Vesta is a practical and convenient mirror scan and Docker, Kubernetes baseline security check tool. Dedicated to checking the occurrence of various potential security issues caused by misconfiguration of Docker or Kubernetes.
Vesta v1.0.2 updates are as follows:
new function
- Add cilium version vulnerability detection
- Increase the detection of kubelet read-only-port parameters and incorrect use of kubectl proxy
- Increase the detection of etcd security configuration
- Increase the detection of RoleBinding security configuration
- Mirror scanning adds go binary detection
Improve
- Optimize the method of Layers integration to speed up image scanning
The current list of Kubernetes security check configurations supported by vesta is
| Supported | Check Item | Description | Severity |
|---|---|---|---|
| ✔ | PrivilegeAllowed | Dangerous Privileged Mode | critical |
| ✔ | Capabilities | Dangerous capabilities are set | critical |
| ✔ | PV and PVC | PV is mounted to sensitive directory and status is active | critical/medium |
| ✔ | RBAC | Dangerous configuration of K8s permissions | high/medium |
| ✔ | Kubernetes-dashboard | an examination -enable-skip-loginAnd dashboard account permissions |
critical/high/low |
| ✔ | Kernel version (k8s versions is less than v1.24) | There is an escape vulnerability in the current kernel version | critical |
| ✔ | Docker Server version (k8s versions is less than v1.24) | There is a vulnerability in the version of Docker Server | critical/high/medium/low |
| ✔ | Kubernetes certification expiration | The certificate expiration time is less than 30 days | medium |
| ✔ | ConfigMap and Secret check | Whether there is a weak password in ConfigMap or Secret | high/medium |
| ✔ | Auto Mount Service Account Token | Pod is mounted by default /var/run/secrets/kubernetes.io/serviceaccount/token. |
low |
| ✔ | NoResourceLimits | Unlimited usage of resources such as CPU, Memory, Storage | low |
| ✔ | Job and Cronjob | Job or CronJob does not set seccomp or seLinux security policy | low |
| ✔ | Envoy admin | Envoy admin is configured and listens0.0.0.0. |
high/medium |
| ✔ | CVE-2022-29179 | Check for the existence of CVE-2022-29179 | high |
| ✔ | Kubelet 10255 and Kubectl proxy | 10255 port open or Kubectl proxy open | high/medium/low |
| ✔ | Etcd configuration | Etcd security configuration check | high/medium |
At the same time, a general comparison is made for the mirror layer integration method, the article is as follows
Analysis of the mirror scanning method of vesta, trivy and clair
#Vesta #v102 #released #practical #cloudnative #baseline #security #check #tool #News Fast Delivery