{"id":16617,"date":"2019-07-29T08:23:46","date_gmt":"2019-07-29T06:23:46","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=16617"},"modified":"2025-01-08T08:24:55","modified_gmt":"2025-01-08T07:24:55","slug":"kubernetes-security-tools","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/kubernetes-security-tools\/","title":{"rendered":"Unraveling Kubernetes Security Tools"},"content":{"rendered":"<p>When securing <a href=\"https:\/\/www.inovex.de\/de\/leistungen\/cloud\/kubernetes\/\" target=\"_blank\" rel=\"noopener\">K8s<\/a> based environments many different issues arise\u2014from checking the actual cluster configuration to configuring K8s features like Network Policies, Pod Security Policies, Namespaces and RBAC up to the security of your images on application level. And there are even more tools that try to tackle these issues. Don\u2019t waste your time searching and check out these open source Kubernetes Security Tools instead.<!--more--><\/p>\n<h2><span class=\"ez-toc-section\"
id=\"Cluster-Configuration\"><\/span>Cluster Configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Chances are you\u2019ve set up your cluster successfully and have Kubernetes running. How can you make sure that you don\u2019t expose low-hanging fruit by accidentally choosing clumsy configuration options for your kube-apiserver, etcd, kubelets, \u2026?<\/p>\n<p>The Center for Internet Security (CIS) provides benchmarks that are \u201ccontinuously refined and verified by a volunteer, global community of experienced IT professionals\u201d and are considered \u201c<a href=\"https:\/\/www.cisecurity.org\/about-us\/\" target=\"_blank\" rel=\"noopener\">the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks<\/a>\u201d. The <a href=\"https:\/\/www.cisecurity.org\/benchmark\/kubernetes\/\" target=\"_blank\" rel=\"noopener\">Kubernetes CIS Benchmark<\/a> provides two levels of security. Note that you shouldn\u2019t adopt every guideline in this benchmark unaltered; level two in particular may reduce utility or performance.<\/p>\n<p><a href=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/07\/automate-all-the-things.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-16670 size-full aligncenter\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/07\/automate-all-the-things.jpg\" alt=\"Automate all the things meme\" width=\"500\" height=\"355\" \/><\/a><\/p>\n<p>Because <em>Automate All The Things<\/em> isn\u2019t just a meme among DevOps engineers, the K8s benchmark is implemented as an <a href=\"https:\/\/github.com\/dev-sec\/cis-kubernetes-benchmark\" target=\"_blank\" rel=\"noopener\">InSpec Profile<\/a> by the <a href=\"https:\/\/dev-sec.io\/\" target=\"_blank\" rel=\"noopener\">DevSec Project<\/a>.
In case you\u2019re not familiar with <a href=\"https:\/\/www.inspec.io\/\" target=\"_blank\" rel=\"noopener\">InSpec<\/a>, it\u2019s a framework for turning compliance and security requirements into declarative code.<\/p>\n<p>Running the Kubernetes Benchmark Profile from your local machine (provided you\u2019ve installed <a href=\"https:\/\/www.inspec.io\/\" target=\"_blank\" rel=\"noopener\">InSpec<\/a>):<\/p>\n<ol>\n<li>Clone the benchmark profile on your local machine:\n<pre class=\"lang:sh decode:true\">$ git clone https:\/\/github.com\/dev-sec\/cis-kubernetes-benchmark<\/pre>\n<\/li>\n<li>Edit attributes in inspec.yml e.g. CIS level<\/li>\n<li>Run master-related controls against master node:\n<pre class=\"lang:sh decode:true\">$ inspec exec cis-kubernetes-benchmark\/ --controls '\/cis-kubernetes-benchmark-1\\.\\d\\.\\d\/' -t ssh:\/\/&lt;user&gt;@&lt;master-node&gt; -i path\/to\/ssh-key<\/pre>\n<\/li>\n<li>Run worker-related controls against worker node (master node with public IP works as bastion host in this example):\n<pre class=\"lang:sh decode:true\">$ inspec exec cis-kubernetes-benchmark\/ --controls '\/cis-kubernetes-benchmark-2\\.\\d\\.\\d\/' -b ssh --bastion-host=&lt;master-node&gt; --bastion-user=&lt;user&gt; --host=&lt;worker-node&gt; --user=&lt;user&gt; -i path\/to\/ssh-key<\/pre>\n<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Image-Security\"><\/span>Image Security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Dockerfile-Policy\"><\/span>Dockerfile Policy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Image Security begins with your Dockerfiles. 
