
The main aim of this page is to compare the existing K8s security tests with the Kubescape tool, which was developed according to the NSA recommendations.


Integration security tests are deployed by the integration teams (some of the tests are developed internally).


Security Tests

| Tests | Description | Code | Comments |
|---|---|---|---|
| root_pods | check that pods are not using the root user or started as root | bash script | kubectl |
| unlimitted_pods | check that limits are set for pods | bash script | kubectl |
| cis_kubernetes | perform the k8s CIS test suite (upstream src aquasecurity) | bash script | kube-bench |
| nonssl_endpoints | check that all public HTTP endpoints exposed in the ONAP cluster use SSL tunnels | Go script | kubectl, nmap |
| http_public_endpoints | check that there are no public HTTP endpoints exposed in the ONAP cluster | bash script | kubectl, nmap |
| jdpw_ports | check that there are no internal Java ports | bash script | kubectl, procfs |
| kube_hunter | security suite to search for k8s vulnerabilities (upstream src aquasecurity) | kube-hunter | kube-hunter |
| versions | check that Java and Python are available only in versions recommended by SECCOM. This test is long and runs only in weekly CI chains | python module | cerberus, kubernetes python lib |
| tern | check the component licenses within the ONAP dockers | bash script | kubectl |
The outcome allows some failures to be accepted (waived), which raises the resulting score (the target is 100%).
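To make the root_pods and unlimitted_pods rows concrete, here is an added example (not one of the ONAP integration scripts, which are bash plus kubectl) that runs the same two checks in Python over the JSON that `kubectl get pods -A -o json` returns, and then computes a pass score with the waiver mechanism the outcome sentence describes. It works at manifest level only: a container counts as "root" when neither the pod nor the container securityContext proves it runs unprivileged (container settings override pod settings, as in the Kubernetes API), and as "unlimited" when a CPU or memory limit is missing. The pod list, namespace and pod names are constructed for the example; how the real scripts detect the effective user (for instance via the image's USER directive) is not shown on the page and is not assumed here.

```python
"""Manifest-level versions of the root_pods and unlimitted_pods checks.

Reads a pod list in the shape of `kubectl get pods -A -o json`, reports
containers that are not demonstrably non-root or that lack CPU/memory limits,
and computes a pass score with optional waivers for accepted failures.
"""
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` output;
# namespace, pod and container names are hypothetical.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {   # pod-level runAsNonRoot and full limits: passes both checks
            "metadata": {"namespace": "onap", "name": "good-pod"},
            "spec": {
                "securityContext": {"runAsNonRoot": True},
                "containers": [{
                    "name": "app",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                }],
            },
        },
        {   # no securityContext at all: nothing proves it is not root
            "metadata": {"namespace": "onap", "name": "root-pod"},
            "spec": {
                "containers": [{
                    "name": "legacy",
                    "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
                }],
            },
        },
        {   # pod runs as UID 1000, but the sidecar overrides it with UID 0
            "metadata": {"namespace": "onap", "name": "nolimit-pod"},
            "spec": {
                "securityContext": {"runAsUser": 1000},
                "containers": [
                    {"name": "worker"},  # no resources block at all
                    {"name": "sidecar",
                     "securityContext": {"runAsUser": 0},
                     "resources": {"limits": {"memory": "64Mi"}}},  # no cpu limit
                ],
            },
        },
    ],
}

REQUIRED_LIMITS = ("cpu", "memory")


def _iter_containers(pod_list):
    """Yield (namespace/pod/container, pod securityContext, container spec)."""
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext", {})
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            ref = f"{meta['namespace']}/{meta['name']}/{container['name']}"
            yield ref, pod_sc, container


def _runs_as_root(pod_sc, container_sc):
    """True unless the manifest shows the container runs as a non-root user.

    An explicit runAsUser decides (0 is root, anything else is not); otherwise
    runAsNonRoot must be set, because the kubelet then refuses UID 0 at start.
    """
    run_as_user = container_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_user is not None:
        return run_as_user == 0
    return not container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))


def find_root_containers(pod_list):
    """root_pods: containers not demonstrably running as a non-root user."""
    return [ref for ref, pod_sc, c in _iter_containers(pod_list)
            if _runs_as_root(pod_sc, c.get("securityContext", {}))]


def find_unlimited_containers(pod_list):
    """unlimitted_pods: containers missing a CPU or memory limit."""
    findings = []
    for ref, _pod_sc, c in _iter_containers(pod_list):
        limits = c.get("resources", {}).get("limits", {})
        if any(key not in limits for key in REQUIRED_LIMITS):
            findings.append(ref)
    return findings


def pass_score(pod_list, waived=frozenset()):
    """Percentage of containers with no unwaived finding (target: 100.0)."""
    refs = [ref for ref, _, _ in _iter_containers(pod_list)]
    failing = set(find_root_containers(pod_list)) | set(find_unlimited_containers(pod_list))
    failing -= set(waived)
    return round(100.0 * (len(refs) - len(failing)) / len(refs), 1) if refs else 100.0


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python check_pods.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    print("root containers:", find_root_containers(data))
    print("unlimited containers:", find_unlimited_containers(data))
    print("score:", pass_score(data), "%")
```

Run it without input to see the constructed sample scored (25.0%), or pipe a real pod list into it; passing a set of container references as `waived` reproduces the "accepted failures" behaviour, so waiving `onap/root-pod/legacy` lifts the sample's score to 50.0%.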




Kubescape is the first open-source tool for testing whether Kubernetes is deployed securely according to multiple frameworks: regulatory, customized company policies and DevSecOps best practices such as the NSA-CISA guidance and MITRE ATT&CK®.
Kubescape scans K8s clusters, YAML files and Helm charts, detects misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline, and provides an instant risk score and risk trends over time. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and GitHub workflows.

https://github.com/armosec/kubescape