apiVersion: v1 kind: Namespace metadata: name: kube-scan --- apiVersion: v1 kind: ConfigMap metadata: name: kube-scan namespace: kube-scan labels: app: kube-scan data: risk-config.yaml: | expConst: 9 impactConst: 4 attackVector: remote: 0.85 local: 0.55 exploitability: high: 0.54 moderate: 0.4 low: 0.1 veryLow: 0.05 scopeFactor: none: 0.25 host: 1 cluster: 1 ciaScore: high: 0.56 low: 0.22 none: 0 riskCategory: min: 0 low: 3 medium: 6 max: 10 individualRiskCategory: min: 0 low: 3 medium: 5 max: 10 basic: - name: "privileged" title: "Workload is privileged" shortDescription: "Processes inside a privileged containers get full access to the host" description: "Processes inside a privileged container will have full access to the host, which means any third-party library or malicious program can compromise the host. As a result, the compromised host could be used to compromise the entire cluster" confidentiality: "High" confidentialityDescription: "Privileged containers may have the option to read and modify any application, such as Docker, Kubernetes, etc" integrity: "Low" integrityDescription: "Processes inside a privileged container get full access to the host. This means a malicious program or third-party library can compromise the host and the entire cluster" availability: "Low" availabilityDescription: "Processes inside a privileged container may have the ability to modify or stop Kubernetes, Docker and other applications" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsPrivileged" - name: "runningAsRoot" title: "Workload may have containers running as root" shortDescription: "Processes in container running as root may be able to escape their container" description: "Workload does not specify a non-root user for its containers to run as and does not specify runAsNonRoot. Processes inside a container running as root may be able to escape that container and perform malicious actions on the host - basically giving them complete control over the host and the ability to compromise the entire cluster" confidentiality: "High" confidentialityDescription: "Root processes that can escape the container have the ability to read secrets from Kubernetes, Docker and other applications" integrity: "Low" integrityDescription: "Processes in a container running as root may be able to escape their container and perform malicious actions on the host" availability: "Low" availabilityDescription: "Root processes that can escape the container have the ability to modify or stop Kubernetes, Docker and other applications" exploitability: "Low" attackVector: "Local" scope: "Host" handler: "IsRunningAsRoot" - name: "AllowPrivilegeEscalation" shortDescription: "Privilege escalation allows programs inside the container to run as root" description: "Privilege escalation allows programs inside the container to run as root, even if the main process is not root, which can give those programs control over that container, host and even cluster" title: "Workload allows privilege escalation" confidentiality: "Low" confidentialityDescription: "Root processes that can escape the containers have the ability to read secrets from Kubernetes, Docker and other applications" integrity: "Low" integrityDescription: "Processes in a container running as root may be able to escape their container and perform malicious actions on the host" availability: "Low" availabilityDescription: "Root processes that can escape the containers have the ability to modify or stop Kubernetes, Docker and other applications" exploitability: "VeryLow" attackVector: "Local" scope: "Host" handler: "IsPrivilegedEscalation" - name: "CapNetRaw" title: "Workload has a container(s) with NET_RAW capability" shortDescription: "NET_RAW capability enables ARP spoofing from the container\nNET_RAW capability enables the container to craft malicious raw packet" description: "The capability NET_RAW allows the container to craft any packet, including malformed or malicious packets" confidentiality: "High" confidentialityDescription: "This capability enables ARP spoofing from the container, which means UDP packets can be sent with a forged source IP, etc. This enables the container to perform Man-in-the-Middle (MitM) attacks on the host network" integrity: "None" integrityDescription: "" availability: "Low" availabilityDescription: "This capability enables the container to craft malicious raw packet, such as Ping of Death" exploitability: "Low" attackVector: "Local" scope: "Cluster" handler: "IsCapNetRaw" - name: "WritableFileSystem" title: "Workload has a container(s) with writable file system" shortDescription: "Writable File System allows the persistence of threats" description: "A writable file system allows files within the container to be changed. This means a malicious process inside the container can use a writable file system to store or manipulate data inside the container" confidentiality: "None" confidentialityDescription: "" integrity: "Low" integrityDescription: "This allows malicious processes to write data to disk, making it easier to drop and execute external malicious code" availability: "None" availabilityDescription: "" exploitability: "Moderate" attackVector: "Local" scope: "None" handler: "IsWritableFileSystem" - name: "UnmaskedProcMount" title: "Workload exposes unsafe parts of /proc" shortDescription: "Full access to /proc can reveal information about the host and other containers\n/proc/sys allows a privileged user to change the kernel parameters are runtime" description: "A container with full access (unmasked) to the host’s /proc command is able to retrieve information about all the activities and users on that host. /proc/sys allows a privileged user to change the runtime kernel parameters and impact how resources are shared amongst containers" confidentiality: "Low" confidentialityDescription: "/proc contains information about all network connections on the host, the file systems and permissions, running processes, etc" integrity: "None" integrityDescription: "" availability: "High" availabilityDescription: "/proc/sys allows a privileged user to change the runtime kernel parameters, which may impact how resources are shared amongst containers" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsUnmaskedProcMount" - name: "AllowedUnsafeSysctls" title: "Workload allows unsafe allocation of CPU resources" shortDescription: "Sysctl allows users to modify the kernel settings at run time: networking, memory, etc. Some sysctl interfaces can affect other containers, the host or bypass the CPU quota attributed to the container" description: "Sysctl is an interface that enables the container’s parameters to be changed, which could allow the container to grab more CPU resources than it’s allowed by its quota. This may starve other containers from CPU cycles, compromising the operations of the container, host and even the entire cluster" confidentiality: "None" confidentialityDescription: "" integrity: "Low" integrityDescription: "Some of the sysctl interfaces allow the container to affect the performance of other containers and/or the host" availability: "High" availabilityDescription: "Some of the sysctl interfaces allow the container to grab more CPU resources than allowed by their quota. This may starve other containers from CPU cycles" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsAllowedUnsafeSysctls" - name: "notConfiguredCpuOrMemoryLimit" title: "Workload has a container which its CPU or Memory limit was not configured" shortDescription: "CPU and Memory quotas prevent container from grabbing too many resources from the node, and allow a better scheduling of resources across the cluster" description: "CPU and Memory quotas prevent container from grabbing too many resources from the node, and allow a better scheduling of resources across the cluster" confidentiality: "None" confidentialityDescription: "" integrity: "None" integrityDescription: "" availability: "High" availabilityDescription: "Workloads with no CPU or memory quota may starve off other workloads on the node, resulting in pod ejections and cascading reschedule of pods on other nodes" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsNotConfiguredCpuOrMemoryLimit" - name: "mountingOSDirectoryRW" title: "Workload is mounting a volume with OS Directory write permissions" shortDescription: "Containers can mount sensitive folders from the hosts, giving them potential dangerous access critical host configurations and binaries" description: "Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries" confidentiality: "High" confidentialityDescription: "Sharing sensitive folders and files such as / (root), /var/run/, etc., can allow the container to communicate with other host applications, such as a database, which could expose sensitive information" integrity: "High" integrityDescription: "Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc. can allow the container to reconfigure the Kubernetes clusters, run new container images, etc" availability: "Low" availabilityDescription: "Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc. can allow the container to reconfigure the container quotas, run new container images, etc" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsMountingOSDirectoryRW" - name: "mountingOSDirectoryRO" title: "Workload is mounting a volume with OS Directory read-only permissions" shortDescription: "Containers can mount sensitive folders from the hosts, giving them potential dangerous access critical host configurations" description: "Containers can mount sensitive folders from the hosts, giving them potential dangerous knowledge of critical host configurations" confidentiality: "Low" confidentialityDescription: "Sharing sensitive folders and files, such as /etc, /var/run/, etc., can allow the container to read secrets" integrity: "None" integrityDescription: "" availability: "None" availabilityDescription: "" exploitability: "Low" attackVector: "Local" scope: "Host" handler: "IsMountingOSDirectoryRO" - name: "capSysAdmin" title: "Workload has container/s with CAP_SYS_ADMIN capability" shortDescription: "CAP_SYS_ADMIN is the most privileged capability with over 150 privileged system calls allowed" description: "CAP_SYS_ADMIN is the most privileged capability allowed, out of more than 150 privileged system calls