This is the one article you need to read. If you read no other article we send you, read this one. In this article we will quickly introduce you to 3 free, open-source tools you can use to secure your Kubernetes cluster and the apps running on it.
I promised 3 minutes, so here we go!
1. Trivy: Scan Your Container Images
Trivy scans your container images and tells you whether they contain operating system packages with known vulnerabilities (tracked as CVEs), application libraries with known vulnerabilities, or configuration issues of concern, such as the container running as root or passwords and certificates stored on disk inside the image.
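Trivy can fail a build on its own (`trivy image --severity HIGH,CRITICAL --exit-code 1 IMAGE`), but teams usually want one view that covers all three finding types the paragraph mentions: OS and library CVEs, misconfigurations, and leaked secrets. The script below is an added example, not Trivy's own code. It reads the JSON produced by `trivy image --format json --output report.json IMAGE`, walks the `Results[].Vulnerabilities`, `Misconfigurations` and `Secrets` lists, and returns a non-zero exit code when anything HIGH or CRITICAL remains. The embedded report is constructed for illustration: the image name, package names, CVE numbers and versions are placeholders, not real findings.

```python
"""Gate a build on a Trivy JSON report (added example, not Trivy's own code).

    trivy image --format json --output report.json IMAGE
    python trivy_gate.py report.json            # exits 1 on HIGH/CRITICAL
"""
import json
import sys
from collections import Counter

# Constructed sample in Trivy's JSON report layout. Every name, CVE id and
# version here is an invented placeholder, not a real finding.
SAMPLE_REPORT = json.loads(r"""
{
  "ArtifactName": "registry.example/shop/web:1.4.2",
  "Results": [
    {"Target": "registry.example/shop/web:1.4.2 (debian 12.5)",
     "Class": "os-pkgs", "Type": "debian",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
        "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother0",
        "InstalledVersion": "2.3-4", "FixedVersion": "", "Severity": "HIGH"}]},
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "sample-lib",
        "InstalledVersion": "0.1.0", "FixedVersion": "0.1.1", "Severity": "MEDIUM"}]},
    {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
     "Misconfigurations": [
       {"ID": "DS002", "Title": "Image user should not be 'root'",
        "Severity": "HIGH", "Status": "FAIL"}]},
    {"Target": "app/config/settings.env", "Class": "secret",
     "Secrets": [
       {"RuleID": "aws-access-key-id", "Title": "AWS Access Key ID",
        "Severity": "CRITICAL"}]}
  ]
}
""")

BLOCKING = {"CRITICAL", "HIGH"}


def collect_findings(report, ignore_unfixed=False):
    """Flatten a report into (kind, target, id, severity, detail) tuples.

    ignore_unfixed mirrors Trivy's --ignore-unfixed: skip CVEs with no
    upstream fix, since rebuilding the image cannot remove them yet.
    """
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or ""
            if ignore_unfixed and not fixed:
                continue
            detail = f"{v['PkgName']} {v['InstalledVersion']} -> {fixed or 'no fix yet'}"
            findings.append(("vuln", target, v["VulnerabilityID"], v["Severity"], detail))
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":   # passes are listed only with --include-non-failures
                continue
            findings.append(("misconfig", target, m["ID"], m["Severity"], m["Title"]))
        for s in result.get("Secrets") or []:
            findings.append(("secret", target, s["RuleID"], s["Severity"], s["Title"]))
    return findings


def gate(report, ignore_unfixed=False, blocking=BLOCKING):
    """Return (exit_code, blocking_findings, counts_by_severity)."""
    findings = collect_findings(report, ignore_unfixed)
    counts = Counter(f[3] for f in findings)
    blockers = [f for f in findings if f[3] in blocking]
    return (1 if blockers else 0), blockers, counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    code, blockers, counts = gate(report, ignore_unfixed="--ignore-unfixed" in sys.argv)
    print(f"{report.get('ArtifactName', '?')}: {dict(counts)}")
    for kind, target, ident, severity, detail in blockers:
        print(f"  [{severity}] {kind:<9} {ident:<20} {target}: {detail}")
    sys.exit(code)
```

Secrets are deliberately never filtered by `ignore_unfixed`: a leaked key stays a blocker regardless of whether a package fix exists.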
2. Kube Bench: Scan Your Cluster
The Center for Internet Security (CIS) has published a set of best practices for securing and configuring Kubernetes infrastructure, such as enabling role-based access control (RBAC) or disabling unencrypted access to the APIs. Kube Bench connects to your cluster and reports any settings that do not comply with that benchmark. It has built-in configurations for most Kubernetes versions, and even configurations for managed environments such as Elastic Kubernetes Service or Azure Kubernetes Service.
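A kube-bench run prints hundreds of lines; what a cluster owner actually needs is the list of failed checks with their remediation, and a pass/fail decision that ignores the unscored "Manual" checks CIS does not count toward compliance. The script below is an added example, not kube-bench's own code. It reads the output of `kube-bench run --json` (the `Controls -> tests -> results` layout with `test_number`, `test_desc`, `status`, `scored` and `remediation` fields). The embedded run is constructed for illustration; its check numbers and texts are illustrative only, so verify them against the benchmark version your cluster uses.

```python
"""Summarise a kube-bench JSON run (added example, not kube-bench's own code).

    kube-bench run --json > kube-bench.json
    python kube_bench_summary.py kube-bench.json   # exits 1 on scored FAILs
"""
import json
import sys
from collections import Counter

# Constructed sample in kube-bench's JSON layout; ids and texts are illustrative.
SAMPLE_RUN = json.loads(r"""
{
  "Controls": [
    {"id": "1", "version": "cis-1.6", "text": "Master Node Security Configuration",
     "node_type": "master",
     "tests": [
       {"section": "1.2", "desc": "API Server",
        "results": [
          {"test_number": "1.2.1", "status": "WARN", "scored": false,
           "test_desc": "Ensure that the --anonymous-auth argument is set to false",
           "remediation": "Edit the API server pod specification file and set --anonymous-auth=false."},
          {"test_number": "1.2.7", "status": "PASS", "scored": true,
           "test_desc": "Ensure that the --authorization-mode argument is not set to AlwaysAllow",
           "remediation": ""},
          {"test_number": "1.2.9", "status": "FAIL", "scored": true,
           "test_desc": "Ensure that the --authorization-mode argument includes RBAC",
           "remediation": "Edit the API server pod specification file and set\n  --authorization-mode=Node,RBAC."},
          {"test_number": "1.2.19", "status": "FAIL", "scored": true,
           "test_desc": "Ensure that the --insecure-port argument is set to 0",
           "remediation": "Edit the API server pod specification file and set --insecure-port=0."},
          {"test_number": "1.2.34", "status": "FAIL", "scored": false,
           "test_desc": "Ensure that encryption providers are appropriately configured",
           "remediation": "Create an EncryptionConfiguration and pass --encryption-provider-config."}]}],
     "total_pass": 1, "total_fail": 3, "total_warn": 1, "total_info": 0},
    {"id": "4", "version": "cis-1.6", "text": "Worker Node Security Configuration",
     "node_type": "node",
     "tests": [
       {"section": "4.2", "desc": "Kubelet",
        "results": [
          {"test_number": "4.2.1", "status": "PASS", "scored": true,
           "test_desc": "Ensure that the --anonymous-auth argument is set to false",
           "remediation": ""}]}],
     "total_pass": 1, "total_fail": 0, "total_warn": 0, "total_info": 0}
  ],
  "Totals": {"total_pass": 2, "total_fail": 3, "total_warn": 1, "total_info": 0}
}
""")


def iter_checks(run):
    """Yield (node_type, section, check) for every check in the run."""
    for control in run.get("Controls", []):
        for group in control.get("tests") or []:
            for check in group.get("results") or []:
                yield control.get("node_type", ""), group.get("section", ""), check


def status_counts(run):
    """Count checks by status (PASS / FAIL / WARN / INFO) across all controls."""
    return Counter(check.get("status", "") for _, _, check in iter_checks(run))


def failed_checks(run, scored_only=True):
    """Return FAIL checks with remediation; by default only scored ones."""
    failures = []
    for node_type, section, check in iter_checks(run):
        if check.get("status") != "FAIL":
            continue
        if scored_only and not check.get("scored", True):
            continue
        failures.append({
            "id": check.get("test_number", "?"),
            "node_type": node_type,
            "section": section,
            "desc": check.get("test_desc", ""),
            # kube-bench wraps remediation text; collapse it to one line.
            "remediation": " ".join(check.get("remediation", "").split()),
        })
    return failures


def exit_code(run):
    """1 if any scored check failed, else 0."""
    return 1 if failed_checks(run, scored_only=True) else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            run = json.load(fh)
    else:
        run = SAMPLE_RUN
    print("status counts:", dict(status_counts(run)))
    for f in failed_checks(run, scored_only="--all" not in sys.argv):
        print(f"[{f['node_type']}] {f['id']} {f['desc']}\n    fix: {f['remediation']}")
    sys.exit(exit_code(run))
```

Pass `--all` to include unscored failures when you review a cluster by hand. On EKS or AKS, select the managed-cluster profile with kube-bench's `--benchmark` flag before feeding the JSON to this script, since the control numbering differs between benchmarks.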
3. Gatekeeper / Open Policy Agent: Make Sure Your Team Does Things Your Way
Open Policy Agent (OPA) is a policy engine for defining how anything deployed to your Kubernetes environment must be deployed, such as limiting privileges or tagging workloads with the details your operations team needs. Gatekeeper lets you define these policies (it calls them constraint templates and constraints), report on them (through CLI tools), and even enforce them. It can be a bit complex, but there is a library of pre-made constraint templates available to get you started!
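The safe way to adopt a constraint is to apply it with `enforcementAction: dryrun`, let Gatekeeper's audit controller list the existing violations, fix those, and only then switch it to `deny`. The script below is an added example, not Gatekeeper's own code, for that "report on them" step. It reads `kubectl get constraints -o json` (Gatekeeper puts every constraint kind in the `constraints` category) and uses the fields Gatekeeper writes on each Constraint: `spec.enforcementAction`, `status.totalViolations` and `status.violations[]`. The embedded list is constructed: the constraint names, namespaces and workloads are placeholders, while the kinds `K8sRequiredLabels` and `K8sPSPPrivilegedContainer` are templates from the gatekeeper-library mentioned above.

```python
"""Triage Gatekeeper audit results during a dryrun rollout
(added example, not Gatekeeper's own code).

    kubectl get constraints -o json > constraints.json
    python gatekeeper_rollout.py constraints.json
"""
import json
import sys

# Constructed `kubectl get constraints -o json` output: two constraints still in
# dryrun and one already enforcing. Names and violations are placeholders.
SAMPLE_CONSTRAINTS = json.loads(r"""
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sRequiredLabels",
     "metadata": {"name": "deployments-must-have-owner"},
     "spec": {"enforcementAction": "dryrun",
              "match": {"kinds": [{"apiGroups": ["apps"], "kinds": ["Deployment"]}]},
              "parameters": {"labels": ["owner"]}},
     "status": {
       "totalViolations": 3,
       "violations": [
         {"enforcementAction": "dryrun", "kind": "Deployment", "name": "legacy-api",
          "namespace": "payments", "message": "you must provide labels: owner"},
         {"enforcementAction": "dryrun", "kind": "Deployment", "name": "batch-worker",
          "namespace": "reports", "message": "you must provide labels: owner"}]}},
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sRequiredLabels",
     "metadata": {"name": "namespaces-must-have-team"},
     "spec": {"enforcementAction": "dryrun",
              "match": {"kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}]},
              "parameters": {"labels": ["team"]}},
     "status": {"totalViolations": 0, "violations": []}},
    {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sPSPPrivilegedContainer",
     "metadata": {"name": "no-privileged-containers"},
     "spec": {"match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]}},
     "status": {"totalViolations": 0, "violations": []}}
  ]
}
""")


def summarize(constraint_list):
    """One row per constraint: mode, violation count and the offending objects.

    Gatekeeper caps the violations it lists on the object (default 20), so
    status.totalViolations is the authoritative count; `truncated` flags the gap.
    """
    rows = []
    for c in constraint_list.get("items", []):
        spec = c.get("spec") or {}
        status = c.get("status") or {}
        listed = status.get("violations") or []
        total = status.get("totalViolations", len(listed))
        rows.append({
            "constraint": f"{c['kind']}/{c['metadata']['name']}",
            "mode": spec.get("enforcementAction", "deny"),  # deny is Gatekeeper's default
            "total_violations": total,
            "truncated": total > len(listed),
            "offenders": sorted(
                f"{v.get('namespace') or '(cluster)'}/{v['kind']}/{v['name']}" for v in listed),
        })
    return rows


def ready_to_enforce(rows):
    """Dryrun constraints with no audit violations: safe to switch to deny."""
    return [r["constraint"] for r in rows if r["mode"] == "dryrun" and r["total_violations"] == 0]


def still_blocked(rows):
    """Dryrun constraints that would reject existing objects if enforced now."""
    return [r["constraint"] for r in rows if r["mode"] == "dryrun" and r["total_violations"] > 0]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_CONSTRAINTS
    rows = summarize(data)
    for r in rows:
        more = " (list truncated)" if r["truncated"] else ""
        print(f"{r['constraint']:<48} {r['mode']:<7} violations={r['total_violations']}{more}")
        for o in r["offenders"]:
            print(f"    {o}")
    print("ready to enforce:", ready_to_enforce(rows))
    print("still blocked:   ", still_blocked(rows))
```

Once a constraint shows up under "ready to enforce", promote it with a merge patch such as `kubectl patch k8srequiredlabels namespaces-must-have-team --type merge -p '{"spec":{"enforcementAction":"deny"}}'`, then re-run the audit to confirm the count stays at zero.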
3 Tools in 3 minutes! Look out for our next article, where we will take a deep dive into using Trivy and patching the vulnerabilities it finds!