Security Audit in Kubernetes

Table of Contents


  • A kubernetes cluster: minikube, kind, or any kubernetes flavor.
  • Starboard CLI or starboard operator

Create a cluster kubernetes using Kind

See the kind.yaml

kind create cluster --name k8s-local --config kind.yaml --image kindest/node:v1.20.7
 kind create cluster --name k8s-local --config kind.yaml --image kindest/node:v1.20.7
Creating cluster "k8s-local" ...
 ✓ Ensuring node image (kindest/node:v1.20.7) 🖼
 ✓ Preparing nodes 📦 📦 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
 ✓ Joining worker nodes 🚜
Set kubectl context to "kind-k8s-local"
You can now use your cluster with:

kubectl cluster-info --context kind-k8s-local

Not sure what to do next? 😅  Check out

Validate the pods kubectl get pods -A

k get pods -A
NAMESPACE            NAME                                              READY   STATUS    RESTARTS   AGE
kube-system          coredns-74ff55c5b-gtrql                           1/1     Running   0          5m22s
kube-system          coredns-74ff55c5b-jpt4c                           1/1     Running   0          5m22s
kube-system          etcd-k8s-local-control-plane                      1/1     Running   0          5m23s
kube-system          kindnet-6ns7f                                     1/1     Running   0          5m11s
kube-system          kindnet-98fx6                                     1/1     Running   0          5m11s
kube-system          kindnet-lx47p                                     1/1     Running   0          5m22s
kube-system          kube-apiserver-k8s-local-control-plane            1/1     Running   0          5m23s
kube-system          kube-controller-manager-k8s-local-control-plane   1/1     Running   0          5m23s
kube-system          kube-proxy-5xjkb                                  1/1     Running   0          5m11s
kube-system          kube-proxy-ptfm5                                  1/1     Running   0          5m11s
kube-system          kube-proxy-tzz5m                                  1/1     Running   0          5m22s
kube-system          kube-scheduler-k8s-local-control-plane            1/1     Running   0          5m23s
local-path-storage   local-path-provisioner-547f784dff-vc47c           1/1     Running   0          5m22s

Checking the nodes kubectl get nodes -o wide

 k get nodes -o wide
k8s-local-control-plane   Ready    control-plane,master   6m34s   v1.20.7    <none>        Ubuntu 21.04   5.10.25-linuxkit   containerd://1.5.2
k8s-local-worker          Ready    <none>                 6m6s    v1.20.7    <none>        Ubuntu 21.04   5.10.25-linuxkit   containerd://1.5.2
k8s-local-worker2         Ready    <none>                 6m6s    v1.20.7    <none>        Ubuntu 21.04   5.10.25-linuxkit   containerd://1.5.2

Starboard Installation

kubectl krew install starboard
kubectl krew install starboard

Updated the local copy of plugin index.
Installing plugin: starboard
Installed plugin: starboard
 | Use this plugin:
 | 	kubectl starboard
 | Documentation:
 | Caveats:
 | \
 |  | The plugin requires access to create Jobs and CustomResources.
 | /
WARNING: You installed plugin "starboard" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

Checking the starboard version

kubectl starboard version
Starboard Version: {Version:0.12.0 Commit:7b7db3acb673a7aaed50839aed168cba8163230a Date:2021-09-15T17:30:09Z}

Send custom resource definitions to the Kubernetes API:

kubectl apply -f \
  -f \
  -f \
kubectl apply -f \
  -f \
  -f \
  -f created created created created

Send the following Kubernetes objects definitions to the Kubernetes API:

kubectl apply -f \
  -f \
  -f \
kubectl apply -f \
  -f \
  -f \

namespace/starboard-operator created
serviceaccount/starboard-operator created created created

Validate the resources

kubectl get crd
k get crd
NAME                                               CREATED AT         2021-11-01T18:11:39Z   2021-11-01T18:11:39Z          2021-11-01T18:11:39Z        2021-11-01T18:11:39Z

create the starboard-operator Deployment in the starboard-operator

kubectl apply -f
 kubectl apply -f

deployment.apps/starboard-operator created

kubectl get all -n starboard-operator
kubectl get all -n starboard-operator
NAME                                      READY   STATUS    RESTARTS   AGE
pod/starboard-operator-665549dfdf-xpkj4   1/1     Running   0          22m

NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/starboard-operator   1/1     1            1           22m

NAME                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/starboard-operator-665549dfdf   1         1         1       22m

Initialize Starboard

kubectl starboard init -v 3
kubectl starboard init -v 3
I1101 15:44:32.535644   60027 installer.go:371] Updating CRD ""
I1101 15:44:32.553407   60027 installer.go:371] Updating CRD ""
I1101 15:44:32.565327   60027 installer.go:377] Creating CRD ""
I1101 15:44:32.581302   60027 installer.go:371] Updating CRD ""
I1101 15:44:32.596900   60027 installer.go:371] Updating CRD ""
I1101 15:44:32.608481   60027 installer.go:309] Creating Namespace "starboard"
I1101 15:44:32.680899   60027 installer.go:324] Creating ServiceAccount "starboard/starboard"
I1101 15:44:32.694457   60027 installer.go:341] Creating ClusterRole "starboard"
I1101 15:44:32.708129   60027 installer.go:359] Creating ClusterRoleBinding "starboard"

Workloads scanning

Using Starboard Operator, after create a deployment, you will get the audit reports about this.

kubectl create deployment nginx --image nginx:1.16
kubectl create deployment nginx --image nginx:1.16
deployment.apps/nginx created

kubectl get job -n starboard-operator
 kubectl get job -n starboard-operator
NAME                                  COMPLETIONS   DURATION   AGE
scan-configauditreport-866469b84d     0/1           18s        18s
scan-vulnerabilityreport-866469b84d   0/1           18s        18s

kubectl get vulnerabilityreports -o wide
kubectl get vulnerabilityreports -o wide
NAME                                REPOSITORY      TAG    SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
replicaset-nginx-6d4cf56db6-nginx   library/nginx   1.16   Trivy     12m   25         85     84       15    0

kubectl get configauditreports -o wide
kubectl get configauditreports -o wide
NAME                          SCANNER   AGE   DANGER   WARNING   PASS
replicaset-nginx-6d4cf56db6   Polaris   13m   1        9         7

kubectl tree deploy nginx
 kubectl tree deploy nginx
NAMESPACE  NAME                                                       READY  REASON  AGE
default    Deployment/nginx                                           -              14m
default    └─ReplicaSet/nginx-6d4cf56db6                              -              14m
default      ├─ConfigAuditReport/replicaset-nginx-6d4cf56db6          -              13m
default      ├─Pod/nginx-6d4cf56db6-hvvz5                             True           14m
default      └─VulnerabilityReport/replicaset-nginx-6d4cf56db6-nginx  -              13m

Updating the workload

kubectl set image deployment nginx nginx=nginx:1.17
kubectl set image deployment nginx nginx=nginx:1.17
deployment.apps/nginx image updated

kubectl get job -n starboard-operator
kubectl get job -n starboard-operator

NAME                                 COMPLETIONS   DURATION   AGE
scan-configauditreport-9f45bbddd     0/1           7s         7s
scan-vulnerabilityreport-9f45bbddd   0/1           7s         7s

kubectl tree deploy nginx
 kubectl tree deploy nginx
NAMESPACE  NAME                                                       READY  REASON  AGE
default    Deployment/nginx                                           -              33m
default    ├─ReplicaSet/nginx-6d4cf56db6                              -              33m
default    │ ├─ConfigAuditReport/replicaset-nginx-6d4cf56db6          -              32m
default    │ └─VulnerabilityReport/replicaset-nginx-6d4cf56db6-nginx  -              32m
default    └─ReplicaSet/nginx-db749865c                               -              2m6s
default      ├─ConfigAuditReport/replicaset-nginx-db749865c           -              117s
default      ├─Pod/nginx-db749865c-fxtb5                              True           2m6s
default      └─VulnerabilityReport/replicaset-nginx-db749865c-nginx   -              113s

kubectl get vulnerabilityreport -o wide
kubectl get vulnerabilityreport -o wide
NAME                                REPOSITORY      TAG    SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
replicaset-nginx-6d4cf56db6-nginx   library/nginx   1.16   Trivy     33m     25         85     84       15    0
replicaset-nginx-db749865c-nginx    library/nginx   1.17   Trivy     2m40s   25         83     82       15    0

This steps is based on the Starboard Documentation here

Kubernetes Benchmarks for Best Practice Security


kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Using starboard operator, automatically was created the CIS Kube-bench report.

