Introducing MKIT, a free, open-source tool that provides security-conscious Kubernetes cluster administrators a quick and easy way to assess several common misconfigurations of the cluster itself and the workloads running inside.
During our assessment engagements of Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE) clusters, we tend to find a common set of misconfigurations that leave organizations exposed to unnecessary risk or prevent them from detecting and responding to security incidents. We built MKIT as a self-contained, self-assessment tool to help organizations identify some of these common issues and to give guidance on how to address them.
MKIT was built entirely from open-source tools and libraries, and it is packaged and run as a single container image intended to be run from an administrator’s workstation. It first queries the cloud provider APIs to understand the configuration details of the AKS, EKS, or GKE cluster. Next, it connects directly to the cluster’s Kubernetes API to validate several in-cluster, resource-related issues. Here’s an example run against a GKE cluster:
    $ make run-gke project_id=my-gke-project location=us-central1 clustername=my-gke-cluster
    Generating results...done.
    kubeconfig entry generated for my-gke-cluster.
    Generating results...done.
    MKIT Running - browse to http://localhost:8000
Once the scan completes (30-90 seconds), the container launches a local web UI to navigate the results:
Clicking on an individual finding shows the details of the affected resources and additional information on the risk, level of effort to remediate, what the misconfiguration means to your security posture, details for performing remediation and validation, and references for more background information or provider-specific documentation.
To get started, visit the GitHub repository and follow the quick-start instructions. We’d love to hear your feedback.