Vesta is a practical and convenient image scanning and Docker/Kubernetes baseline security check tool, dedicated to detecting the potential security issues caused by misconfiguration of Docker or Kubernetes.

Vesta v1.0.2 updates are as follows:

New features

  • Add Cilium version vulnerability detection
  • Add detection of the kubelet read-only-port parameter and insecure use of kubectl proxy
  • Add detection of etcd security configuration
  • Add detection of RoleBinding security configuration
  • Image scanning now detects Go binaries

Improvements

  • Optimize the layer integration method to speed up image scanning

The Kubernetes security check items currently supported by vesta are:

| Supported Check Item | Description | Severity |
| --- | --- | --- |
| PrivilegeAllowed | Dangerous privileged mode | critical |
| Capabilities | Dangerous capabilities are set | critical |
| PV and PVC | PV is mounted to a sensitive directory and its status is active | critical/medium |
| RBAC | Dangerous configuration of K8s permissions | high/medium |
| Kubernetes-dashboard | Checks for `--enable-skip-login` and dashboard account permissions | critical/high/low |
| Kernel version (k8s version less than v1.24) | The current kernel version has an escape vulnerability | critical |
| Docker Server version (k8s version less than v1.24) | The Docker Server version has a vulnerability | critical/high/medium/low |
| Kubernetes certificate expiration | The certificate expires in less than 30 days | medium |
| ConfigMap and Secret check | Whether a ConfigMap or Secret contains a weak password | high/medium |
| Auto Mount Service Account Token | Pod mounts /var/run/secrets/kubernetes.io/serviceaccount/token by default | low |
| NoResourceLimits | Unlimited usage of resources such as CPU, memory and storage | low |
| Job and CronJob | Job or CronJob does not set a seccomp or SELinux security policy | low |
| Envoy admin | Envoy admin is configured and listens on 0.0.0.0 | high/medium |
| CVE-2022-29179 | Check for the existence of CVE-2022-29179 | high |
| Kubelet 10255 and kubectl proxy | Port 10255 is open or kubectl proxy is open | high/medium/low |
| Etcd configuration | Etcd security configuration check | high/medium |
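To make the workload-level items in the table concrete, here is a small Pod-manifest checker in the spirit of PrivilegeAllowed, Capabilities, PV/PVC sensitive-directory mounts (simplified to hostPath volumes on the Pod), Auto Mount Service Account Token and NoResourceLimits. It is an added illustration, not vesta's own code: the dangerous-capability set, the sensitive-directory list and both sample Pods are constructed for the example and are not taken from vesta.

```python
"""Baseline checks over a Kubernetes Pod manifest (added example, not vesta's
implementation). DANGEROUS_CAPS, SENSITIVE_DIRS and the two sample Pods are
constructed for illustration."""
from pathlib import PurePosixPath

# Assumed set of capabilities that let a container take over the node (not vesta's list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# Assumed sensitive host directories (not vesta's list).
SENSITIVE_DIRS = ["/", "/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet", "/root"]


def is_sensitive_host_path(path):
    """True if path equals or lies under one of SENSITIVE_DIRS ("/" only matches exactly)."""
    p = PurePosixPath(path)
    for d in SENSITIVE_DIRS:
        if d == "/":
            if str(p) == "/":
                return True
        elif p == PurePosixPath(d) or PurePosixPath(d) in p.parents:
            return True
    return False


def check_pod(pod):
    """Return a list of (check, severity, detail) findings for one Pod dict."""
    findings = []
    spec = pod.get("spec", {})

    # Auto Mount Service Account Token: mounted unless the Pod explicitly opts out.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("AutoMountServiceAccountToken", "low",
                         "token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token"))

    # Sensitive host directories exposed through hostPath volumes.
    for v in spec.get("volumes", []):
        hp = (v.get("hostPath") or {}).get("path")
        if hp and is_sensitive_host_path(hp):
            findings.append(("HostPathMount", "critical", f"volume {v.get('name')} mounts host path {hp}"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # PrivilegeAllowed
        if sc.get("privileged"):
            findings.append(("PrivilegeAllowed", "critical", f"container {name} runs privileged"))
        # Capabilities: normalise "CAP_SYS_ADMIN" and "sys_admin" to "SYS_ADMIN" before comparing.
        added = {cap.upper().removeprefix("CAP_") for cap in (sc.get("capabilities") or {}).get("add", [])}
        bad = sorted(added & DANGEROUS_CAPS)
        if bad:
            findings.append(("Capabilities", "critical", f"container {name} adds {', '.join(bad)}"))
        # NoResourceLimits
        limits = (c.get("resources") or {}).get("limits") or {}
        missing = [r for r in ("cpu", "memory") if r not in limits]
        if missing:
            findings.append(("NoResourceLimits", "low", f"container {name} has no limit for {', '.join(missing)}"))
    return findings


RISKY_POD = {  # constructed sample
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "risky"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "data", "hostPath": {"path": "/data/app"}}],
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"privileged": True,
                                 "capabilities": {"add": ["CAP_SYS_ADMIN", "NET_BIND_SERVICE"]}}},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        ],
    },
}

HARDENED_POD = {  # constructed sample: same workload with the findings fixed
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "data", "hostPath": {"path": "/data/app"}}],
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"privileged": False, "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", check_pod(pod) or "no findings")
```

The risky Pod yields five findings (token auto-mount, the docker.sock hostPath, privileged mode, SYS_ADMIN, and missing limits on `app`); the hardened Pod yields none. Severities follow the table above; the path check deliberately treats `/` as an exact match so that every absolute path is not flagged merely because `/` is its ancestor.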

At the same time, a general comparison of image layer integration methods has been written up in the following article:

Analysis of the image scanning methods of vesta, trivy and clair
