33+ Kubernetes security tools

Translator's note: if you are wondering about security issues in a Kubernetes-based infrastructure, this excellent overview from Sysdig is a good starting point for a quick introduction to today's solutions. It covers both complex systems from well-known market players and far more modest utilities that address one particular problem. As always, we will be glad to hear in the comments about your experience with these tools and to see links to other projects.

Kubernetes security software products… there are so many, and each has its own purpose, scope, and licenses.

That is why we decided to create this list and included both open source projects and commercial platforms from various vendors. We hope it helps you choose the ones that are of most interest and point you in the right direction based on your specific Kubernetes security needs.

Categories

To make it easier to navigate through the list, the tools are categorized by main function and application. The resulting sections are:

  • Kubernetes image scanning and static analysis;
  • runtime security;
  • Kubernetes network security;
  • image distribution and secret management;
  • Kubernetes security audit;
  • comprehensive commercial products.

Let's get down to business:

Scanning Kubernetes images

Anchore

  • Website: anchore.com
  • License: free (Apache) and commercial offer


The Anchore package parses container images and allows security checks based on user-defined policies.

In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: it inspects the Dockerfile, looks for leaked credentials, checks the language-specific packages in use (npm, Maven, etc.), software licenses, and much more.

Clair

  • Website: coreos.com/clair (now maintained by Red Hat)
  • License: Free (Apache)


Clair was one of the first open source projects for image scanning. It is widely known as the security scanner behind the Quay image registry (also from CoreOS; translator's note). Clair is able to gather CVE information from a wide variety of sources, including the distribution-specific vulnerability lists maintained by the Debian, Red Hat, and Ubuntu security teams.

Unlike Anchore, Clair is mainly focused on finding vulnerabilities and matching data with CVE. However, the product does offer users some options for extending functionality through plug-in drivers.

Dagda


Dagda statically analyzes container images for known vulnerabilities, Trojans, viruses, malware, and other threats.

The Dagda package differs from other similar tools in two notable ways:

  • It integrates well with ClamAV, acting not only as a tool for scanning container images, but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while the container is running.

KubeXray


KubeXray listens for events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods that match the current policy start.

KubeXray not only audits new or updated containers in deployments (similar to the admission controller in Kubernetes), but also dynamically checks running containers for compliance with new security policies, removing resources that refer to vulnerable images.

Snyk

  • Website: snyk.io
  • License: free (Apache) and commercial versions


Snyk is an unusual vulnerability scanner in the sense that it specifically targets the development process and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest, and analyzes the imported code along with its direct and indirect dependencies. Snyk supports many popular programming languages and can also detect hidden license risks.

Trivy


Trivy is a simple yet powerful container vulnerability scanner that integrates easily into a CI/CD pipeline. Its remarkable feature is the ease of installation and operation: the application consists of a single binary and does not require the installation of a database or additional libraries.

The downside of Trivy's simplicity is that you have to figure out how to parse and send JSON results so that other Kubernetes security tools can use them.
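The parsing step the paragraph above leaves to the reader, as an added example that is not code from the article or from the Trivy project: it loads a Trivy-style JSON report, flattens the findings, counts them by severity and turns them into a CI pass/fail decision. The report embedded below is constructed by hand; it mirrors the key names of Trivy's JSON output as the author of this example knows them ("Results" → "Vulnerabilities" → "VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion", "Severity"), and the CVE identifiers, package names and versions in it are placeholders, not real findings.

```python
"""Turn a Trivy JSON report into a CI gate decision (added example)."""
import json
from collections import Counter

# Trivy's severity labels, lowest to highest; anything unexpected ranks lowest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report: placeholder ids/packages, Trivy-style key names.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.x)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        },
        # A clean target carries no "Vulnerabilities" key at all.
        {"Target": "app/package-lock.json"},
    ],
})


def rank(severity):
    """Numeric rank of a severity label; unknown labels rank as UNKNOWN."""
    severity = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_findings(report_text):
    """Flatten every result into one list of dicts; missing keys are tolerated."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or None,   # "" means no fix yet
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "target": result.get("Target", "?"),
            })
    return findings


def severity_counts(findings):
    """Histogram of findings by severity label."""
    return dict(Counter(f["severity"] for f in findings))


def gate(findings, fail_on="HIGH", ignore_unfixed=False):
    """Return (passed, blocking): blocking lists findings at or above fail_on.
    ignore_unfixed skips findings with no fixed version, a common CI policy
    so that builds are not blocked by issues nobody can act on yet."""
    threshold = rank(fail_on)
    blocking = [
        f for f in findings
        if rank(f["severity"]) >= threshold
        and not (ignore_unfixed and f["fixed"] is None)
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(severity_counts(found))
    passed, blockers = gate(found, fail_on="HIGH")
    for f in blockers:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} {f['installed']} "
              f"-> {f['fixed'] or 'no fix available'}  [{f['target']}]")
    raise SystemExit(0 if passed else 1)
```

In a pipeline the script would read the file written by `trivy image --format json --output report.json <image>` instead of the embedded sample; the exit code is what a CI stage keys on.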

Runtime security in Kubernetes

Falco


Falco is a suite of tools for securing cloud-native runtimes and is part of the CNCF project family.

Using the Sysdig toolkit for working at the Linux kernel level and profiling system calls, Falco allows you to dive deep into the behavior of the system. Its runtime rules engine is capable of detecting suspicious activity in applications, containers, the underlying host, and the Kubernetes orchestrator.

Falco provides complete transparency in runtime operation and threat detection by setting special agents on Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or hanging sidecar containers.

Linux security frameworks for runtime


These frameworks, native to the Linux kernel, are not "Kubernetes security tools" in the usual sense, but deserve a mention because they are an important element in the context of runtime security, which is included in the Kubernetes Pod Security Policy (PSP).

AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking, and so on. It is a Mandatory Access Control (MAC) system: in other words, it prevents prohibited actions from being executed.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility, and granularity; its drawbacks are a long learning curve and greater complexity.

Seccomp and seccomp-bpf allow you to filter system calls, block the execution of those that are potentially dangerous for the underlying OS and are not needed for the normal operation of user applications. Seccomp is similar to Falco in some ways, although it does not know the specifics of containers.

Sysdig open source


Sysdig is a complete tool for analyzing, diagnosing, and debugging Linux systems (it also works on Windows and macOS, but with limited features). It can be used for detailed information gathering, verification, and forensics on the base system and on any containers running on it.

Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all of the collected system behavior information. There are several ways to analyze a Kubernetes cluster with Sysdig: you can capture a point in time with the kubectl capture plugin, or run an interactive ncurses-based interface with the kubectl dig plugin.

Kubernetes network security

Aporeto


Aporeto offers "security decoupled from the network and infrastructure". This means that Kubernetes services not only get a local identity (i.e. a Kubernetes ServiceAccount) but also a universal identity/fingerprint that can be used to communicate securely, with mutual verification, with any other service, for example one in an OpenShift cluster.

Aporeto is able to generate a unique ID not only for Kubernetes/containers but also for hosts, cloud functions and users. Depending on these identifiers and the set of network security rules set by the administrator, communications will be allowed or blocked.

Calico


Calico is usually deployed during the installation of the container orchestrator, which allows you to create a virtual network that links containers. In addition to this basic networking functionality, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, supports endpoint ACLs (Access Control Lists) and annotation-based network security rules for Ingress and Egress traffic.

Cilium


Cilium acts as a container firewall and provides network security features natively adapted to Kubernetes and microservices workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect and correct data.

Cilium is able to deploy network access policies based on container IDs using Docker or Kubernetes labels and metadata. Cilium also understands and filters various layer 7 protocols such as HTTP or gRPC, allowing you to define the set of REST calls that will be allowed between two Kubernetes deployments, for example.

Istio

  • Website: istio.io
  • License: Free (Apache)


Istio is widely known for implementing the service mesh paradigm by deploying a platform-independent control plane and redirecting all managed service traffic through dynamically configurable Envoy proxies. Istio takes advantage of this advanced view of all microservices and containers to implement various network security strategies.

Istio's network security capabilities include transparent TLS encryption to automatically upgrade the communication protocol between microservices to HTTPS, and a native RBAC authentication and authorization system to allow/deny communication between different workloads in a cluster.

Translator's note: for more information about Istio's security-focused capabilities, see this article.

Tigera


Called the "Kubernetes firewall", this solution emphasizes a zero-trust approach to network security.

Like other Kubernetes-native networking solutions, Tigera relies on metadata to identify various services and objects in a cluster and provides runtime problem detection, continuous compliance, and network visibility for multi-cloud or hybrid monolithic-containerized infrastructures.

Trireme


Trireme-Kubernetes is a simple and clean implementation of the Kubernetes Network Policies specification. Its most notable feature is that, unlike similar Kubernetes network security products, it does not require a central control plane to coordinate the mesh, which makes the solution trivially scalable. Trireme achieves this by installing an agent on each node that connects directly to the host's TCP/IP stack.

Image distribution and secret management

Grafeas


Grafeas is an open source API for auditing and managing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit results. It can be used to track compliance with security best practices in an organization.

This centralized source of truth helps answer questions like:

  • Who assembled and signed a particular container?
  • Has it passed all security scanners and security policy checks? When? What were the results?
  • Who deployed it to production? What parameters were used during deployment?

In-toto


In-toto is a framework designed to provide integrity, authentication, and auditing for the entire software supply chain. When deploying In-toto to the infrastructure, a plan is first defined that describes the various steps in the pipeline (repository, CI/CD tools, QA tools, artifact builders, etc.) and the users (responsible persons) who are allowed to initiate them.

In-toto controls the execution of the plan by verifying that each task in the chain is performed properly only by authorized personnel and that no unauthorized manipulations were performed with the product during the movement.

Portieris


Portieris is an admission controller for Kubernetes used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article; translator's note) as the source of truth for validating trusted and signed artifacts (that is, approved container images).

When you create or modify a workload in Kubernetes, Portieris loads the signature information and content trust policy for the requested container images and, if necessary, makes changes to the API JSON object on the fly to run the signed versions of those images.

Vault


Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, access credentials, Kubernetes secrets, and more. Vault supports many advanced features, such as leasing ephemeral security tokens or organizing key rotation.

Using the Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as backend storage. It supports native Kubernetes resources like ServiceAccount tokens and can even act as the default Kubernetes secret store.

Translator's note: by the way, just yesterday HashiCorp, which develops Vault, announced several improvements for using Vault in Kubernetes, in particular relating to the Helm chart. Read the details on the developers' blog.

Kubernetes security audit

Kube-bench


Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks listed in the CIS Kubernetes Benchmark.

Kube-bench looks for insecure configuration settings among cluster components (etcd, API, controller manager, etc.), questionable file permissions, insecure accounts or open ports, resource quotas, API call limit settings to protect against DoS attacks, etc.

Kube-hunter


Kube-hunter "hunts" for potential vulnerabilities (like remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner - in which case it will evaluate the cluster from the point of view of a third-party attacker - or as a pod within the cluster.

A distinctive feature of Kube-hunter is the “active hunt” mode, during which it not only reports problems, but also tries to exploit vulnerabilities found in the target cluster that could potentially harm its operation. So use with caution!

Kubeaudit


Kubeaudit is a command-line tool originally developed by Shopify to audit your Kubernetes configuration for various security issues. For example, it helps identify containers that run without restrictions, run as root, abuse privileges, or use the default ServiceAccount.

Kubeaudit has other interesting features as well. For example, it can parse local YAML files, identify configuration flaws that could lead to security issues, and automatically fix them.

Kubesec


Kubesec is special in that it directly scans Kubernetes resource YAML files for weak settings that could affect security.

For example, it can detect excessive privileges and permissions granted to a pod, a container running as root by default, a pod attached to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is an online demo service where you can upload a YAML file and have it analyzed immediately.

Open Policy Agent


The concept of OPA (Open Policy Agent) is to separate security policies and security best practices from a specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift, or any combination of them.

For example, you can deploy OPA as a backend for a Kubernetes admission controller, delegating security decisions to it. In this way, the OPA agent will be able to check, deny, and even modify requests on the fly, ensuring that the specified security parameters are respected. The security policies in OPA are written in its own DSL, Rego.
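The two ideas above, the static checks on a Pod manifest that Kubesec and kubeaudit report (privileged containers, root users, host network namespace, hostPath mounts of /proc or the Docker socket, the default ServiceAccount) and the admission-controller role in which OPA checks, denies, or modifies requests on the fly, combined into one worked example. This is added code, not from the article, Kubesec, kubeaudit or OPA, and it uses plain Python where OPA would use Rego. Both Pods below are constructed. The AdmissionReview request/response fields used (`request.uid`, `request.object`, `response.allowed`, `response.status`, `response.patchType`, `response.patch`) follow the Kubernetes admission.k8s.io/v1 API, and the patch is a base64-encoded JSON Patch as that API expects.

```python
"""Pod-spec audit reused as admission-webhook decision logic (added example)."""
import base64
import json

SEVERITY = ["low", "medium", "high", "critical"]
# Host paths whose mount hands the container control of the node.
RISKY_HOST_PATHS = ("/", "/etc", "/proc", "/var/run/docker.sock", "/run/docker.sock")

# Constructed Pod showing the weaknesses the article lists.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

# Constructed Pod that passes the hard checks but leaves one setting unset.
OK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "serviceAccountName": "app-sa",
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def audit_pod(pod):
    """Return (severity, message) findings for one Pod manifest."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("high", "pod shares the host network namespace"))
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(("high", "pod shares the host PID/IPC namespace"))
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append(("medium", "pod uses the default ServiceAccount with its token mounted"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path and ((path.rstrip("/") or "/") in RISKY_HOST_PATHS or path.startswith("/proc")):
            findings.append(("high", f"hostPath mount of {path}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            findings.append(("critical", f"container {name} runs privileged"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("medium", f"container {name} is not forced to run as non-root"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(("low", f"container {name} leaves allowPrivilegeEscalation enabled"))
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            findings.append(("high", f"container {name} adds CAP_SYS_ADMIN"))
    return findings


def admission_response(review, deny_at="high"):
    """Deny when any finding is at or above deny_at; otherwise allow and attach a
    JSON Patch that turns off allowPrivilegeEscalation where it was left unset."""
    req = review["request"]
    pod = req["object"]
    blocking = [f for f in audit_pod(pod) if SEVERITY.index(f[0]) >= SEVERITY.index(deny_at)]
    response = {"uid": req["uid"], "allowed": not blocking}
    if blocking:
        response["status"] = {"code": 403, "message": "; ".join(m for _, m in blocking)}
    else:
        patch = []
        for i, c in enumerate(pod["spec"].get("containers", [])):
            sc = c.get("securityContext")
            if sc is None:
                patch.append({"op": "add", "path": f"/spec/containers/{i}/securityContext",
                              "value": {"allowPrivilegeEscalation": False}})
            elif "allowPrivilegeEscalation" not in sc:
                patch.append({"op": "add", "value": False,
                              "path": f"/spec/containers/{i}/securityContext/allowPrivilegeEscalation"})
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def review_for(pod, uid="00000000-0000-0000-0000-000000000001"):
    """Wrap a Pod in the shape of an AdmissionReview request (constructed uid)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": pod}}


def decode_patch(review_response):
    """Return the JSON Patch list carried by an admission response, or []."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


if __name__ == "__main__":
    for pod in (WEAK_POD, OK_POD):
        print(pod["metadata"]["name"], json.dumps(admission_response(review_for(pod))["response"], indent=2))
```

The same `audit_pod` function serves both uses: run over files it is a Kubesec-style static linter, and behind a webhook it is the policy an admission controller enforces. The `deny_at` threshold is the knob that separates "report only" from "block the deployment", which is the difference between an audit tool and an enforcing admission controller.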

Translator's note: we wrote more about OPA (and SPIFFE) in this article.

Comprehensive Commercial Kubernetes Security Analysis Tools

We decided to create a separate category for commercial platforms, as they tend to cover several areas of security at once. A general idea of their capabilities can be obtained from the table:

(Comparison table of the commercial platforms; image not reproduced here.)
* Advanced forensics and post-mortem analysis with complete system call capture.

AquaSecurity


This commercial tool is designed for containers and cloud workloads. It provides:

  • Image scanning integrated with container registry or CI/CD pipeline;
  • Runtime protection with the search for changes in containers and other suspicious activity;
  • Native container firewall;
  • Security for serverless in cloud services;
  • Compliance and audit combined with event logging.

Translator's note: it is also worth noting that there is a free component of the product called microscanner, which lets you scan container images for vulnerabilities. A comparison of its features with the paid versions is presented in this table.

Capsule8


Capsule8 integrates into the infrastructure by installing a detector in a local or cloud Kubernetes cluster. This detector collects host and network telemetry and correlates it with various types of attacks.

The Capsule8 team is committed to early detection and prevention of attacks using fresh (0-day) vulnerabilities. Capsule8 can upload updated security rules directly to detectors in response to newly discovered threats and software vulnerabilities.

Cavirin


Cavirin acts as an enterprise-side counterpart to the various security standards bodies. Not only can it scan images, but it can also integrate into the CI/CD pipeline, blocking non-compliant images before they enter private repositories.

The Cavirin Security Suite uses machine learning to assess the state of cybersecurity, offers advice on how to increase security and improve security compliance.

Google Cloud Security Command Center


Cloud Security Command Center helps security teams collect data, identify threats, and remediate them before they harm the company.

As the name implies, Google Cloud SCC is a unified control panel that can integrate and manage various security reports, asset tracking engines, and third-party security systems from a single, centralized source.

The interoperable API offered by Google Cloud SCC facilitates the integration of security events coming from various sources such as Sysdig Secure (container security for cloud-native applications) or Falco (Open Source runtime security).

Layered Insight (Qualys)


Layered Insight (now part of Qualys Inc.) is built on the concept of "embedded security". After scanning the original image for vulnerabilities using static analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes an agent in the form of a binary.

This agent contains runtime security tests to analyze container network traffic, I/O flows, and application activity. In addition, it can perform additional security checks specified by the infrastructure administrator or DevOps teams.

NeuVector


NeuVector performs container security checks and runtime protection by analyzing network activity and application behavior, creating an individual security profile for each container. It can also block threats on its own by isolating suspicious activity by modifying local firewall rules.

NeuVector's network integration, known as Security Mesh, is capable of deep packet inspection and layer 7 filtering for all network connections in a service mesh.

StackRox


The StackRox container security platform aims to cover the entire life cycle of Kubernetes applications in a cluster. Like other commercial platforms on this list, StackRox generates a runtime profile based on observed container behavior and automatically raises an alarm on any deviations.

In addition, StackRox analyzes Kubernetes configurations using CIS Kubernetes and other rulebooks to evaluate container compliance.

Sysdig Secure


Sysdig Secure protects applications throughout the container and Kubernetes lifecycle. It scans container images, provides machine-learning-based runtime protection, performs forensics to identify vulnerabilities, blocks threats, monitors compliance with established standards, and audits activity in microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls images loaded from Docker registries, preventing dangerous images from appearing in production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • runtime policies based on system events, the Kubernetes audit API, community projects (FIM, i.e. file integrity monitoring; cryptojacking detection) and the MITRE ATT&CK framework;
  • response and elimination of incidents.

Tenable Container Security


Before the advent of containers, Tenable was widely known in the industry as the company that developed Nessus, a popular vulnerability finding and security auditing tool.

Tenable Container Security leverages the company's expertise in computer security to integrate a CI/CD pipeline with vulnerability databases, specialized malware detection packages, and security advisories.

Twistlock (Palo Alto Networks)


Twistlock promotes itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks, and CI/CD tools.

In addition to the usual enterprise-level security methods such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.

Some time ago, Twistlock was acquired by Palo Alto Networks, which also owns the Evident.io and RedLock projects. It is not yet known exactly how these three platforms will be integrated into Palo Alto's Prisma.

Help build the best Kubernetes security tool catalog!

We strive to make this catalog as complete as possible, and for this we need your help! Contact us (@sysdig) if you have a cool tool in mind that deserves to be included in this list, or you find a bug/outdated information.

You can also subscribe to our monthly newsletter with news of the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.


Source: habr.com
