedundantAuditorOverride = "RedundantAuditorOverride"
RedundantAuditorOverride is the audit result name given when an override label is used to disable an auditor, but that auditor found no security issues so the label is redundant
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuditResult ¶
type AuditResult struct {
Name string // Name uniquely identifies a type of audit result
Severity int // Severity is one of Error, Warn, or Info
Message string // Message is a human-readable description of the audit result
PendingFix PendingFix // PendingFix is the fix that will be applied to automatically fix the security issue
Metadata Metadata // Metadata includes additional context for an audit result
}
AuditResult represents a potential security issue. There may be multiple AuditResults per resource and audit
func (*AuditResult) Fix ¶
func (result *AuditResult) Fix(resource k8stypes.Resource) (newResources []k8stypes.Resource)
func (*AuditResult) FixPlan ¶
func (result *AuditResult) FixPlan() (ok bool, plan string)
type Auditable ¶
type Auditable interface {
Audit(resource k8stypes.Resource, resources []k8stypes.Resource) ([]*AuditResult, error)
}
Auditable is an interface which is implemented by auditors
type KubeResource ¶
type KubeResource interface {
// Object is a pointer to a Kubernetes resource. The resource may be modified by multiple auditors
Object() k8stypes.Resource
// Bytes is the original byte representation of the resource
Bytes() []byte
}
KubeResource is a wrapper around a Kubernetes object
type Kubeaudit ¶
type Kubeaudit struct {
// contains filtered or unexported fields
}
Kubeaudit provides functions to audit and fix Kubernetes manifests
func (*Kubeaudit) AuditCluster ¶
func (a *Kubeaudit) AuditCluster(options k8s.ClientOptions) (*Report, error)
AuditCluster audits the Kubernetes resources found in the cluster in which Kubeaudit is running
func (*Kubeaudit) AuditLocal ¶
AuditLocal audits the Kubernetes resources found in the provided Kubernetes config file
type Option ¶
Option is used to specify the behaviour of Kubeaudit Auditor
func WithLogger ¶
WithLogger specifies the log formatter to use
type PendingFix ¶
type PendingFix interface {
// Plan returns a human-readable description of what Apply() will do
Plan() string
// Apply applies the proposed fix to the resource and returns any new resources that were created. Note that
// Apply is expected to modify the passed in resource
Apply(k8stypes.Resource) []k8stypes.Resource
}
PendingFix includes the logic to automatically fix the issues caught by auditing
type Report ¶
type Report struct {
// contains filtered or unexported fields
}
Report contains the results after auditing
func (*Report) Fix ¶
Fix tries to automatically patch any security concerns and writes the resulting manifest to the provided writer. Only applies when audit was performed on a manifest (not local or cluster)
func (*Report) HasErrors ¶ added in v0.10.0
HasErrors returns true if any findings have the level of Error
func (*Report) PrintPlan ¶
PrintPlan writes the actions that will be performed by the Fix() function in a human-readable way to the provided writer. Only applies when audit was performed on a manifest (not local or cluster)
func (*Report) PrintResults ¶
PrintResults writes the audit results with a severity greater than or matching minSeverity in a human-readable way to the provided writer
func (*Report) RawResults ¶
RawResults returns all of the results for each Kubernetes resource, including ones that had no audit results. Generally, you will want to use Results() instead.
type Result ¶
type Result interface {
GetResource() KubeResource
GetAuditResults() []*AuditResult
}
Result contains the audit results for a single Kubernetes resource
Source Files
Directories