Container & Kubernetes Security Tools

Container Attack Surface Assessment & Breakout Tools

Useful tools to run inside a container to assess the sandbox that’s in use, and exploit some common breakout issues.

• amicontained - will show you information about the container runtime and rights you have
• ConMachi - Pentester focused container attack surface assessment tool
• deepce - Docker Enumeration, Escalation of Privileges and Container Escapes
• botb - Container breakout assessment tool. Can automatically exploit common issues like the Docker socket mount
• keyctl-unmask - Tool that specifically focuses on grabbing kernel keyring entries from containers that allow the keyctl syscall

Container Vulnerability Scanning Tools

• Trivy - Vulnerability and IaC scanner
• Grype - Container vulnerability scanner
• clair - Container vulnerability scanner

IaC Scanning Tools that cover container formats

• Trivy - Vulnerability and IaC scanner
• Checkov - IaC scanner
• KICS - IaC scanner

Docker Security Tools

• docker bench - Docker CIS Benchmark assessment tool
• Dockle - Container Image Linter

Container Runtime Security Tools

• Tracee. Container runtime security tooling
• Falco. Container runtime security tooling
• Kubearmor. Container runtime security enforcement tool

Container Registry Tools

• reg - Tool for interacting with Container registries
• regclient - Another tool for interacting with container registries
• go-pillage-registries - Tool to search the manifests and configuration for images in a registry for potentially sensitive information

Container Orchestration Tools

RBAC Assessment Tools

• kubectl-who-can - Tool that lets you ask “who can” do things in RBAC, e.g. who can get secrets
• rakkess - Shows the RBAC permissions available to a user as a list
• rback - tool for graphical representation of RBAC permissions in a kubernetes cluster
• rbac-tool - RBAC Tool for Kubernetes
• kubiScan - Tool to scan Kubernetes clusters for risky permissions
• krane - Kubernetes RBAC static analysis & visualisation tool

Kubernetes Security Auditing Tools

• kube-bench - Tool to assess compliance with the CIS benchmark for various Kubernetes distributions
• kubescape - Kubernetes security assessment tool
• kubeaudit - Kubernetes security assessment tool focusing on workload security
• kubesec - Kubernetes security assessment tool focusing on workload security
• kubescore - Kubernetes security and reliability assessment tool focusing on workload security.

Kubernetes Penetration Testing Tools

• kube-hunter - Tool to test and exploit standard Kubernetes Security Vulnerabilities
• kubestrike - Security auditing tool for Kubernetes looks at Authenticated and unauthenticated scanning
• peirates - Kubernetes container breakout tool
• kdigger - Kubernetes breakout/discovery tool

Kubernetes Post-Exploitation Tools

• kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments

Kubelet Tools

• kubeletctl - This is a good tool to automate the process of assessing a kubelet instance. If the instance is vulnerable it can also carry out some exploit tasks

etcd Tools

• auger - Tool for decoding information pulled directly from the etcd database

Security Observability Tools

• ThreatMapper. Cloud + Container Security observability

Training Tools

If you’re looking to practice with some of the tools here, in a safe environment, there are projects to help with that.

• Kube Security Lab - Basic set of Kubernetes security scenarios implemented in Ansible with KinD
• Kubernetes Simulator - AWS based Kubernetes cluster environment with different vulnerability scenarios
• Kubernetes Goat - Focuses on vulnerable deployments on top of an existing cluster. Also available on line with Katacoda