Validating that the report was created.

kubectl get nodes
kubectl get nodes
NAME                      STATUS   ROLES                  AGE     VERSION
k8s-local-control-plane   Ready    control-plane,master   4h36m   v1.20.7
k8s-local-worker          Ready    <none>                 4h35m   v1.20.7
k8s-local-worker2         Ready    <none>                 4h35m   v1.20.7

Check the CIS kube-bench reports

kubectl get ciskubebenchreports -o wide
kubectl get ciskubebenchreports -o wide
NAME                      SCANNER      AGE     FAIL   WARN   INFO   PASS
k8s-local-control-plane   kube-bench   4h47m   11     41     0      70
k8s-local-worker          kube-bench   4h47m   1      27     0      19
k8s-local-worker2         kube-bench   4h47m   1      27     0      19

kubectl tree node k8s-local-control-plane -A
kubectl tree node k8s-local-control-plane -A
NAMESPACE        NAME                                                   READY  REASON        AGE
                 Node/k8s-local-control-plane                           True   KubeletReady  4h36m
                 ├─CISKubeBenchReport/k8s-local-control-plane           -                    4h8m
                 ├─CSINode/k8s-local-control-plane                      -                    4h36m
kube-node-lease  ├─Lease/k8s-local-control-plane                        -                    4h36m
kube-system      ├─Pod/etcd-k8s-local-control-plane                     True                 4h36m
kube-system      ├─Pod/kube-apiserver-k8s-local-control-plane           True                 4h36m
kube-system      ├─Pod/kube-controller-manager-k8s-local-control-plane  True                 4h36m
kube-system      └─Pod/kube-scheduler-k8s-local-control-plane           True                 4h36m

Generate the Audit Report HTML

Generate the report HTML using starboard CLI

kubectl starboard get report nodes/k8s-local-worker > node01-report.html



kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments.

Using the starboard CLI

kubectl starboard scan kubehunterreports -v 3
kubectl starboard scan kubehunterreports -v 3
I1101 20:37:49.893737   84246 runner.go:79] Running task and waiting forever
I1101 20:37:49.894952   84246 runnable_job.go:74] Creating job "starboard/scan-kubehunterreports-7594df9b45"
I1101 20:37:49.930856   84246 reflector.go:219] Starting reflector *v1.Event (30m0s) from pkg/mod/
I1101 20:37:49.930883   84246 reflector.go:255] Listing and watching *v1.Event from pkg/mod/
I1101 20:37:49.930884   84246 reflector.go:219] Starting reflector *v1.Job (30m0s) from pkg/mod/
I1101 20:37:49.930923   84246 reflector.go:255] Listing and watching *v1.Job from pkg/mod/
I1101 20:37:49.970120   84246 runnable_job.go:130] Event: Created pod: scan-kubehunterreports-7594df9b45-vspcf (SuccessfulCreate)
I1101 20:38:16.993574   84246 runnable_job.go:130] Event: Job completed (Completed)
I1101 20:38:17.006340   84246 runnable_job.go:109] Stopping runnable job on task completion with status: Complete
I1101 20:38:17.006513   84246 runner.go:83] Stopping runner on task completion with error: <nil>
I1101 20:38:17.007331   84246 scanner.go:81] Getting logs for kube-hunter container in job: starboard/scan-kubehunterreports-7594df9b45
I1101 20:38:17.073891   84246 scanner.go:73] Deleting job: starboard/scan-kubehunterreports-7594df9b45

kubectl get kubehunterreports -o wide
kubectl get kubehunterreports -o wide
cluster   kube-hunter   97s   0      0        1

In case of any problem, take a look in the jobs generated.

k -n starboard get jobs
k -n starboard get jobs
NAME                                COMPLETIONS   DURATION   AGE
scan-kubehunterreports-7594df9b45   0/1           13s        13s

Scanning Workloads for Misconfigurations


Starboard used Polaris by default as a configuration checker. More details here

After it was installed Starboard Operator, it was generated the config audit reports using Polaris

kubectl get -o wide
kubectl get -o wide
NAME                          SCANNER   AGE     DANGER   WARNING   PASS
replicaset-nginx-6d4cf56db6   Polaris   5h10m   1        9         7
replicaset-nginx-db749865c    Polaris   4h39m   1        9         7

