Hi!

In this article, I would like to share with you a list of security tools to audit the security of your AKS clusters.

Kubestriker performs numerous in depth checks on kubernetes infra to identify the security misconfigurations and challenges that devops engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale.https://github.com/vchinnipilli/kubestriker

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. https://github.com/aquasecurity/kube-hunter

Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as: run as non-root ; use a read-only root filesystem ; don’t run privileged ; and more! https://github.com/Shopify/kubeaudit

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. https://github.com/aquasecurity/kube-bench

Kubiscan is a tool for scanning Kubernetes cluster for risky permissions in Kubernetes’s Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System. https://github.com/octarinesec/kube-scan

Rback – A simple « RBAC in Kubernetes » visualizer. No matter how complex the setup, rback queries all RBAC related information of an Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in dot format. https://github.com/mhausenblas/rback

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. https://github.com/cyberark/kubernetes-rbac-audit

Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster. https://github.com/inguardians/peirates

Kubetap is a kubectl plugin that enables an operator to easily deploy intercepting proxies for Kubernetes Services. https://github.com/soluble-ai/kubetap

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc). https://github.com/sysdiglabs/kube-psp-advisor

Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. https://github.com/kinvolk/inspektor-gadget

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. https://github.com/appvia/krane

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. https://github.com/stackrox/kube-linter

Kubeletctl is a command line tool that implement kubelet’s API. https://github.com/cyberark/kubeletctl

MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. https://github.com/darkbitio/mkit

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies. https://github.com/nccgroup/ConMachi

Ktunnel is a CLI tool that establishes a reverse tunnel between a kubernetes cluster and your local machine. It lets you expose your machine as a service in the cluster or expose it to a specific deployment. You can also use the client and server without the orchestration part. Although ktunnel is identified with kubernetes, it can also be used as a reverse tunnel on any other remote system https://github.com/omrikiei/ktunnel

Dostainer – Kubernetes Resource Exhaustion PoC Container https://github.com/uchi-mata/dostainer

Kubei is a vulnerabilities scanning and CIS Docker benchmark tool that allows users to get an accurate and immediate risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan the entire image registries and doesn’t require preliminary integration with CI/CD pipelines. https://github.com/Portshift/Kubei

Kubernetes Cluster dumps -Full cluster export into jsons using both native and specialized exports- https://github.com/alexivkin/kubepwn/blob/master/Tools/kubernetes-cluster-dump.sh

Maxime.