alcide

Alcide Blog

Cloud-native Security Provider

Introducing sKan: Security Hardening and Best Practices for K8s Configuration Files

Apr 20, 2020 7:08:36 AM / by Alon Berger

Last week we released sKan: a new CI scanner for DevOps and developers that scans K8s deployment files for security drifts.

The Need We Saw

Adopting Kubernetes allows an easy and consistent implementation of environments and their deployments by supporting configurations via YAML files, Helm charts, and CLI.

With this wide range of tools, routine source-code scans for security issues are most likely to end up with overlooked critical errors and potential production vulnerabilities.


The Alcide sKan, empowered by Alcide Kubernetes Advisor brings to light security risks and misconfigurations at a very early stage, ensuring dev work to follow security and operations best practices.

Each execution of the sKan tool covers and detects a broad range of potential security risks, like K8s secrets, CVEs, RBAC misconfiguration, and many more.

 

Each scan also provides actionable insights for each detected risk, significantly improving time-to-response for any incidents throughout the continuous delivery pipeline.

In the example below, the scan checks for any misplaced secrets, API keys, and passwords on specific ConfigMaps, namespaces, and clusters:

 

 

According to VMWare’s recent survey on the state of Kubernetes in 2020, it is reported that there is an increase in Kubernetes adoption in many production applications. With this ongoing trend, there is also a rise in security incidents, deriving mostly from misconfigurations of some sort. Having a tool like sKan provides you with early detection of such issues, allowing security measures to be enforced by developers throughout the development stages and across all of your clusters.

 

Why Now?

We kept hearing from our customers and prospects that they would like to bring K8s security insights from the Alcide Advisor tool to the hands of the developers as early as possible.

The developers are the ones that build the applications running on Kubernetes, so shifting further left in the most automated and seamless manner is our main goal.

This is why we released the Alcide sKan, to serve as a checkpoint tool for developers that is available in their comfort zone without interrupting their development workflow.

Below is an example of a scan, running on a deployment.yaml file.
The sKan presents a breakdown of issues, distributed by severity. Every scan result can be viewed on any browser, as an HTML file.

 

 

sKan can be perceived in developer terms as a Kubernetes YAML/JSON resource linter.
Anything you can do with a code linter in your pipeline would be something developers can implement with sKan.

 

sKan has a very robust and flexible input option that effectively makes a straightforward integration:

  • Read an entire directory of Kubernetes resources
  • Render a Helm chart and pipe them via standard input into sKan 
  • Use customised resources and pipe them via standard input into sKan

On the output end, developers can have sKan generate a report as Junit or extremely human-friendly HTML and store it in the pipeline artifacts.

 

How are Security Considerations Different in a Kubernetes Environment?

Code scanners identify, report and potentially fix issues found in programming languages.Kubernetes application configurations are effectively YAML/JSON files that declaratively specify how built code will run in Kubernetes.

sKan starts where YAML/JSON syntax validation ends - it analyzes the Kubernetes application configurations and will identify violations of security best practices.

 

sKan covers several modules like Kubernetes Pod Security Checks, RBAC Privileges Checks, Misplaced Secrets Checks and many more, each one hosts numerous checks.

With sKan being powered by Alcide Advisor as well as Open-Policy-Agent, new modules and checks will be shipped on a regular basis from both in-house and the community.

 

sKan Aims to Bring Dev and Ops Closer Together

sKan integrates with the very same tools and platforms that code scanners integrate which means that by design sKan becomes a plug-and-play tool to all the existing investments made into the tools that cover assurance, auditability and continuous compliance for the various stakeholders that consume those reports, such as architects and leadership.

Alcide sKan can be leveraged as a local tool for developers tasked to build Kubernetes based applications, and enabling them to build and ship secure components for these applications.

Ops would then need to run and operate those components. 

sKan helps to shape and form alignment between developers and ops by aligning the security quality of Kubernetes based application deliverables with a set of high bar security standards and best practices.

 

Additional usage and CLI examples:

 
 

 

The sKan tool and is now available on Alcide’s GitHub repository.

 

Topics: Kubernetes security, Advisor, sKan

Subscribe to Email Updates