kubearmor / k8tls Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update actions/checkout action to v4
• chore(deps): update docker/build-push-action action to v6
• chore(deps): update docker/login-action action to v3
• chore(deps): update docker/setup-buildx-action action to v3
• chore(deps): update docker/setup-qemu-action action to v3
• chore(deps): update ubuntu docker tag to v24
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

With KubeTLS it should be possible to enlist all the container ports on the current system and check the TLS posture.

Changes to generate JSON Report in single line so that Fluent-Bit can send this report to external entities in one go. Or we end up sending the data line by line.

• CI action to update the docker image
• Keep the docker image in the kubearmor docker hub repo.
• add basic system tests and automate it as part of CI
• ensure license header checks

It will be important to explain the differentiation.

• JA3 fingerprinting
• tls-scan
• Mitigating-Obsolete-TLS
• Gauntletwizard KubeTLS
• tls-inspector

TLDR; This project differentiates itself by automating k8s service port scanning for security settings, TLS config, and certificate config.

• ignore list
  • namespaces/service-name regex
  • specific addresses
• output file path (how to do this?)

• Insecure ports: recommend network policies that do not allow external connectivity
• Conn Failure: Provide patched service definition to remove corresponding port.

• The best way to keep the KubeTLS report is in a k8s CRD.
• The job itself should be converted to CronJob.
• The Resource should contain:
  • Report time
  • y
  • z

Tasks:

• Create k8s CRD
• convert current k8s Job to k8s CronJob
• [ ]

Currently k8tls can only scan/verify Kubernetes Service so extend it to support following:

• API Gateways
• Load Balancers
• Ingress & Virtual Service #25
• fips-140-3 compliance.

• Server Identity can be derived from the certificate's SAN ((Subject Alternative Name) or other parameters.

Currently k8tls reports mostly for east-west traffic based on k8s services.

However, the external traffic is delivered through virtualservices, gateways, and ingress controllers. It should be possible to scan these endpoints using k8tls and will be more valuable.

❯ k get virtualservices.networking.istio.io -A
NAMESPACE                NAME                               GATEWAYS                                 HOSTS                             AGE
accuknox-dev-divy        divy-virtual-service               ["istio-system/divy-gateway"]            ["cspm.dev.accuknox.com"]         132d
accuknox-dev-divy        divy-wildcard-virtual-service      ["istio-system/divy-wildcard-gateway"]   ["*.cspm.dev.accuknox.com"]       57d
accuknox-dev-saltstack   saltmaster-virtual-service         ["saltmaster-gateway"]                   ["*"]                             110d
accuknox-dev-soarcast    redis-virtual-service              ["redis-gateway"]                        ["redis.dev.accuknox.com"]        132d
istio-system             api-dev-accuknox-com-virtual-svc   ["dev-gateway"]                          ["cwpp.dev.accuknox.com"]         132d
wildcard-test            nginx-virtual-service              ["istio-system/nginx-gateway"]           ["test.wild-test.accuknox.com"]   63d

❯ k get gw -A
NAMESPACE                NAME                    AGE
accuknox-dev-saltstack   saltmaster-gateway      110d
accuknox-dev-soarcast    redis-gateway           132d
istio-system             dev-gateway             132d
istio-system             divy-gateway            62d
istio-system             divy-wildcard-gateway   57d
wildcard-test            nginx-gateway           63d


❯ k get gw -n istio-system             divy-wildcard-gateway -o yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1beta1","kind":"Gateway","metadata":{"annotations":{},"name":"divy-wildcard-gateway","namespace":"istio-system"},"spec":{"selector":{"app":"istio-ingressgateway"},"servers":[{"hosts":["*.cspm.dev.accuknox.com"],"port":{"name":"https","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"dev-cspm-wildcard","mode":"SIMPLE"}}]}}
  creationTimestamp: "2023-11-21T10:55:58Z"
  generation: 1
  name: divy-wildcard-gateway
  namespace: istio-system
  resourceVersion: "223430089"
  uid: 7ca6f02a-b95a-4822-91fa-adaa0beb1a06
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - '*.cspm.dev.accuknox.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: dev-cspm-wildcard
      mode: SIMPLE

• check how SSLLabs shows the grade and try to figure out the grade.
• show grade in the context of every k8s service
• Check how Mozilla Server Side TLS checks are handled

• show summary of the findings
  • Count of services using expired certificates
  • Count of services using insecure ports
  • Count of services using self-signed certificates
  • Count of services whose connections are failing

Sample Report

• add support for ECS
• ECS with both launch types {EC2, Fargate}