Use <a href=\"https:\/\/github.com\/hadolint\/hadolint\" target=\"_blank\" rel=\"noopener\">hadolint<\/a> to check that your Dockerfiles comply with best practices for writing Dockerfiles by piping your Dockerfile to the hadolint container:<\/p>\n<pre class=\"lang:sh decode:true\">$ docker run --rm -i hadolint\/hadolint &lt; Dockerfile<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Vulnerability-Scanning\"><\/span>Vulnerability Scanning<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Scanning your images for Common Vulnerabilities and Exposures (CVEs) should be a mandatory step in secure pipelines. Vulnerability scanners collect the operating system package information of your image and compare it to corresponding package vulnerability databases like the <a href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\" rel=\"noopener\">NVD<\/a> or databases specific to a particular operating system or application package system.<\/p>\n<p>Currently <a href=\"https:\/\/github.com\/coreos\/clair\" target=\"_blank\" rel=\"noopener\">Clair<\/a> from CoreOS, <a href=\"https:\/\/github.com\/anchore\/anchore-engine\" target=\"_blank\" rel=\"noopener\">Anchore Engine<\/a> and <a href=\"https:\/\/github.com\/aquasecurity\/microscanner\" target=\"_blank\" rel=\"noopener\">MicroScanner<\/a> from Aqua Security seem to be the most promising tools. You can find a comparison of the tools and scanning results here.<\/p>\n<p>MicroScanner is probably the easiest way to integrate CVE scanning into your pipeline. We add these three lines to our Dockerfiles and images will be scanned during build:<\/p>\n<pre class=\"lang:sh decode:true\">ADD https:\/\/get.aquasec.com\/microscanner \/\nRUN chmod +x \/microscanner\nRUN \/microscanner<\/pre>\n<p>If high-severity vulnerabilities are found, this will fail the image build.
Simple as that.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Image-Signing\"><\/span>Image Signing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>By signing container images, you can be sure that images come from a trusted source, have not been tampered with and are up to date. You\u2019re probably familiar with <a href=\"https:\/\/docs.docker.com\/engine\/security\/trust\/content_trust\/\">Docker Content Trust<\/a>, which integrates <a href=\"https:\/\/theupdateframework.github.io\/\" target=\"_blank\" rel=\"noopener\">The Update Framework<\/a> into Docker using <a href=\"https:\/\/github.com\/theupdateframework\/notary\" target=\"_blank\" rel=\"noopener\">Notary<\/a>. But there\u2019s also an interesting K8s-specific project working on top of these technologies.<\/p>\n<p><a href=\"https:\/\/github.com\/ibm\/portieris\">Portieris<\/a> is a Kubernetes Admission Controller for enforcing Content Trust, meaning we can enforce that only trusted images will be deployed in our cluster.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Resource-Validation\"><\/span>Resource Validation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Prior to actually deploying secure images, we should check the manifest files of the K8s resources we\u2019re going to create. The <em>manifest mode<\/em> of <a href=\"https:\/\/github.com\/Shopify\/kubeaudit\" target=\"_blank\" rel=\"noopener\">kubeaudit<\/a> allows auditing our manifest files before applying them to the cluster by simply running:<\/p>\n<pre class=\"lang:sh decode:true\">$ kubeaudit -f \/path\/to\/manifest.yml<\/pre>\n<p>This will apply kubeaudit\u2019s default checks like auditing Security Contexts, Container Image Tags, Service Accounts, Network Policies and Resource Limits.<\/p>\n<p>kubeaudit even comes with a handy auto-fix feature.
Applying all the checks might end up being too restrictive for your application, but don\u2019t worry, configuring the audit is possible of course.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Network-Policy-Validation\"><\/span>Network Policy Validation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubernetes Network Policies control the in- and outbound traffic for a group of pods at the TCP\/IP level and are pretty straightforward to define.<\/p>\n<p>However, as stated in <a href=\"https:\/\/www.inovex.de\/blog\/test-kubernetes-network-policies\/\" target=\"_blank\" rel=\"noopener\">this great article<\/a>\u00a0by my colleague Maximilian, involving network plugins that provide Network Policy support like Calico or Weave Net may add obscure complexity. Network Policy Validation Tools can remedy this problem by testing that defined policies are really in effect and allow only the traffic they are supposed to. There are two noteworthy nmap-based tools out there:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/controlplaneio\/netassert\" target=\"_blank\" rel=\"noopener\">netassert<\/a> creates the test cases from a YAML file containing a list of hosts\/pods to test from as well as the hosts\/pods and ports that should be reachable.<\/li>\n<li><a href=\"https:\/\/github.com\/inovex\/illuminatio\" target=\"_blank\" rel=\"noopener\">illuminatio<\/a> takes a more automated approach by scanning your Kubernetes cluster for existing Network Policies and creating test cases accordingly on its own.<\/li>\n<\/ul>\n<p>BTW:\u00a0<a href=\"https:\/\/github.com\/inovex\/illuminatio\" target=\"_blank\" rel=\"noopener\">illuminatio<\/a> is developed by inovex engineers.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"RBAC-Principle-of-Least-Privilege\"><\/span>RBAC &amp; Principle of Least Privilege<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Role-Based Access Control (RBAC) should be the preferred authentication mechanism, but can be daunting