available" confidentiality: "High" confidentialityDescription: "CAP_SYS_ADMIN gives processes privileges equivalent to running as root. Processes in a container running as root may be able to escape their container and perform malicious actions on the host" integrity: "None" integrityDescription: "" availability: "None" availabilityDescription: "" exploitability: "Moderate" attackVector: "Local" scope: "Host" handler: "IsCapSysAdmin" - name: "ExposedByLoadBalancer" title: "Workload is exposed through a load balancer" shortDescription: "The service is accessible from other networks and/or from the Internet" description: "A load balancer is exposing the workload, making it accessible from other networks and the Internet" confidentiality: "High" confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" integrity: "Low" integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" availability: "High" availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers" exploitability: "Moderate" attackVector: "Remote" scope: "None" handler: "IsExposedByLoadBalancer" - name: "ExposedByNodePort" title: "Workload is exposed through a node port" shortDescription: "The service is accessible from other networks and/or from the Internet" description: "A node port is exposing the workload, making it accessible from other networks and the Internet" confidentiality: "High" confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" integrity: "Low" integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" availability: "High" availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers" exploitability: "Moderate" attackVector: "Remote" scope: "None" handler: "IsExposedByNodePort" - name: "ExposedByIngress" title: "Workload is exposed through an ingress policy" shortDescription: "The service is accessible from other networks and/or from the Internet" description: "An ingress policy is exposing the workload, making it accessible from other networks and the Internet" confidentiality: "High" confidentialityDescription: "Accidental exposure of sensitive services may lead to the exfiltration of confidential data through remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" integrity: "Low" integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" availability: "Low" availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers" exploitability: "Moderate" attackVector: "Remote" scope: "None" handler: "IsExposedByIngress" - name: "HostPort" title: "Workload is exposed through a shared host port" shortDescription: "The service is accessible from other networks and/or from the Internet" description: "This container setting binds the container listening port to the IP address of the host. This exposes the pod to adjacent networks and/or to the Internet.\nA host port is exposing the workload, making it accessible from other networks and the Internet" confidentiality: "High" confidentialityDescription: "This setting binds the workload listening IP address to the host IP, making the service accessible from other networks and/or from the Internet" integrity: "Low" integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" availability: "High" availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers" exploitability: "Moderate" attackVector: "Remote" scope: "None" handler: "IsHostPort" - name: "ShareHostNetwork" title: "Workload is exposed through a shared host network" shortDescription: "The service is accessible from other networks and/or from the Internet\nShare Host Network allows containers to sniff traffic from host and other containers" description: "This Security Context setting allows the workload to share the same network namespace as the host" confidentiality: "High" confidentialityDescription: "This allows the network to listen to the loopback interface and sniff the traffic to and from other pods. This setting also allows workloads to bind their listening IP address to the host IP, making the service accessible from other networks and/or from the Internet" integrity: "Low" integrityDescription: "Services open to the Internet may be used to access unprotected services (move laterally) by leveraging remote code vulnerabilities, vulnerable third-party libraries or vulnerable OS services" availability: "High" availabilityDescription: "Accidental exposure to the Internet can make the workload susceptible to DoS attacks from random attackers" exploitability: "Low" attackVector: "Remote" scope: "Host" handler: "IsShareHostNetwork" - name: "ShareHostPID" title: "Workload shares the host PID" shortDescription: "Share Host Pid allow containers to manipulate other container processes" description: "Shared host PIDs enable the sharing of processes with the host and other containers" confidentiality: "Low" confidentialityDescription: "Each container has access to password, secrets, certificates, etc. read by other containers" integrity: "Low" integrityDescription: "Each container can manipulate other container processes, inject malicious code, modify /proc, etc. A malicious container can move laterally by infecting other containers on the same host" availability: "Low" availabilityDescription: "Each container