k-rail - Kubernetes security tool for policy enforcement

  •        41

k-rail is a workload policy enforcement tool for Kubernetes. It can help you secure a multi tenant cluster with minimal disruption and maximum velocity. By leveraging the first three features you can quickly and easily roll out enforcement to deployments without breaking them and monitor violations with confidence. The interactive feedback informs and educates engineers during future policy violations.

https://github.com/cruise-automation/k-rail

Tags
Implementation
License
Platform

   




Related Projects

kubernetes-security-best-practice - Kubernetes Security - Best Practice Guide

  •    

This document acts as a best practice guide to Kubernetes security. K8s is a powerful platform which can be abused in many ways if not configured properly. The authors of this guide are running Kubernetes in production and worked on several K8s projects to learn about security flaws the hard way. The severity or importance of each topic is indicated by an emoji in the topic name.

kube-scan - kube-scan: Octarine k8s cluster risk assessment tool

  •    Go

Try our free Kubernetes risk assessment tool today. Run it on any cluster at any time. No data leaves your cluster. We do not collect any information. For more information on Octarine see https://www.octarinesec.com. Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System.

Cilium - eBPF-based Networking, Security, and Observability

  •    Go

Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes.

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA

  •    Go

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA Tests are configured with YAML files, making this tool easy to update as test specifications evolve.


kubernetes-network-policy-recipes - Example recipes for Kubernetes Network Policies that you can just copy paste

  •    

You can get stuff like this with Network Policies... This repository contains various use cases of Kubernetes Network Policies and sample YAML files to leverage in your setup. If you ever wondered how to drop/restrict traffic to applications running on Kubernetes, read on.

MicroK8s - The smallest, fastest Kubernetes

  •    Python

MicroK8s is the smallest, fastest Kubernetes, Single-package fully conformant lightweight Kubernetes that works on 42 flavours of Linux. It is suitable for Developer workstations, IoT, CI/CD, Edge. MicroK8s is small, with sensible defaults that ‘just work’. A quick install, easy upgrades and great security make it perfect for micro clouds and edge computing.

katlas - A distributed graph-based platform to automatically collect, discover, explore and relate multi-cluster kubernetes resources and metadata

  •    Go

K-Atlas (pronounced Cutlass), is a distributed graph based platform to automatically collect, discover, explore and relate multi-cluster Kubernetes resources and metadata. K-Atlas's rich query language allows for simple and efficient exploration and extensibility. It addresses following problems in a large scale enterprise environment of Kubernetes.

Kubernetes_Security_Specialist_Study_Guide

  •    HCL

The CKS is the third Kubernetes based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that will require solving multiple Kubernetes security tasks from the command line. With the massive investment into Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking out technical knowledge about Kubernetes. This repository contains resources to build a Kubernetes cluster, and example questions and answers based on the Certified Kubernetes Security Specialist (CKS) exam curriculum.

kubeadm-ha - Kubernetes high availiability deploy based on kubeadm (for v1

  •    Smarty

kube-apiserver: exposes the Kubernetes API. It is the front-end for the Kubernetes control plane. It is designed to scale horizontally – that is, it scales by deploying more instances. etcd: is used as Kubernetes’ backing store. All cluster data is stored here. Always have a backup plan for etcd’s data for your Kubernetes cluster. kube-scheduler: watches newly created pods that have no node assigned, and selects a node for them to run on. kube-controller-manager: runs controllers, which are the background threads that handle routine tasks in the cluster. Logically, each controller is a separate process, but to reduce complexity, they are all compiled into a single binary and run in a single process. kubelet: is the primary node agent. It watches for pods that have been assigned to its node (either by apiserver or via local configuration file) kube-proxy: enables the Kubernetes service abstraction by maintaining network rules on the host and performing connection forwarding. keepalived cluster config a virtual IP address (192.168.20.10), this virtual IP address point to k8s-master01, k8s-master02, k8s-master03. nginx service as the load balancer of k8s-master01, k8s-master02, k8s-master03's apiserver. The other nodes kubernetes services connect the keepalived virtual ip address (192.168.20.10) and nginx exposed port (16443) to communicate with the master cluster's apiservers.

DeepFence - Identify vulnerabilities in running containers, images, hosts and repositories

  •    Go

Deepfence ThreatMapper helps you to monitor and secure your running applications, in Cloud, Kubernetes, Docker, and Fargate Serverless. ThreatMapper scans your platforms and identifies pods, containers, applications, and infrastructure. Use ThreatMapper to discover the topology of your applications and attack surface. It obtains manifests of dependencies from running pods and containers, serverless apps, applications, and operating system. ThreatMapper matches these against vulnerability feeds to identify vulnerable components.

trigger - Trigger is a robust network automation toolkit written in Python that was designed for interfacing with network devices

  •    Python

Trigger is a robust network automation toolkit written in Python that was designed for interfacing with network devices and managing network configuration and security policy. It increases the speed and efficiency of managing large-scale networks while reducing the risk of human error. Started by the AOL Network Security team in 2006, Trigger was originally designed for security policy management on firewalls, routers, and switches. It has since been expanded to be a full-featured network automation toolkit.

felix - Project Calico's per-host agent Felix, responsible for programming routes and security policy

  •    Go

This repository contains the source code for Project Calico's per-host daemon, Felix. The best place to ask a question or get help from the community is the calico-users #slack. We also have an IRC channel.

cf-for-k8s - The open source deployment manifest for Cloud Foundry on Kubernetes

  •    Shell

Cloud Foundry For Kubernetes (cf-for-k8s) blends the popular CF developer API with Kubernetes, Istio, and other open source technologies. The project aims to improve developer productivity for organizations using Kubernetes. cf-for-k8s can be installed atop any conformant environment in minutes. If you're new to Kubernetes, we recommend this Getting Started Guide, which walks you though deploying cf-for-k8s on your machine using a local kind (Kubernetes In Docker) cluster. The guide configures your cf-for-k8s deployment as a developer-edition that runs on your laptop and can handle approximately 10 small applications.

guide - Kubernetes clusters for the hobbyist.

  •    

The tinkerers of today are the leaders of tomorrow. This guide answers the question of how to setup and operate a fully functional, secure Kubernetes cluster on a cloud provider such as Hetzner Cloud, DigitalOcean or Scaleway. It explains how to overcome the lack of external ingress controllers, fully isolated secure private networking and persistent distributed block storage.

ManageIQ - Discover, Optimize, and Control your Hybrid IT

  •    Ruby

ManageIQ is an open-source Management Platform that delivers the insight, control, and automation that enterprises need to address the challenges of managing hybrid IT environments.

k8s-deployment-strategies - Kubernetes deployment strategies explained

  •    Go

In Kubernetes there is few different way to release an application, you have to carefully choose the right strategy to make your infrastructure resilient. These examples were created and tested on Minikube running with Kubernetes v1.10.0.

kube-bench - The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices

  •    Go

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

kube-linter - KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices

  •    Go

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.

eks-distro - Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters

  •    Shell

Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters. With EKS-D, you can rely on the same versions of Kubernetes and its dependencies deployed by Amazon EKS. This includes the latest upstream updates, as well as extended security patching support. EKS-D follows the same Kubernetes version release cycle as Amazon EKS, and we provide the bits here. EKS-D offers the same software that has enabled tens of thousands of Kubernetes clusters on Amazon EKS. This GitHub repository has everything required to build the components that make up the EKS Distro from source.






We have large collection of open source products. Follow the tags from Tag Cloud >>


Open source products are scattered around the web. Please provide information about the open source projects you own / you use. Add Projects.