The main of this page is to compare the existing k8S security tests versus the Kubescape tool developed according to NSA recommendations.
.. Integration Security tests are deployed (some tests are developped internally) by integration Teams. ::
Security Tests
Security Tests
Tests | Description | Code | Comments |
|---|---|---|---|
root_pods | check that pods are nor using root user or started as root | kubectl | |
unlimitted_pods | check that limits are set for pods | kubectl | |
cis_kubernetes | perform the k8s cis test suite (upstream src aquasecurity) | ||
nonssl_endpoints | check that all public HTTP endpoints exposed in ONAP cluster use SSL tunnels | kubetl, nmap | |
http_public_endpoints | check that there is no public http endpoints exposed in ONAP cluster | kubectl,nmap | |
jdpw_ports | check that there are no internal java ports | kubectl, procfs | |
kube_hunter | security suite to search k8s vulnerabilities (upstream src aquasecurity) | ||
versions | check that Java and Python are available only in versions recommended by SECCOM. This test is long and run only in Weekly CI chains | cerberus, kubernetes python lib, | |
tern | Check the component licenses within the ONAP dockers | kubectl |
Example of a scorecard:
The outcome includes the possibility to accept somes failures and to increase the outcome (main 100%).
...