can crash another container’s processes" exploitability: "Low" attackVector: "Local" scope: "Host" handler: "IsShareHostPID" - name: "ShareHostIPC" title: "Workload shares the host IPC" shortDescription: "Shared Host IPC can leak confidential data sent from trusted applications" description: "IPC allows containers to communicate directly through shared memory - a shared IPC means that anyone in that namespace can access that memory" confidentiality: "High" confidentialityDescription: "Communication between trusted applications and untrusted applications (malicious third-party libraries, rogue containers) can leak confidential data" integrity: "Low" integrityDescription: "Untrusted applications can change the behavior of trusted applications through shared memory namespaces by tampering with the memory" availability: "Low" availabilityDescription: "An untrusted application can use improper Inter-Process Communications to crash the destination process" exploitability: "Low" attackVector: "Local" scope: "Host" handler: "IsShareHostIPC" remediation: - name: "seccomp" title: "Workload containers have a seccomp policy" shortDescription: "A seccomp policy specify which system class can be called by the application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited" description: "seccomp stands for Secure Computing mode - a seccomp policy can specify which system class can be called by the application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited" confidentiality: "High" confidentialityDescription: "A seccomp policy can prevent malicious programs from reading files not used by the container" integrity: "High" integrityDescription: "A seccomp policy can prevent malicious programs to use kernel exploits to break out of the container" availability: "High" availabilityDescription: "A seccomp policy can be used to restrict the system calls and prevent processes from grabbing additional CPU or memory resources" exploitability: "None" attackVector: "Local" scope: "Host" handler: "IsSecComp" - name: "selinux" title: "Workload containers have SELlinux or AppArmor enabled" shortDescription: "SELinux (RedHat-based distributions) and AppArmor(Debian-based distributions) provides access control policies. They can be used to restrict how processes can communicate" description: "SELinux (RedHat-based distributions) and AppArmor (Debian-based distributions) provides access control policies that can be used to restrict how processes can communicate to improve the overall security posture of the container and host" confidentiality: "High" confidentialityDescription: "The SELinux or AppArmor policy can be used to restrict what processes can read in each folder" integrity: "High" integrityDescription: "The SELinux or AppArmor policy can be used to restrict what processes can write to disk and in what folders" availability: "High" availabilityDescription: "The SELinux or AppArmor policy can be used to restrict the system calls and prevent processes from grabbing additional CPU or memory resources" exploitability: "None" attackVector: "Local" scope: "Host" handler: "IsSelinux" - name: "IngressPolicy" title: "Workload has ingress policy configured" shortDescription: "The Kubernetes network policy allows specific workloads or specific external IP addresses (such as an external Load Balancer) to access the application running" description: "An ingress network policy can prevent a workload from being leveraged to perform lateral movement and data ex-filtration" confidentiality: "Low" confidentialityDescription: "An ingress policy cuts down on accidental exposure to the Internet, which can lead to confidential data being leaked. (Accidental exposure can be caused when a Load Balancer, Node Port or Ingress Controller is added or misconfigured" integrity: "Low" integrityDescription: "An ingress policy cuts down on accidental exposure to the Internet, which can make vulnerable code or third-party processes available to be exploited by external attackers" availability: "High" availabilityDescription: "An ingress policy helps limit accidental exposure to the Internet, which can make workloads susceptible to DoS attacks from random attackers" exploitability: "None" attackVector: "Remote" scope: "None" handler: "IsIngressPolicy" - name: "EgressPolicy" title: "Workload has egress policy configured" shortDescription: "The Kubernetes network policy allows workloads to communicate with specific workloads or specific external IP addresses" description: "The Kubernetes egress network policy only allows workloads to communicate with specific workloads or specific external IP addresses, which reduces the attack surface" confidentiality: "High" confidentialityDescription: "A Kubernetes egress policy makes it harder for an attacker to exploit a vulnerable application or OS, or compromised third-party library, etc. to move laterally inside the cluster or exfiltrate confidential data" integrity: "Low" integrityDescription: "An egress policy makes it harder to leverage a compromised workload to attack other services in the cluster" availability: "Low" availabilityDescription: "An egress policy makes it more difficult