Implement Alcide

Empowering DevOps and security teams with continuous security for workloads running on Kubernetes

Introduction

In response to the ever-elusive security in cloud-native (and hybrid) environments, one approach, called Zero Trust, has been gaining momentum. Initially coined by former Forrester analyst John Kindervag in 2010 and popularized by Google’s BeyondCorp, Zero Trust aims to put a stop to the breach madness by assuming that no asset, user or resource can be trusted no matter where they sit (inside or outside of the firewall).

Initially applied to the network, Zero Trust must be extended to all aspects of cloud-native development and production to achieve its intended goal: Stop attacks before they can have detrimental consequences for your application availability, the protection of your data and, ultimately, your business.

To implement Zero Trust, Eupraxia Labs deploys Alcide services to all of the Kubernetes clusters in its Managed Services Provider (MSP) implementations. Eupraxia Labs offers both soft multi-tenancy and hard multi-tenancy Kubernetes clusters for all phases of the software development life cycle. It is Alcide Advisor that ensures a cyber attack from application neighbors, made possible by improper deployment of cloud-native applications, is eliminated.

Alcide Advisor is a Kubernetes multi-cluster vulnerability scanner that covers a rich set of Kubernetes and Istio security best practices and compliance checks. Analysis of scanned deployments reveals that DevOps teams face significant gaps in following best practices for Kubernetes secrets handling and network policies. Specifically, 89% of deployment scans show that companies are not using Kubernetes’ Secret resources, with secrets wired in the open (for example in ConfigMaps or environment variables). Moreover, over 75% of the scanned deployments run workloads that mount highly sensitive host file systems such as /proc, and none of the surveyed environments implement segmentation using Kubernetes’ network policies.

With Alcide Advisor, we cover the following security checks:

Kubernetes infrastructure vulnerability scanning.

Hunting misplaced secrets, or excessive privileges for secret access.

Workload hardening from Pod Security to network policies.

Istio security configuration and best practices.

Ingress Controllers for security best practices.

Kubernetes API server access privileges.

Kubernetes operators security best practices.

Deployment conformance to labeling, annotating and resource limits.
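The findings called out above (secrets wired into ConfigMaps or pod environment variables, and workloads mounting host paths such as /proc) can be checked mechanically. The following is an added example written for this page, not Alcide's code or Eupraxia Labs' scripts: it re-implements those three Advisor checks over Kubernetes objects represented as plain dicts (the shape `kubectl get ... -o json` produces). The key-name patterns, the sensitive-path list and the sample manifests are constructed assumptions.

```python
import re

# Assumed pattern: key names that suggest a credential was wired into a ConfigMap or env var.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# Assumed list: host paths whose exposure to a pod is a workload-hardening finding.
SENSITIVE_HOST_PATHS = {"/", "/proc", "/etc", "/var/run/docker.sock"}

def find_secrets_in_configmap(cm):
    """Secret Hunting | Find Secrets in ConfigMaps: data keys that look like credentials."""
    return [f"{cm['metadata']['name']}:{k}" for k in cm.get("data", {}) if SECRET_KEY_RE.search(k)]

def find_secrets_in_pod_env(pod):
    """Secret Hunting | Find Secrets in Pod Environment Variables: credential-like names with a
    literal `value`. A `valueFrom.secretKeyRef` reference is the proper pattern and is not flagged."""
    hits = []
    for c in pod["spec"].get("containers", []):
        for env in c.get("env", []):
            if "value" in env and SECRET_KEY_RE.search(env["name"]):
                hits.append(f"{pod['metadata']['name']}/{c['name']}:{env['name']}")
    return hits

def find_sensitive_host_mounts(pod):
    """Pod Security | Workload Hardening: hostPath volumes exposing /proc, /, /etc or the Docker socket."""
    hits = []
    for v in pod["spec"].get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if not path:
            continue
        norm = path.rstrip("/") or "/"  # treat "/proc/" and "/proc" alike
        if norm in SENSITIVE_HOST_PATHS or norm.startswith("/proc/"):
            hits.append(f"{pod['metadata']['name']}:{v['name']}:{path}")
    return hits

def scan(configmaps, pods):
    """Return all findings for a set of manifests, prefixed with the Advisor module name they map to."""
    findings = [f"Find Secrets in ConfigMaps: {h}"
                for cm in configmaps for h in find_secrets_in_configmap(cm)]
    for pod in pods:
        findings += [f"Find Secrets in Pod Environment Variables: {h}" for h in find_secrets_in_pod_env(pod)]
        findings += [f"Workload Hardening: {h}" for h in find_sensitive_host_mounts(pod)]
    return findings

# Constructed sample manifests (not from a real cluster) showing one instance of each finding.
SAMPLE_CONFIGMAP = {"metadata": {"name": "app-config"},
                    "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"}}
SAMPLE_POD = {"metadata": {"name": "api-0"}, "spec": {
    "containers": [{"name": "api", "env": [
        {"name": "API_TOKEN", "value": "abc123"},
        {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]}],
    "volumes": [{"name": "host", "hostPath": {"path": "/proc/"}}, {"name": "data", "emptyDir": {}}]}}
```

Running `scan([SAMPLE_CONFIGMAP], [SAMPLE_POD])` yields three findings: the plaintext ConfigMap password, the literal API token in the pod environment, and the /proc host mount; the `secretKeyRef`-backed variable and the emptyDir volume pass.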

This Zero Trust approach is indeed the right approach to scalable cloud-native security. Through smart automation and continuous integration across the software development life cycle and supply chain, it can not only secure critical assets but also enable enterprises’ innovation velocity.

Installation into a Kubernetes Cluster

We will use Alcide’s installation documentation.

Browser View

Alcide View of XtremeCloud Multi-Cloud View - GKE and AKS

Command Line Scan of the Kubernetes Cluster

Running the script, provided by Eupraxia Labs, against Google Kubernetes Engine (GKE):

[centos@vm-controller scripts]$ ./gke-advisor-scan.sh

xtremecloud-cluster-1
/tmp/alcide-advisor-zbZpbYsdDB ~/alcide-pipeline/scripts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11.7M  100 11.7M    0     0  5259k      0  0:00:02  0:00:02 --:--:-- 5261k
Scanning xtremecloud-cluster-1
Fetching cluster endpoint and auth data.
kubeconfig entry generated for xtremecloud-cluster-1.


To take a quick anonymous survey, run:
  $ gcloud alpha survey

[kube-advisor] Connecting to cluster 'gke_xtremecloud_us-central1-a_xtremecloud-cluster-1'
[kube-advisor] Connected to cluster 'gke_xtremecloud_us-central1-a_xtremecloud-cluster-1' running Kubernetes Master API version 'v1.12.8-gke.10'
[kube-advisor] Detected cluster deployed on 'gce'
[kube-advisor] Analyzing cluster with profile 'default-kube-advisor-analysis'
[kube-advisor] Cluster namespaces included '*'
[kube-advisor] Cluster namespaces excluded 'kube-system'
[kube-advisor] Analyzing scan modules from profile 'default-kube-advisor-analysis'
[kube-advisor] Kubernetes CIS Benchmark | Kubelet Checks (Kubernetes CIS Benchmark)
[kube-advisor] Cluster Conformance | Workload Conformance
[kube-advisor] Cluster Conformance | Service Conformance
[kube-advisor] Ops Conformance | Workload Readiness & Liveness
[kube-advisor] Ops Conformance | Workload Capacity Planning
[kube-advisor] Ops Health | Deployment Health
[kube-advisor] Ops Health | Pod Failures
[kube-advisor] Ops Health | DaemonSet Health
[kube-advisor] Ops Health | StatefulSet Health
[kube-advisor] Kubernetes Vulnerabilities Checks | Kubernetes Master API Server Vulnerability
[kube-advisor] Kubernetes Vulnerabilities Checks | Kubernetes Worker Nodes Vulnerabilities Checks
[kube-advisor] Workload Software Supply Chain | Image Registry Whitelist
[kube-advisor] Ingress Controllers & Services | Ingress Security & Hardening Configuration
[kube-advisor] Ingress Controllers & Services | Ingress Controller (nginx)
[kube-advisor] Ingress Controllers & Services | Service Resource Checks
[kube-advisor] Pod Security | Workload Hardening
[kube-advisor] Workload Kubernetes API Server Access Privileges | Privileged Kubernetes API Server Access
[kube-advisor] Kubernetes Dashboard | RBAC Permissions
[kube-advisor] Kubernetes Dashboard | Kubernetes Dashboard Vulnerabilities Checks
[kube-advisor] Secret Hunting | Find Secrets in ConfigMaps
[kube-advisor] Secret Hunting | Find Secrets in Pod Environment Variables
[kube-advisor] Worker Node Security | Worker Nodes Hardening
[kube-advisor] Scan completed within 31.575040905s
[kube-advisor] Generating report (html) and saving as '/tmp/alcide-advisor-zbZpbYsdDB/gke_xtremecloud_us-central1-a_xtremecloud-cluster-1.html'
[kube-advisor] Summary:
[kube-advisor] Critical .... 6
[kube-advisor] High ........ 45
[kube-advisor] Medium ...... 14
[kube-advisor] Low ......... 0
[kube-advisor] Pass ........ 30
~/alcide-pipeline/scripts

You can now drill down into the report and resolve issues.
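Drilling down by hand works for a single cluster; in a pipeline the `[kube-advisor] Summary:` block at the end of the scan can instead be parsed and gated so that a run with Critical findings fails the stage. This is an added example, not part of the Eupraxia Labs scripts: the thresholds are assumed policy, and the sample log is the tail of the GKE output above.

```python
import re

# Matches the five summary lines, e.g. "[kube-advisor] Critical .... 6".
SUMMARY_RE = re.compile(r"^\[kube-advisor\] (Critical|High|Medium|Low|Pass) \.+ (\d+)$")
SEVERITIES = {"Critical", "High", "Medium", "Low", "Pass"}

# Sample input: tail of the GKE scan output shown above.
SAMPLE_LOG = """\
[kube-advisor] Scan completed within 31.575040905s
[kube-advisor] Summary:
[kube-advisor] Critical .... 6
[kube-advisor] High ........ 45
[kube-advisor] Medium ...... 14
[kube-advisor] Low ......... 0
[kube-advisor] Pass ........ 30
~/alcide-pipeline/scripts
"""

def parse_summary(log_text):
    """Extract the severity counts; an incomplete summary (aborted scan) is an error, not a pass."""
    counts = {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    missing = SEVERITIES - set(counts)
    if missing:
        raise ValueError(f"summary incomplete, missing: {sorted(missing)}")
    return counts

def gate(counts, max_critical=0, max_high=None):
    """Assumed policy: any Critical fails the stage; High fails only when a cap is configured."""
    if counts["Critical"] > max_critical:
        return False, f"{counts['Critical']} critical findings (max {max_critical})"
    if max_high is not None and counts["High"] > max_high:
        return False, f"{counts['High']} high findings (max {max_high})"
    return True, "within policy"
```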

Alcide Scan Results of Google Cloud Kubernetes Cluster

Running the script, provided by Eupraxia Labs, against Azure Kubernetes Service (AKS):


[centos@vm-controller scripts]$ ./aks-advisor-scan.sh
/tmp/alcide-advisor-DjSCKe7xbl ~/alcide-pipeline/scripts
Downloading Alcide Advisor
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11.7M  100 11.7M    0     0  5498k      0  0:00:02  0:00:02 --:--:-- 5501k
Scanning xtremecloud eupraxia-xc
Merged "xtremecloud" as current context in /home/centos/.kube/config
Running: './kube-advisor --eula-sign validate cluster --cluster-context xtremecloud --namespace-include="*" --outfile /tmp/alcide-advisor-DjSCKe7xbl/xtremecloud.html'
[kube-advisor] Connecting to cluster 'xtremecloud'
[kube-advisor] Connected to cluster 'xtremecloud' running Kubernetes Master API version 'v1.11.8'
[kube-advisor] Detected cluster deployed on 'azure'
[kube-advisor] Analyzing cluster with profile 'default-kube-advisor-analysis'
[kube-advisor] Cluster namespaces included '*'
[kube-advisor] Cluster namespaces excluded 'kube-system'
[kube-advisor] Analyzing scan modules from profile 'default-kube-advisor-analysis'
[kube-advisor] Kubernetes CIS Benchmark | Kubelet Checks (Kubernetes CIS Benchmark)
[kube-advisor] Cluster Conformance | Workload Conformance
[kube-advisor] Cluster Conformance | Service Conformance
[kube-advisor] Ops Conformance | Workload Readiness & Liveness
[kube-advisor] Ops Conformance | Workload Capacity Planning
[kube-advisor] Ops Health | Deployment Health
[kube-advisor] Ops Health | Pod Failures
[kube-advisor] Ops Health | DaemonSet Health
[kube-advisor] Ops Health | StatefulSet Health
[kube-advisor] Kubernetes Vulnerabilities Checks | Kubernetes Master API Server Vulnerability
[kube-advisor] Kubernetes Vulnerabilities Checks | Kubernetes Worker Nodes Vulnerabilities Checks
[kube-advisor] Workload Software Supply Chain | Image Registry Whitelist
[kube-advisor] Ingress Controllers & Services | Ingress Security & Hardening Configuration
[kube-advisor] Ingress Controllers & Services | Ingress Controller (nginx)
[kube-advisor] Ingress Controllers & Services | Service Resource Checks
[kube-advisor] Pod Security | Workload Hardening
[kube-advisor] Workload Kubernetes API Server Access Privileges | Privileged Kubernetes API Server Access
[kube-advisor] Kubernetes Dashboard | RBAC Permissions
[kube-advisor] Kubernetes Dashboard | Kubernetes Dashboard Vulnerabilities Checks
[kube-advisor] Secret Hunting | Find Secrets in ConfigMaps
[kube-advisor] Secret Hunting | Find Secrets in Pod Environment Variables
[kube-advisor] Worker Node Security | Worker Nodes Hardening
[kube-advisor] Scan completed within 13.246100687s
[kube-advisor] Generating report (html) and saving as '/tmp/alcide-advisor-DjSCKe7xbl/xtremecloud.html'
[kube-advisor] Summary:
[kube-advisor] Critical .... 15
[kube-advisor] High ........ 61
[kube-advisor] Medium ...... 31
[kube-advisor] Low ......... 0
[kube-advisor] Pass ........ 30
~/alcide-pipeline/scripts

You can drill down in a similar manner on the Microsoft Azure Kubernetes cluster of interest.

Alcide Scan Results of Microsoft Azure Kubernetes Cluster