Kubernetes-native security tool kit.
Table of Contents
Introduction
Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl
-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.
You can read more about the motivations and use cases here and join our discussions here.
Installation
This guide shows how to install the Starboard CLI from source,
or from pre-built binary releases.
From the Binary Releases
Every release of Starboard provides binary releases for a variety of operating systems. These
binary versions can be manually downloaded and installed.
- Download your desired version
- Unpack it (
tar -zxvf starboard_darwin_x86_64.tar.gz
)
- Find the
starboard
binary in the unpacked directory, and move it to its desired destination
(mv starboard_darwin_x86_64/starboard /usr/local/bin/starboard
)
From there, you should be able to run Starboard CLI commands: starboard help
kubectl plugin
The Starboard CLI is compatible with kubectl and is intended as kubectl plugin,
but it's perfectly fine to run it as a stand-alone executable. If you rename the starboard
executable to
kubectl-starboard
and if it's in your path, you can invoke it using kubectl starboard
.
After following the Krew installation documentation, you can install starboard with the
Krew plugins manager:
$ kubectl krew install starboard
$ kubectl starboard help
From Source (Linux, macOS)
Building from source is slightly more work, but is the best way to go if you want to test the latest (pre-release)
version of Starboard.
You must have a working Go environment.
$ git clone git@github.com:aquasecurity/starboard.git
$ cd starboard
$ make
If required, it will fetch the dependencies and cache them. It will then compile starboard
and place it in
bin/starboard
.
Getting Started
The easiest way to get started with Starboard is to use Starboard CLI, which allows scanning Kubernetes
workloads deployed in your cluster.
To begin with, execute the following one-time setup command:
$ starboard init
The init
subcommand creates the starboard
namespace, in which Starboard executes Kubernetes Jobs to perform
scans. It also sends custom security resources definitions to the Kubernetes API:
$ kubectl api-resources --api-group aquasecurity.github.io
NAME SHORTNAMES APIGROUP NAMESPACED KIND
ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
vulnerabilities vulns,vuln aquasecurity.github.io true Vulnerability
There's also a starboard cleanup
subcommand, which can be used to remove all resources created by Starboard.
As an example let's run an old version of nginx
that we know has vulnerabilities. Create an nginx
Deployment in the
dev
namespace:
$ kubectl create deployment nginx --image nginx:1.16 --namespace dev
Run the scanner to find the vulnerabilities:
$ starboard find vulnerabilities deployment/nginx --namespace dev
Behind the scenes, this uses Trivy to identify vulnerabilities in the container images associated with the specified deployment. Once this has been done, you can retrieve the latest vulnerability reports for this workload:
$ starboard get vulnerabilities deployment/nginx \
--namespace dev \
--output yaml
Starboard relies on labels and label selectors to associate vulnerability reports with the specified Deployment.
For a Deployment with N container images Starboard creates N instances of vulnerabilities.aquasecurity.github.io
resources. In addition, each instance has the starboard.container.name
label to associate it with a particular
container's image. This means that the same data retrieved by the starboard get vulnerabilities
subcommand can be
fetched with the standard kubectl get
command:
$ kubectl get vulnerabilities \
--selector starboard.resource.kind=Deployment,starboard.resource.name=nginx \
--namespace dev \
--output yaml
In this example, the nginx
deployment has a single container called nginx
, hence only one instance of the
vulnerabilities.aquasecurity.github.io
resource is created with the label starboard.container.name=nginx
.
To read more about custom resources and label selectors check Custom Security Resources Specification.
The Starboard Octant plugin displays the same vulnerability reports in Octant's UI.
Check the plugin's repository for installation instructions.
Next Steps
Let's take the same nginx
Deployment and audit its Kubernetes configuration. As you remember we've created it with
the kubectl create deployment
command which applies the default settings to the deployment descriptors. However, we
also know that in Kubernetes the defaults are usually the least secure.
Run the scanner to audit the configuration using Polaris:
$ starboard polaris
Note that currently the polaris
subcommand scans workloads in all namespaces. However, once we resolve
issue #29 it will be possible to scan just a single deployment with
starboard polaris deployment/nginx --namespace dev
.
Retrieve the configuration audit report:
$ starboard get configaudit deployment/nginx \
--namespace dev \
--output yaml
or
$ kubectl get configaudit \
--selector starboard.resource.kind=Deployment,starboard.resource.name=nginx \
--namespace dev \
--output yaml
Similar to vulnerabilities the Starboard Octant plugin can visualize config audit reports. What's more important,
Starboard and Octant provide a single pane view with visibility into potentially dangerous and exploitable
vulnerabilities as well as configuration issues that might affect stability, reliability, and scalability of the
nginx
Deployment.
To learn more about the available Starboard commands and scanners, such as kube-bench or
kube-hunter, use starboard help
.
Custom Security Resources Definitions
This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code
generated by Kubernetes code generators to write such custom resources in a natural way.
See Custom Security Resources Specification for the detailed explanation of custom resources
used by Starboard and their lifecycle.
Starboard CLI
Starbord CLI is a single executable binary which can be used to find risks, such as vulnerabilities or insecure Pod
specs, in Kubernetes workloads. By default, the risk assessment reports are stored as
custom security resources.
To learn more about the available Starboard CLI commands, run starboard help
or type a command followed by the
-h
flag:
$ starboard kube-hunter -h
Troubleshooting
"starboard" cannot be opened because the developer cannot be verified. (macOS)
Since Starboard CLI is not registered with Apple by an identified developer, if you try to run it for the first time
you might get a warning dialog. This doesn't mean that something is wrong with the release binary, rather macOS can't
check whether the binary has been modified or broken since it was released.
To override your security settings and use the Starboard CLI anyway, follow these steps:
-
In the Finder on your Mac, locate the starboard
binary.
-
Control-click the binary icon, then choose Open from the shortcut menu.
-
Click Open.
The starboard
is saved as an exception to your security settings, and you can use it just as you can any registered
app.
You can also grant an exception for a blocked Starboard release binary by clicking the Allow Anyway button in the
General pane of Security & Privacy preferences. This button is available for about an hour after you try to run the
Starboard CLI command.
To open this pane on your Mac, choose Apple menu > System Preferences, click Security & Privacy, then click General.
Contributing
At this early stage we would love your feedback on the overall concept of Starboard. Over time we'd love to see
contributions integrating different security tools so that users can access security information in standard,
Kubernetes-native ways.
See our hacking guide for getting your development environment setup.
See our roadmap for tentative features in a 1.0 release.
License
This repository is available under the Apache License 2.0.