for a workload to be leveraged to mount a DoS attack on other internal services in the cluster" exploitability: "None" attackVector: "Remote" scope: "Cluster" handler: "IsEgressPolicy" - name: "notListeningToContainerPorts" title: "A listening port isn’t configured" shortDescription: "A workload with no listening service is not susceptible to remote networking attacks" description: "A workload with no listening service is not susceptible to remote networking attacks" confidentiality: "High" confidentialityDescription: "When there is no listening port configured, workloads are not accessible remotely and are less likely to be leveraged for lateral movement and data exfiltration" integrity: "High" integrityDescription: "When there is no listening port, workloads with local vulnerabilities are less likely to be exploited" availability: "High" availabilityDescription: "When there is no listening port, workloads not accessible remotely are less likely to be overloaded by external users" exploitability: "None" attackVector: "Remote" scope: "None" handler: "IsNotListeningToContainerPorts" - name: "instrumentedByOctarine" title: "Workload is instrumented by Octarine" shortDescription: "Service meshes such as Istio and Octarine provide encryption of network traffic as well as strong identity, preventing network sniffing or Man-in-the-Middle (MiTM) attacks" description: "The Istio and Octarine service mesh encrypts all internal network activities with a mutual TLS connection and uses certificates to provide strong identity to all workloads, which greatly reduces the potential attack surface" confidentiality: "High" confidentialityDescription: "Service meshes, such as Istio and Octarine, provide encryption of network traffic, as well as strong identity, which prevents network sniffing and Man-in-the-Middle (MiTM) attacks" integrity: "Low" integrityDescription: "The strong identity provided by an Octarine and/or Istio service mesh prevents rogue containers from impersonating trusted workloads" availability: "Low" availabilityDescription: "Service meshes, such as Istio and Octarine, can detect and stop abnormal increases in network activities and network errors" exploitability: "None" attackVector: "Remote" scope: "None" handler: "IsInstrumentedByOctarine" - name: "instrumentedByIstio" title: "Workload is instrumented by Istio" shortDescription: "The Istio and Octarine service mesh encrypts all internal network activities with a mutual TLS connection and uses certificates to provide strong identity to all workloads, which greatly reduces the potential attack surface" description: "Service meshes such as Istio and Octarine provide encryption of network traffic as well as strong identity, preventing network sniffing or Man-in-the-Middle (MiTM) attacks" confidentiality: "High" confidentialityDescription: "Service meshes, such as Istio and Octarine, provide encryption of network traffic, as well as strong identity, which prevents network sniffing and Man-in-the-Middle (MiTM) attacks" integrity: "Low" integrityDescription: "The strong identity provided by an Octarine and/or Istio service mesh prevents rogue containers from impersonating trusted workloads" availability: "Low" availabilityDescription: "Service meshes, such as Istio and Octarine, can detect and stop abnormal increases in network activities and network errors" exploitability: "None" attackVector: "Remote" scope: "None" handler: "IsInstrumentedByIstio" --- apiVersion: v1 kind: ServiceAccount metadata: name: kube-scan namespace: kube-scan labels: app: kube-scan --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kube-scan labels: app: kube-scan rules: - apiGroups: - '' - 'rbac.authorization.k8s.io' - 'extensions' - 'apps' - 'batch' - 'networking.k8s.io' resources: - '*' verbs: - 'get' - 'list' - 'watch' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kube-scan labels: app: kube-scan roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kube-scan subjects: - kind: ServiceAccount name: kube-scan namespace: kube-scan --- apiVersion: apps/v1 kind: Deployment metadata: name: kube-scan namespace: kube-scan labels: app: kube-scan spec: selector: matchLabels: app: kube-scan template: metadata: labels: app: kube-scan spec: containers: - name: kube-scan-ui image: octarinesec/kubescan-scanner-ui:20.5 imagePullPolicy: Always env: - name: API_SERVER_PORT value: "80" - name: CONTACT_LINK value: "mailto:info@octarinesec.com?subject=Octarine%20Contact%20Request" - name: WEBSITE_LINK value: "https://www.octarinesec.com" - name: kube-scan image: octarinesec/kubescan-scanner:20.5 env: - name: KUBESCAN_PORT value: "80" - name: KUBESCAN_RISK_CONFIG_FILE_PATH value: "/etc/kubescan/risk-config.yaml" - name: KUBESCAN_REFRESH_STATE_INTERVAL_MINUTES value: "1440" imagePullPolicy: Always volumeMounts: - name: config mountPath: /etc/kubescan volumes: - name: config configMap: name: kube-scan defaultMode: 420 serviceAccountName: kube-scan --- apiVersion: v1 kind: Service metadata: name: kube-scan-ui namespace: kube-scan labels: app: kube-scan spec: ports: - name: kube-scan-ui port: 80 protocol: TCP targetPort: 8080 selector: app: kube-scan type: ClusterIP