You’re likely wondering how microservice orchestration platforms are secured and what tools exist to give us visibility. The biggest concern I see with many teams that have moved to the cloud without proper strategies, such as the Cloud Adoption Framework (CAF) and establishing governance and security as code before the leap, is visibility: how are my services actively exposed?
Aqua Security provides a variety of tools to help secure microservices; the tool I’ll be using is kube-hunter.
https://github.com/aquasecurity/kube-hunter
If you’re running this in Azure or in your terminal of choice, installation will be rather fast. After cloning the repo, I run the following to set it up:
kubectl create -f ./job.yaml
Let’s explore the job we created further; you do this using describe, then pull the logs from the pod it created:
kubectl describe job kube-hunter
kubectl logs kube-hunter-xz9dm
If you wonder where the pod name (kube-hunter-xz9dm) came from, I ran a previous command in the background to list the pods; remember “kubectl get pods -A”.
A few things in this output pop out, such as “Read access to pod’s service account token” at location “Local to Pod”. That means kube-hunter was able to read the service account token of this specific pod; the follow-up question is who actually needs read access to it. Defining what the exposure is, using tools like these, is a good first step in understanding your present threats.
So how do we know what kube-hunter is running, and where it is looking, in Kubernetes? List the hunters:
kube-hunter --active --list --raw-hunter-names
This breaks the hunters into two types, passive hunters and active hunters; the screenshot shows the active hunters and what each one looks for. It’s important to dig into this to know your coverage.
Let’s run the job in the next namespace that is part of the deployment, “kube-system”.
Here is the output after running:
kubectl logs kube-hunter-hntsl -n kube-system
What if I don’t know what this output translates to from a security control perspective? Aqua Security has you covered with the Aqua Vulnerability Database: https://avd.aquasec.com
So what we use these tools for is to find weaknesses in the Kubernetes cluster and to make us aware of findings, since anything can inadvertently lead to exposure.
For an open-source tool from Aqua, this is an easy deployment, and you can view how the YAML manifest works; here it is from the repo.
In my next post we will explore some other tools to increase the security coverage of your microservices!
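To turn the findings into a security-as-code gate rather than something you only read in the logs, here is an added example (my own code, not from the kube-hunter project) that summarizes a kube-hunter JSON report and lists the findings above an allowed severity. It assumes the report was produced with kube-hunter’s `--report json` option and that the field names mirror that report; the sample report, hosts, pod name and the second finding are constructed for the example, and KHV050 is assumed to be the id kube-hunter assigns to the service account token finding shown above.

```python
import json

# Constructed sample, shaped like a kube-hunter `--report json` run (assumption:
# field names mirror kube-hunter's JSON report; hosts, pod name and the second
# finding are made up for the example, and the KHV050 id is an assumption).
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.4"}],
    "services": [{"service": "Kubelet API", "location": "10.0.0.4:10250"}],
    "vulnerabilities": [
        {"location": "Local to Pod (kube-hunter-xz9dm)", "vid": "KHV050",
         "category": "Access Risk", "severity": "low",
         "vulnerability": "Read access to pod's service account token",
         "evidence": "<token redacted>", "hunter": "Access Secrets"},
        {"location": "10.0.0.4:10250", "vid": "KHV-EXAMPLE",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "Constructed finding for the example",
         "evidence": "n/a", "hunter": "Kubelet Discovery"},
    ],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def load_findings(report_json):
    """Return the list of findings from a kube-hunter JSON report string."""
    return json.loads(report_json).get("vulnerabilities", [])


def summarize(report_json):
    """Count findings per severity, e.g. {'low': 1, 'medium': 1}."""
    counts = {}
    for finding in load_findings(report_json):
        sev = finding.get("severity", "unknown").lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def over_threshold(report_json, allowed="low"):
    """Findings more severe than `allowed`; a non-empty list should fail the gate."""
    limit = SEVERITY_RANK[allowed]
    return [f for f in load_findings(report_json)
            if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) > limit]


def token_exposure(report_json):
    """Locations where kube-hunter could read the pod's service account token."""
    return [f["location"] for f in load_findings(report_json) if f.get("vid") == "KHV050"]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for f in over_threshold(SAMPLE_REPORT, "low"):
        print(f"{f['vid']} {f['severity']}: {f['vulnerability']} @ {f['location']}")
```

Each vid printed can be looked up on avd.aquasec.com to see the control it maps to and the recommended remediation.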