MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found. The same Docker container then launches a web UI to view and navigate the results on localhost:8000.
View a live demo of the web UI here.
- Who is MKIT for?
- What does it check?
- What is it doing?
- Viewing Results
- Quick Start
- Building Locally
- Development
MKIT provides security-minded Google Kubernetes Engine (GKE) cluster administrators with a quick way to assess several common misconfigurations in their clusters and workloads.
MKIT makes use of Chef Inspec-formatted profiles, and the GKE controls are published at the locations below:
When running make with various parameters, the MKIT tool is leveraging your user credentials to query the GCP APIs for the specific cluster and validating its configuration. It then connects to the cluster directly via the Kubernetes API server to validate several configuration items inside the cluster. Finally, it combines those results into a format viewable by the mkit-ui launched inside the mkit container listening on http://localhost:8000 for viewing.
All results are stored inside the container for the life of that MKIT run, and they are not uploaded or shared in any way.
The MKIT web UI (http://localhost:8000) shows all of the results on a single page. Failed checks appear first, followed by passed checks. Clicking view all will show all of the underlying resources impacted by the checks and whether they passed or failed.
-
Clone this repository to your Linux / macOS / WSL2 system.
-
See the section on building the image manually, if desired.
-
Ensure your identity has the following permissions:
- An IAM Role with
container.clusters.get,container.clusters.list, andcontainer.clusters.getCredentials. For example:Owner-roles/ownerEditor-roles/editorKubernetes Engine Admin-roles/container.admin
- Or, a custom IAM Role with
container.clusters.get,container.clusters.list,container.clusters.getCredentials, and an in-cluster RBACClusterRoleBindingof the built-incluster-adminorviewClusterRoles.
- An IAM Role with
-
Authenticate with your Google Cloud credentials
gcloud auth application-default login -
Run the following command (be sure to specify project-id and not project-name):
make run-gke project_id=my-project-id location=us-central1 clustername=my-gke-cluster-nameRunning in darkbitio/mkit:latest: /home/node/audit/gke.sh Generating results...done. Fetching cluster endpoint and auth data. kubeconfig entry generated for my-gke-cluster. Generating results...done. Visit http://localhost:8000 to view the results yarn run v1.22.0 node app.js MKIT Running - browse to http://localhost:8000
-
Visit http://localhost:8000 to view the results of the scan.
If you prefer to build the Docker images locally before running, the Dockerfile is in this repo.
- Clone this repo
- Modify the Makefile to name the image as desired
- Run
make buildto build the container from scratch
We welcome any contributions from users in the community.
- Fork the desired profile repository
- Modify the release tag and release URL to point to your new repository/release in the
Dockerfile - Follow the steps in the previous section to build a custom container using your new profile