Validkube Enables Developers To Secure And Clean Kubernetes YAML Code

Kubernetes configuration files and object definitions are most commonly written as YAML files. Because these files define how workloads run on our clusters, improving the security of the YAML and of the workflow around it matters. Above all, our files need to be audited and validated before they are applied to a Kubernetes cluster. Misconfigurations such as escalated container privileges and missing keys have to be avoided at all costs, as they can give unauthorized users access.

Luckily, many Kubernetes security tools have been emerging, such as Kubescape and ValidKube. To take advantage of these tools, they should be built into your Kubernetes workflow, especially in the case of ValidKube, as described below.

In today's article, we focus on ValidKube and how to apply the tool.

ValidKube

ValidKube is a new open-source tool that combines several tools to make it easier to validate, clean, and secure Kubernetes YAML configuration files.

ValidKube, from Komodor, is a free tool used to validate and enforce Kubernetes best practices on your manifests and configuration files, folding in multiple open-source tools.

The ValidKube tool is used to:

  • Validate configuration files
  • Clean manifest files
  • Scan and secure your YAML files by enforcing best practices

You don't need special skills or memorized commands to use ValidKube, as it is an online web tool.

All you need to do is paste your YAML contents and choose if you want to clean, audit, secure, or validate the YAML contents.


In this tutorial, you will learn how to clean and secure your manifests using ValidKube and Kubescape.

This tutorial will cover the following points:

  • Scanning and securing your manifests using ValidKube
  • How to audit and validate your YAML files using Kubescape, and scanning clusters against security frameworks
  • Conclusion

Prerequisites

You need a running Kubernetes cluster, as well as the KUBECONFIG for it.

Scanning and securing your manifests using Validkube

ValidKube is great at catching common Kubernetes manifest misconfigurations, such as missing keys and null values. You can validate any type of Kubernetes resource or object. In this tutorial, I will show you how to validate and secure a deployment object. Here are the contents of a sample deployment:


Copy the above YAML, paste it into ValidKube, and click the Validate button to validate the YAML file:


When you click the Validate button, ValidKube immediately outputs the results, which appear on the right-hand side and show the following:


But if I enter an invalid value in the replicas field, changing it from 1 to a string, ValidKube reports the expected value type, which is integer:


ValidKube uses Kubeval to validate the Deployment object. Kubeval is a command-line tool that validates YAML files by checking them against schemas generated from the Kubernetes API.

Cleaning a YAML file using ValidKube

Next, click the Clean button on ValidKube to clean up the YAML file. Under the hood, ValidKube uses kube-neat to format, reorganize, and remove clutter from the provided YAML file. Here are the results of the cleaning procedure using kube-neat:


ValidKube has cleaned the Deployment YAML file by formatting the contents and adding the volumeMount that was missing. This process of linting, that is, removing clutter and formatting files the right way, makes life easier for code reviewers because they won't be reviewing unnecessary lines.

Carrying out security analysis using ValidKube

ValidKube uses Trivy from Aqua Security to check for security vulnerabilities. Trivy is a scanner that inspects images and clusters for security vulnerabilities and misconfigurations. Here are the security scan results after clicking the Secure button on our sample Deployment file from earlier:


The results start by summarizing the failures and then list each detected misconfiguration together with its description:


Next, you get a suggested resolution for each detected misconfiguration:

Resolution: Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'. Severity: MEDIUM. Status: FAIL. Title: Process can elevate its own privileges. Type: Kubernetes Security Check.

  • ID: KSV003. Description: The container should drop all default capabilities and add only those that are needed for its execution. Message: Container 'server' of Deployment 'boemo-app' should add 'ALL' to 'securityContext.capabilities.drop'. Namespace: appshield.kubernetes.KSV003. PrimaryURL: avd.aquasec.com/appshield/ksv003. Query: data.appshield.kubernetes.KSV003.deny
  • ID: KSV012. Description: 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges. Message: Container 'server' of Deployment 'boemo-app' should set 'securityContext.runAsNonRoot' to true. Namespace: appshield.kubernetes.KSV012. PrimaryURL: avd.aquasec.com/appshield/ksv012. Query: data.appshield.kubernetes.KSV012.deny
  • ID: KSV014. Description: An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. Message: Container 'server' of Deployment 'boemo-app' should set 'securityContext.readOnlyRootFilesystem' to true. Namespace: appshield.kubernetes.KSV014. PrimaryURL: avd.aquasec.com/appshield/ksv014. Query: data.appshield.kubernetes.KSV014.deny
  • ID: KSV020. Description: Force the container to run with user ID > 10000 to avoid conflicts with the host's user table. Message: Container 'server' of Deployment 'boemo-app' should set 'securityContext.runAsUser' > 10000. Namespace: appshield.kubernetes.KSV020. PrimaryURL: avd.aquasec.com/appshield/ksv020. Query: data.appshield.kubernetes.KSV020.deny
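To make the resolutions above concrete, here is an added example (not ValidKube's or Trivy's own code) that checks a Deployment for the same five findings and shows the weak manifest next to a hardened one. It assumes the manifests are already loaded into Python dicts, which is what yaml.safe_load returns for the YAML, so it runs without PyYAML; the sample Deployment and image name are constructed.

```python
# Added example, not ValidKube's or Trivy's code: a minimal checker for the
# securityContext findings reported above. Manifests are dicts as yaml.safe_load
# would return them; the sample Deployment below is constructed for this example.

def find_container_issues(pod_spec, container):
    """Return the IDs of the checks a container fails, per the resolutions above."""
    sc = dict(pod_spec.get("securityContext") or {})    # pod-level defaults
    sc.update(container.get("securityContext") or {})   # container-level overrides win
    dropped = [str(c).lower() for c in (sc.get("capabilities") or {}).get("drop") or []]
    issues = []
    if sc.get("allowPrivilegeEscalation") is not False:
        issues.append("allowPrivilegeEscalation")  # process can elevate its own privileges
    if "all" not in dropped:
        issues.append("KSV003")  # should add 'ALL' to securityContext.capabilities.drop
    if sc.get("runAsNonRoot") is not True:
        issues.append("KSV012")  # should set securityContext.runAsNonRoot to true
    if sc.get("readOnlyRootFilesystem") is not True:
        issues.append("KSV014")  # should set securityContext.readOnlyRootFilesystem to true
    if not isinstance(sc.get("runAsUser"), int) or sc["runAsUser"] <= 10000:
        issues.append("KSV020")  # should set securityContext.runAsUser > 10000
    return issues

def scan_deployment(deployment):
    """Map each container name in a Deployment to the list of checks it fails."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return {c["name"]: find_container_issues(pod_spec, c)
            for c in pod_spec.get("containers", [])}

# Constructed sample Deployment, before and after applying the suggested resolutions.
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "boemo-app"},
        "spec": {"replicas": 1, "template": {"spec": {"containers": [
            {"name": "server", "image": "example/server:1.0"}]}}}}

HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "boemo-app"},
            "spec": {"replicas": 1, "template": {"spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [{"name": "server", "image": "example/server:1.0",
                                "securityContext": {
                                    "allowPrivilegeEscalation": False,
                                    "readOnlyRootFilesystem": True,
                                    "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    print(scan_deployment(WEAK))      # every check fails for container 'server'
    print(scan_deployment(HARDENED))  # {'server': []}
```

Because container-level settings override pod-level ones, a container that sets runAsUser: 0 still fails KSV020 even when the pod spec sets a high UID.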

ValidKube categorizes each finding by the impact it could have if exploited. The severity levels are Low, Medium, and High. Findings classified as High should be fixed immediately, but don't neglect the lower-severity issues either. They are marked as failures alongside your other results:


Auditing YAML files with ValidKube

For the auditing procedure, ValidKube uses the Fairwinds Polaris tool which scans clusters looking for misconfigurations. Here are the results of the audit scan after clicking on the audit button:


ValidKube groups the issues found in the audit into efficiency and security categories. An issue in the efficiency category is one that affects the cluster's performance. For example, the following report notes efficiency issues around CPU limits and requests not being configured:


Alongside the efficiency issues, you will get notified if your container has dangerous capabilities:


All fields that do not have values will be detected and displayed:


Conclusion

ValidKube is a tool you should use to combat security vulnerabilities on a daily basis. Prevention is better than cure.

ValidKube will surely improve your productivity and workflow, as it audits, secures, and validates the files you pass to it and bundles multiple useful scans in one place.