M8-Security Weaknesses in Kubernetes Manifests

Description

Use an existing tool to find security misconfigurations in Kubernetes configuration files.

Courses Where This Module Is Integrated

• Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)

Activities 

Pre-lab Content Dissemination

In our lecture, we learned that tools now exist to manage configurations automatically. One such tool is Kubernetes, https://kubernetes.io/. With Kubernetes, a lot of clusters can be managed automatically. Kubernetes uses configuration files called manifests that are executed using a tool called `kubectl`. These manifests are developed in a language called the "Yet Another Markup Language", i.e., YAML (https://yaml.org/). 

In this workshop, we will use a tool called SLI-KUBE (https://hub.docker.com/repository/docker/akondrahman/sli-kube) to find security misconfigurations. According to the U.S. National Institute of Standards and Technology, NIST (https://www.nist.gov/), a security misconfiguration is a setting within a computer program that violates a configuration policy or that permits unintended behavior that impacts the security posture of a system`. The goal of this workshop is to understand how we can use a tool to identify security misconfigurations in Kubernetes manifests. 

In-class Hands-on Experience

1. Install the docker on your computer. You can find the installation directions here.

2. Run the following instructions one at a time to run the tool: 

docker rm $(docker ps -a -f status=exited -f status=created -q)

The command docker rm $(docker ps -a -f status=exited -f status=created -q) is used to remove Docker containers that are in either an "exited" or "created" state. Here's a breakdown of the command:

• docker ps -a: This part of the command lists all Docker containers, including those not currently running (the -a flag).

• -f status=exited -f status=created: These are filters applied to the list of containers. They filter containers by their status. In this case, it selects containers that are in the "exited" state (containers that have stopped running) and the "created" state (containers that have been created but not started).

• -q: This flag specifies that we only want to display the numeric IDs of the selected containers rather than their full information.

• docker rm $(...): This part of the command uses command substitution ($(...)) to take the list of container IDs produced by the inner command and pass them as arguments to the docker rm command. The docker rm command is used to remove Docker containers.

      docker rmi -f $(docker images -a -q) 

The command docker rmi -f $(docker images -a -q) is used to forcefully remove (force-delete) all Docker images, both active and inactive, from your local Docker environment. Let's break down the command:

• docker rmi: This is the command to remove Docker images.

• -f: It's a flag that stands for "force," and it's used to forcefully remove images without confirmation. Be cautious when using the -f flag, as it can lead to the irreversible deletion of images.

The part in parentheses $(docker images -a -q) is a subcommand that does the following:

• docker images -a: Lists all Docker images, including intermediate images and dangling images (i.e., images with no associated containers).

• -q: This flag, when used with docker images, specifies that only the image IDs (hashes) should be displayed, rather than the full information.

So, when you put it all together, the command docker rmi -f $(docker images -a -q) forcefully removes all Docker images that are currently present on your local system, cleaning up your Docker image repository. This is useful for reclaiming disk space and ensuring that you're not carrying unnecessary or obsolete images. However, be very cautious when using the -f flag, as it doesn't provide any confirmation and can lead to the permanent removal of images.

         docker pull akondrahman/sli-kube 

The command docker pull akondrahman/sli-kube is used to download (pull) a Docker image from the Docker Hub or another container registry. Here's a breakdown of the command:

• docker pull: This is the command to pull Docker images.

• akondrahman/sli-kube: This is the name of the Docker image you want to download. Docker images are often named in the format repository/image-name, and in this case, you're pulling the sli-kube image from the Docker Hub repository owned by the user akondrahman.

        docker images -a

The command docker images -a is used to list all Docker images that are currently available on your local Docker environment, including both active and inactive images. Here's what this command means:

• docker images: This is the command to list Docker images.

• -a: It's a flag that stands for "all." When used with docker images, it specifies that you want to see all images, including intermediate images (layers) and dangling images (images with no associated containers).

        docker run --rm -it akondrahman/sli-kube bash 

The command docker run --rm -it akondrahman/sli-kube bash is used to run a Docker container interactively with a Bash shell as the entry point. Let's break down this command:

• docker run: This is the command to run a Docker container.

• --rm: It's a flag that stands for "remove." When used, it indicates that the container should be automatically removed (deleted) when it exits. This is useful for temporary or disposable containers.

• -it: These are two flags combined:

  • -i: It stands for "interactive." This flag allows you to interact with the container by providing an open standard input (stdin).

  • -t: It stands for "tty" or "terminal." This flag allocates a pseudo-TTY for the container, allowing you to see its output and send input as if you were using a terminal.

• akondrahman/sli-kube: This is the name of the Docker image you want to run as a container.

• bash: It's the command that you want to execute when the container starts. In this case, you're starting a Bash shell within the container.

       cd SLI-KUBE-WORK/KubeSec-master/

       python3 main.py` or `python main.py

Locate the output file generated by the tool. The output file is stored at `/SLI-KUBE-WORK/DEMO-OUTPUT.csv` 

The output file is a CSV file that has multiple columns. The first two columns correspond to the directory and the path of a Kubernetes configuration file. The rest corresponds to the count of instances for a specific category. We will use this count to determine the three most frequent ones. The `Total` column corresponds to the total instances of misconfigurations for a configuration file. 

A video recording of this hands-on experience is available here.

Post Lab Experience

1. Run the tool for all Kubernetes manifests zipped in `workshop3.zip` 

2. First, copy the zip file to the container with `docker cp` 

3. Second, extract the zip file with unzip (https://linuxize.com/post/how-to-unzip-files-in-linux/) 

4. Third, change `main.py` so that the extracted folder gets scanned with `SLI-KUBE`. 

5. Fourth, run `python3 main.py` or `python main.py`  

6. Fifth, cop the generated output file to your `own` computer/machine using `docker cp`  

7. Report the three most frequent security misconfigurations as determined by SLI-KUBE. Your report should include a 2 sentence description. Use `Section-2.3` from `workshop3-paper.pdf`. You can find the paper here: https://akondrahman.github.io/files/papers/tosem-k8s.pdf. 

8. If you get `NO_NETWORK_POLICY,` then you can use the following text: `The misconfiguration category that is related to not specifying network policies. Without specifying network policies, Kubernetes installations are susceptible to unauthorized accesses.`

9. If you get `NO_ROLLING_UPDATE,` then you can use the following text: `The misconfiguration category that is related with not explicitly specifying RollingUpdate in the configuration file. A lack of rolling updates makes a Kubernetes installation susceptible to supply chain-telated attacks.` 

10. Complete the survey (https://auburn.qualtrics.com/jfe/form/SV_ekBpwjd4TkT1tpc)