Cloud Native Security Inspector (Project Narrows)
Cloud Native Security Inspector is an open source cloud native runtime security tool. It allows end users to assess
the security posture of Kubernetes clusters at runtime. This project will add dynamic scanning giving Security Auditors
greater awareness and control of running workloads.
Features
- View overall security posture of applications in runtime
- Policy-based scanning management
- Revise baseline policies as needed and prevent redeploying workloads sourced from vulnerable images
- Quarantine non-secure workloads
- Review and filter the assessment reports
- Event-driven K8s configuration security monitoring
- Open framework for any scanner and any report consumer
Architecture
Cloud Native Security Inspector consists of the following components:
- The Controller Manager: Helps to reconcile the Setting and InspectionPolicy CR, then provision the scanner workloads.
- The Portal: The UI developed by Narrows core team, by which you can do Setting/Policy management, review the reports and check the overall security postures.
- The Exporter: The exporter is a hub between the scanners and the report consumers. Any scanner can send a report to the exporter as long as it follows the protocol. The exporter is also easy to be extended to support more report consumers.
- The report consumers: The consumers are where to export the security report to. Currently the Exporter supports exporting reports to Opensearch and Elasticsearch. However, due to the license limitation, only OpenSearch is integrated with the Portal. Our Helm chart and deploy.sh file can install an opensearch for you.
With regards to scanners, currently we support 3 different kinds of scanners:
Harbor provides static analysis of vulnerabilities in images through the open source projects Trivy.
In CNSI, this capability is used to perform dynamic security application testing (DAST).
Kubebench scanner mainly cares about the underlying Kubernetes cluster.
It checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
The Risk scanner fetches the CVSS vectors
from the image vulnerability report, then reports scored-risks it observed in the vector.
Demo
Video Demo - Demo for Cloud Native Security Inspector features
Prerequisites
Deployment & Run
There are 2 options to deploy project Narrows if you would like to use the pre-built images from projects.registry.vmware.com
.
Option 1: Using Helm chart
Check this doc for details.
Option 2: Using our deploy.sh script
You need to clone the source code if you choose this option.
$ git clone https://github.com/vmware-tanzu/cloud-native-security-inspector.git
$ cd cloud-native-security-inspector
$ ./deploy.sh install
If you would like to build your customized image, you call follow below steps:
$ git clone https://github.com/vmware/cloud-native-security-inspector.git
Before building the images, please ensure you have installed and configured the golang SDK correctly. To install the golang SDK, please familiarize yourself with the Golang documentation.
Use the following commands to compile the source code and build the docker images, and deployed to your K8s cluster.
$ cd cloud-native-security-inspector
$ ./deploy.sh install --build-source
Verifying the deployment
You can use the following command to see if all the components have been started successfully in Kubernetes.
~ → kubectl get all -n cnsi-system
NAME READY STATUS RESTARTS AGE
pod/cloud-native-security-inspector-portal-7b4fb65c59-6nzmk 1/1 Running 0 17h
pod/cnsi-controller-manager-5586dcc798-znvqp 2/2 Running 37 (6m51s ago) 17h
pod/cnsi-exporter-69c786c9f-8frmk 1/1 Running 0 17h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cloud-native-security-inspector-portal-service NodePort 10.102.75.93 <none> 3800:30150/TCP 17h
service/cnsi-controller-manager-metrics-service ClusterIP 10.99.21.250 <none> 8443/TCP 17h
service/cnsi-exporter-service ClusterIP 10.104.26.251 <none> 6780/TCP 17h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cloud-native-security-inspector-portal 1/1 1 1 17h
deployment.apps/cnsi-controller-manager 1/1 1 1 17h
deployment.apps/cnsi-exporter 1/1 1 1 17h
NAME DESIRED CURRENT READY AGE
replicaset.apps/cloud-native-security-inspector-portal-7b4fb65c59 1 1 1 17h
replicaset.apps/cnsi-controller-manager-5586dcc798 1 1 1 17h
replicaset.apps/cnsi-exporter-69c786c9f 1 1 1 17h
Run
- Refer to the Tutorial for a quick guidance.
- Refer to the User Guide for more details on how to use Cloud Native Security Inspector.
Uninstalling
To uninstall Cloud Native Security Inspector, use the following command:
$ ./deploy.sh uninstall
For more details, please refer to the User Guide.
Email: narrows@vmware.com
License
Cloud Native Security Inspector is available under the Apache 2 license.