Kubesec is a great tool for risk analysis scanning kubernetes resources and yaml files. There is a plugin that can be leveraged in the cluster but you can also download the command line client and scan the yaml files of your pods, deployments, deamonsets and stateful sets.
I am going to use the cli tool to scan a pod yaml that I have on my system and then work hard to make the test fail.
Download Kubesec at kubesec.io
Untar the file
I have here a yaml file for an immutable pod that I was playing around with. Immutable sounds good, I bet this one will pass the test:
Kubesec will scan through and generate a report with a score with either a pass or a fail and how many points.
This one passed:
Now lets make a bad change to the yaml. we will change readOnlyRootFileSytem from false to true
Ok, well that pod is no longer immutable that is for sure. Lets see what Kubesec has to say about that:
Passed but with a score of 0.
Ok what if we allow privilege escalation:
Yes we failed!! Perhaps this post should have gone in the other direction, from fail to pass but I decided to be different and go against the flow:
Kubesec will tell us what it really did not like and as one would guess privilege escalation is not a nice thing
Kubesec is yet another tool that we have in are arsenal to help secure our containers.