sometimes.<\/p>\n<p><a href=\"https:\/\/github.com\/liggitt\/audit2rbac\" target=\"_blank\" rel=\"noopener\">audit2rbac<\/a> can help you follow the principle of least privilege by making sure users and services only have the access they should. This tool takes a Kubernetes audit log containing all the API requests you expect your user \/ service to perform and the username \/ serviceaccount as input and generates RBAC Role and RoleBinding objects. Of course you have to diligently generate all the API requests needed; fewer than least privileges aren\u2019t wise either. But the tool really seems to do its job.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Live-Auditing-Pentesting\"><\/span>Live Auditing &amp; Pentesting<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Remember <a href=\"https:\/\/github.com\/Shopify\/kubeaudit\" target=\"_blank\" rel=\"noopener\">kubeaudit<\/a>? It can not only audit resource manifest files before applying, but also audit a live K8s environment after deployment.<\/p>\n<p>Yet there is more, especially for getting an attacker\u2019s-eye view of your Kubernetes setup. <a href=\"https:\/\/github.com\/aquasecurity\/kube-hunter\" target=\"_blank\" rel=\"noopener\">kube-hunter<\/a> is a set of Python scripts that hunt for security weaknesses and, in <em>Active Hunting<\/em> mode, exploit detected vulnerabilities in order to find further ones. It\u2019s quite a script kiddie-like experience simply executing these scripts against the public IP or domain name of your cluster, but a meaningful one.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cluster-Visualization\"><\/span>Cluster Visualization<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Maintaining an overview of what\u2019s running in your cluster is essential, not only for security reasons.
Deployed on each cluster node, <a href=\"https:\/\/github.com\/weaveworks\/scope\" target=\"_blank\" rel=\"noopener\">Weave Scope<\/a> can visualize the topology of our cluster at the application as well as the infrastructure level. It\u2019s definitely worth having a look at the docs to discover all the features Weave Scope offers.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Intrusion-Detection\"><\/span>Intrusion Detection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There is no such thing as <em>unhackable<\/em>, even after applying all the tools mentioned. How do we know if we\u2019ve been hacked?<\/p>\n<p><a href=\"https:\/\/falco.org\/\" target=\"_blank\" rel=\"noopener\">Falco<\/a> is a CNCF project for intrusion detection and can alert us if suspicious activities take place. It does so by using two types of event sources: syscalls executed on the nodes of our cluster as well as requests to the kube-apiserver logged by <a href=\"https:\/\/kubernetes.io\/docs\/tasks\/debug-application-cluster\/audit\/\" target=\"_blank\" rel=\"noopener\">Kubernetes Auditing<\/a>. Events from these sources are then matched against our own rules, which define how alerts should be handled. Falco provides a set of default rules, but customization with your own rules is also possible. Alerts can then be sent to Stdout, Syslog, Slack, Fluentd, \u2026 let your imagination run wild.<\/p>\n<p><a href=\"https:\/\/falco.org\/docs\/getting-started\/installation\/\" target=\"_blank\" rel=\"noopener\">Getting Falco up and running as a DaemonSet<\/a> on Kubernetes isn\u2019t that complicated, but remember to enable the audit logging feature of your kube-apiserver. There&#8217;s also a Helm Chart for deployment, if this is your preferred way.<\/p>\n<p>Hopefully, this snapshot of open source tools around Kubernetes security comes in handy on your road to DevSecOps. But it\u2019s no more than a snapshot. Stay tuned!
<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Read-on\"><\/span>Read on<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you want to join in on the fun have a look at our <a href=\"https:\/\/www.inovex.de\/de\/karriere\/stellenangebote\/\" target=\"_blank\" rel=\"noopener\">job offerings:<\/a>\u00a0We&#8217;re looking for juniors, seniors as well as working students. Read more about our take on <a href=\"https:\/\/www.inovex.de\/en\/our-services\/devops\/\" target=\"_blank\" rel=\"noopener\">DevOps<\/a> in our portfolio.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When securing K8s based environments many different issues arise\u2014from checking the actual cluster configuration to configuring K8s features like Network Policies, Pod Security Policies, Namespaces and RBAC up to the security of your images on application level. And there are even more tools that try to tackle these issues. Don\u2019t waste your time searching and [&hellip;]<\/p>\n","protected":false},"author":120,"featured_media":16671,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[66,101],"service":[432,879],"coauthors":[{"id":120,"display_name":"Leon Becker","user_nicename":"lbecker"}],"class_list":["post-16617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-devops","tag-security","service-devops","service-security"],"acf":[]}