More details about Starboard and Polaris here

kubectl get configauditreports replicaset-nginx-db749865c -o yaml
k get configauditreports replicaset-nginx-db749865c -o yaml
kind: ConfigAuditReport
  creationTimestamp: "2021-11-01T19:21:32Z"
  generation: 1
    plugin-config-hash: 7dfd59f689
    resource-spec-hash: 854ff96cb4
    starboard.resource.kind: ReplicaSet nginx-db749865c
    starboard.resource.namespace: default
  name: replicaset-nginx-db749865c
  namespace: default
  - apiVersion: apps/v1
    blockOwnerDeletion: false
    controller: true
    kind: ReplicaSet
    name: nginx-db749865c
    uid: 1e12873c-f5f4-4e2d-b55c-00d5e81f9874
  resourceVersion: "10985"
  uid: 971664af-d4d4-4859-b8f6-53659269c381
  - category: Security
    checkID: hostIPCSet
    message: Host IPC is not configured
    severity: danger
    success: true
  - category: Security
    checkID: hostNetworkSet
    message: Host network is not configured
    severity: warning
    success: true
  - category: Security
    checkID: hostPIDSet
    message: Host PID is not configured
    severity: danger
    success: true
  - category: Efficiency
    checkID: cpuLimitsMissing
    message: CPU limits should be set
      type: Container
      value: nginx
    severity: warning
    success: false
  - category: Efficiency
    checkID: memoryRequestsMissing
    message: Memory requests should be set
      type: Container
      value: nginx
    severity: warning
    success: false
  - category: Efficiency
    checkID: cpuRequestsMissing
    message: CPU requests should be set
      type: Container
      value: nginx
    severity: warning
    success: false
  - category: Security
    checkID: dangerousCapabilities
    message: Container does not have any dangerous capabilities
      type: Container
      value: nginx
    severity: danger
    success: true


Conftest uses the Rego language from Open Policy Agent for writing tests against structured configuration data.

By default Starboard used Polaris, we could check the default configuration checker:

kubectl -n starboard get cm starboard -o yaml | grep configAuditReports
kubectl -n starboard get cm starboard -o yaml | grep configAuditReports -A 5
  configAuditReports.scanner: Polaris
  kube-hunter.quick: "false"
  vulnerabilityReports.scanner: Trivy
kind: ConfigMap

To use Conftest, we need to edit the configmap 'starboard' in the namespace used by the starboard CLI:

kubectl patch cm starboard -n starboard \
 --type merge \
 -p "$(cat <<EOF
 "data": {
   "configAuditReports.scanner": "Conftest"


AppShield is a collection of policies for detecting mis-configurations, specifically security issues, in configuration files and Infrastructure as Code definitions.

git clone
cd appshield

Following the starboard about Conftest documentation, we create the configmap starboard-conftest-config with the OPA libraries called kubernetes.rego and utils.rego.

More details here in the starboard documentation

kubectl create configmap starboard-conftest-config -n starboard \
  --from-literal=conftest.imageRef=openpolicyagent/conftest:v0.25.0 \
  --from-file=conftest.policy.kubernetes.rego=kubernetes/lib/kubernetes.rego \
  --from-file=conftest.policy.utils.rego=kubernetes/lib/utils.rego \
  --from-file=conftest.policy.file_system_not_read_only.rego=kubernetes/policies/general/file_system_not_read_only.rego \

Validate the configmap created kubectl -n starboard get cm

k -n starboard get cm
NAME                        DATA   AGE
kube-root-ca.crt            1      8h
starboard                   5      8h
starboard-conftest-config   5      19s
starboard-polaris-config    6      8h
starboard-trivy-config      7      8h

