KusionStack
Integration: Integrate more Auditors
What would you like to be added?
Integrate more Auditors (now only KubeAudit is integrated), such as kube-score
Why is this needed?
In order to better ensure the security of user clusters and resources, it is necessary to integrate more auditors to enhance security and compliance capabilities.
@Cookiery Brother, amazing. This task is a little difficult, but because KubeAudit has been archived, it is necessary to find a new and healthy auditors project. Here is an issue #639 that may be of reference to you.
Thanks, which one to plug is better? kube-score: 2.9k stars, 40 contributors. poyeye: 5.5k stars, 62 contributiors.
I'll try poyeye first, is that okay?
If I don't upgrade go module, it will be very difficult for me to complete this task. Please remove my assignment.
The libraries used by karpor are too outdated. Even though I am using popeye v0.21.0, which is compatible with the Golang version, I still need to replace many libraries.
Thanks!
https://github.com/KusionStack/karpor/issues/814
@Cookiery Hi, please refer to our latest reply #814 , it should no longer block your process
@Cookiery Hi, I've collected more similar open-source projects recently for your reference
| Tool Name | Scan Scope | Main Focus | Key Features | Integration Capabilities | Customization Options | Report Formats |
| kube-score | Static | Reliability, Security | YAML and Helm Chart static analysis, provides improvement suggestions, Web UI, CI/CD integration | CI/CD pipelines, GitHub Action, Helm, Kustomize | Ignore checks via annotations, specify Kubernetes version | Human-readable, JSON, CI, SARIF |
| Popeye | Runtime | Cluster health, configuration | Scans running clusters, reports potential issues, resource allocation reports, Prometheus metrics, customizable linter | Prometheus, Grafana | Customizable linter, exclude specific resources or checks | Standard text, YAML, JSON, HTML, JUnit |
| kube-bench | Static/Runtime | CIS Compliance | Checks Kubernetes deployments against CIS Benchmark, YAML configuration tests | Trivy | Configure test items via YAML files | Standard text |
| kubeaudit | Static/Local/Runtime | Security | Audits Kubernetes cluster security controls, supports multiple audit modes, auto-fixes manifest files, configurable severity | Not specifically mentioned | Configurable auditors, specify configurations | Human-readable, JSON, SARIF |
| Kubescape | Static/Runtime | Security, Compliance | Risk analysis, security, compliance, and misconfiguration scanning, supports multiple frameworks, IDE and CI/CD integration, CLI and Operator | IDE (Lens, VS Code), CI/CD (GitHub, GitLab) | Custom policies | Console, JSON, JUnit XML, SARIF, HTML, PDF |
| Trivy | Static/Runtime | Vulnerabilities, configuration, secrets | Scans container images, file systems, Git repositories, Kubernetes clusters for vulnerabilities, generates SBOM | GitHub Actions, Kubernetes Operator, VS Code plugin | Custom scanners, policies | Multiple formats, including table and JSON |
| Falco | Runtime | Runtime security | Real-time system call monitoring, detects abnormal behavior, customizable rule engine, real-time alerts | SIEM, data lake systems | Custom rules | Standard output, integrable into other systems |
| KubeLinter | Static | Production readiness, security | YAML and Helm Chart static analysis, default and custom checks, provides fix suggestions | CI/CD pipelines, GitHub Action | Enable/disable checks, create custom checks | Standard output, supports various formats |
| Conftest | Static | Policy enforcement | Tests configuration data using Rego language, supports multiple configuration formats | CI/CD pipelines | Write custom policies in Rego | Standard output, JSON, TAP |
| Kubeval | Static | Configuration validation | Validates YAML/JSON files against Kubernetes OpenAPI specifications, supports multiple versions | CI/CD pipelines | Test using custom API schemas | Plain text, JSON, TAP |
| Polaris | Static/Runtime | Policy enforcement | Policy engine, validates and fixes resource configurations, built-in and custom policies (JSON Schema), supports multiple operation modes | Slack, Datadog, Jira (via Fairwinds Insights) | Create custom policies using JSON Schema | Dashboard, admission control webhook, command-line output |
| kube-hunter | Runtime | Security penetration testing | Actively probes Kubernetes cluster for security weaknesses, supports multiple scanning modes, provides vulnerability knowledge base | HTTP (configured via environment variables) | Custom scanning options | Standard output, JSON |
I'm going to look into these services this week and try to get access to two projects that cover all of them, prioritizing CNCF project and Golang project that has module.
Tools
CNCF
Stars
Community Support
Integration
Trivy
Incubating
25k
Excellent
Kubescape
Incubating
10.6k
Good
Falco
Graduated
7.7k
Excellent
kube-bench
No
7.3k
Moderate
Popeye
No
5.5k
Good
Polaris
No
3.2k
Moderate
Kube-linter
No
3.1k
Limited
kube-score
No
2.9k
Limited
Conftest
No
2.9k
Moderate
Kubeval
No
3.2k
None
-
kube-hunter
No
4.8k
None
-
First exclude kubeval and kube-hunter, which are no longer maintained (no commits in a year)
The Trivy / Kubescape / Falco are CNCF project that could be considered for intergating first. From the perspective of community activity, Popeye is also a viable option to consider.
When I try to plugging the Kubescape and Popeye, I need to update the k8s.io/* to v0.30.11 (go still 1.22.0 version), and too many versions appeared to be incompatible.
I'd suggest starting another PR to update go.mod first and then consider introducing new intergations.
Another thing is whether we need to consider introducing dependbot (Golang projects basically have it added)
Thanks!
@Cookiery I apologize for the late reply. I was busy some time ago, and I'm back now. As discussed in the group before, I will first submit a PR to upgrade the go version and enable dependBot, keeping in line with the community mainstream. These are all good suggestions. Give me some time, and I will reply to the progress in this issue.