README
¶
Kubernetes-native security toolkit. (Documentation)
Introduction
The Tunnel Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues. The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API. The Operator does this by watching Kubernetes for state changes and automatically triggering security scans in response. For example, a vulnerability scan is initiated when a new Pod is created.
This way, users can find and view the risks that relate to different resources in a Kubernetes-native way.
In-cluster Security Scans
The Tunnel Operator automatically generates and updates security reports. These reports are generated in response to new workload and other changes on a Kubernetes cluster, generating the following reports:
- Vulnerability Scans: Automated vulnerability scanning for Kubernetes workloads.
- ConfigAudit Scans: Automated configuration audits for Kubernetes resources with predefined rules or custom Open Policy Agent (OPA) policies.
- Exposed Secret Scans: Automated secret scans which find and detail the location of exposed Secrets within your cluster.
- RBAC scans: Role Based Access Control scans provide detailed information on the access rights of the different resources installed.
- K8s core component infra assessment scan Kubernetes infra core components (etcd,apiserver,scheduler,controller-manager and etc) setting and configuration.
- k8s outdated api validation - a configaudit check will validate if the resource api has been deprecated and planned for removal
- Compliance reports
- NSA, CISA Kubernetes Hardening Guidance v1.1 cybersecurity technical report is produced.
- CIS Kubernetes Benchmark v1.23 cybersecurity technical report is produced.
- Kubernetes pss-baseline, Pod Security Standards
- Kubernetes pss-restricted, Pod Security Standards
- SBOM (Software Bill of Materials genertations) for Kubernetes workloads.
Please star ⭐ the repo if you want us to continue developing and improving tunnel-operator! 😀
Usage
The official Documentation provides detailed installation, configuration, troubleshooting, and quick start guides.
You can install the Tunnel-operator Operator with Static YAML Manifests and follow the Getting Started guide to see how vulnerability and configuration audit reports are generated automatically.
Quick Start
The Tunnel Operator can be installed easily through the Helm Chart:
Add the Aqua chart repository:
helm repo add aqua https://khulnasoft.github.io/helm-charts/
helm repo update
Install the Helm Chart:
helm install tunnel-operator aqua/tunnel-operator \
--namespace tunnel-system \
--create-namespace \
--version 0.18.4
This will install the Trivy Helm Chart into the tunnel-system namespace and start triggering the scans.
Status
Although we are trying to keep new releases backward compatible with previous versions, this project is still incubating, and some APIs and Custom Resource Definitions may change.
Contributing
At this early stage we would love your feedback on the overall concept of Tunnel-Operator. Over time, we'd love to see contributions integrating different security tools so that users can access security information in standard, Kubernetes-native ways.
- See Contributing for information about setting up your development environment, and the contribution workflow that we expect.
- Please ensure that you are following our Code Of Conduct during any interaction with the Aqua projects and their community.
Tunnel-Operator is an Khulnasoft Security open source project.
Learn about our Open Source Work and Portfolio.
Join the community, and talk to us about any matter in GitHub Discussions or Slack.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
itest
|
|
|
helper
The helper package provides builders to instantiate Kubernetes objects used in integration tests.
|
The helper package provides builders to instantiate Kubernetes objects used in integration tests. |
|
matcher
The matcher package provides domain-specific Gomega matchers.
|
The matcher package provides domain-specific Gomega matchers. |
|
pkg
|
|
|
apis/khulnasoft/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
|
Package v1alpha1 is the v1alpha1 version of the API. |
|
configauditreport
Package configauditreport provides primitives for working with Kubernetes workload configuration checkers.
|
Package configauditreport provides primitives for working with Kubernetes workload configuration checkers. |
|
docker
Package docker provides primitives for working with Docker.
|
Package docker provides primitives for working with Docker. |
|
infraassessment
Package infraassessment provides primitives for working with Kubernetes workload rbac assessment checkers.
|
Package infraassessment provides primitives for working with Kubernetes workload rbac assessment checkers. |
|
kube
Package kube provides primitives for working with Kubernetes objects.
|
Package kube provides primitives for working with Kubernetes objects. |
|
operator
Package operator provides primitives for implementing Tunnel-Operator Operator.
|
Package operator provides primitives for implementing Tunnel-Operator Operator. |
|
plugins/tunnel
Package trivy provides primitives for working with Trivy.
|
Package trivy provides primitives for working with Trivy. |
|
rbacassessment
Package rbacassessment provides primitives for working with Kubernetes workload rbac assessment checkers.
|
Package rbacassessment provides primitives for working with Kubernetes workload rbac assessment checkers. |
|
tunneloperator
Package tunneloperator provides primitives for working with Tunnel-operator toolkit.
|
Package tunneloperator provides primitives for working with Tunnel-operator toolkit. |
|
vulnerabilityreport
Package vulnerabilityreport provides primitives for working with vulnerability scanners.
|
Package vulnerabilityreport provides primitives for working with vulnerability scanners. |