Create a sample deployment to validate the conftest audit report:

kubectl create deployment redis --image redis

Using the starboard CLI, we will scan the redis deployment resource:

kubectl starboard scan configauditreports deployment/redis -v 3
kubectl starboard scan configauditreports deployment/redis -v 3
I1102 00:01:28.406124    3236 scanner.go:67] Scanning with options: {ScanJobTimeout:0s DeleteScanJob:true}
I1102 00:01:28.431293    3236 runner.go:79] Running task and waiting forever
I1102 00:01:28.431383    3236 runnable_job.go:67] Creating secret "starboard/scan-configauditreport-5d47d7484c-volume"
I1102 00:01:28.450068    3236 runnable_job.go:74] Creating job "starboard/scan-configauditreport-5d47d7484c"
I1102 00:01:28.468978    3236 runnable_job.go:81] Setting owner reference secret "starboard/scan-configauditreport-5d47d7484c-volume" -> job "starboard/scan-configauditreport-5d47d7484c"
I1102 00:01:28.469004    3236 runnable_job.go:86] Updating secret "starboard/scan-configauditreport-5d47d7484c-volume"
I1102 00:01:28.494000    3236 reflector.go:219] Starting reflector *v1.Event (30m0s) from pkg/mod/
I1102 00:01:28.494007    3236 reflector.go:219] Starting reflector *v1.Job (30m0s) from pkg/mod/
I1102 00:01:28.494028    3236 reflector.go:255] Listing and watching *v1.Event from pkg/mod/
I1102 00:01:28.494032    3236 reflector.go:255] Listing and watching *v1.Job from pkg/mod/
I1102 00:01:28.550332    3236 runnable_job.go:130] Event: Created pod: scan-configauditreport-5d47d7484c-l7j2t (SuccessfulCreate)
I1102 00:01:37.957274    3236 runnable_job.go:130] Event: Job completed (Completed)
I1102 00:01:37.969905    3236 runnable_job.go:109] Stopping runnable job on task completion with status: Complete
I1102 00:01:37.969933    3236 runner.go:83] Stopping runner on task completion with error: <nil>
I1102 00:01:37.969942    3236 scanner.go:99] Getting logs for conftest container in job: starboard/scan-configauditreport-5d47d7484c
I1102 00:01:38.045587    3236 scanner.go:90] Deleting scan job: starboard/scan-configauditreport-5d47d7484c

Check the config audit report using Conftest:

k get configauditreports -o wide
k get configauditreports -o wide
NAME                          SCANNER    AGE     DANGER   WARNING   PASS
deployment-redis              Conftest   118s    2        0         0
replicaset-nginx-6d4cf56db6   Polaris    8h      1        9         7
replicaset-nginx-db749865c    Polaris    7h42m   1        9         7
replicaset-redis-6749d7bd65   Polaris    6m52s   2        9         6

kubectl get configauditreport deployment-redis -o yaml
kubectl get configauditreport deployment-redis -o yaml
kind: ConfigAuditReport
  creationTimestamp: "2021-11-02T03:01:38Z"
  generation: 1
    plugin-config-hash: 9657c9b65
    resource-spec-hash: 76477b55b7
    starboard.resource.kind: Deployment redis
    starboard.resource.namespace: default
  name: deployment-redis
  namespace: default
  - apiVersion: apps/v1
    blockOwnerDeletion: false
    controller: true
    kind: Deployment
    name: redis
    uid: fc5f4178-0489-40fb-82fd-848dd04c2b19
  resourceVersion: "45389"
  uid: 2a2aba85-a07f-480b-9aeb-e0ccbe2bbdee
  - category: Security
    checkID: Image tag ':latest' used
    message: Container 'redis' of Deployment 'redis' should specify an image tag
    severity: danger
    success: false
  - category: Security
    checkID: Root file system is not read-only
    message: Container 'redis' of Deployment 'redis' should set 'securityContext.readOnlyRootFilesystem'
      to true
    severity: danger
    success: false
  containerChecks: {}
  - category: Security
    checkID: Image tag ':latest' used
    message: Container 'redis' of Deployment 'redis' should specify an image tag
    severity: danger
    success: false
  - category: Security
    checkID: Root file system is not read-only
    message: Container 'redis' of Deployment 'redis' should set 'securityContext.readOnlyRootFilesystem'
      to true
    severity: danger
    success: false
    name: Conftest
    vendor: Open Policy Agent
    version: v0.25.0
    dangerCount: 2
    passCount: 0
    warningCount: 0
  updateTimestamp: "2021-11-02T03:01:38Z"


Installing the Starboard Lens Extension provides visibility into vulnerability assessment reports for Kubernetes workloads stored as custom resources.

Latest release to install in Lens:

Trivy image scanning