MKIT – Managed Kubernetes Inspection Tool
Quickly discover key security risks of your managed Kubernetes clusters and resources
MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. It runs entirely from a local Docker container and queries your cloud provider’s APIs and the Kubernetes API to determine if certain misconfigurations are found. The same Docker container then launches a web UI to view and navigate the results on localhost:8000.
Who is this for?
MKIT provides security-minded Kubernetes cluster administrators with a quick way to assess several common misconfigurations in their Kubernetes environment.
Which Managed Kubernetes providers are supported?
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
Note: Authenticating to AKS-Engine clusters using Azure AD is not yet supported. For now, ensure your kubeconfig entry is generated using az aks get-credentials.
What if I’m running Kubernetes, not on AKS, EKS, or GKE?
You can run the in-cluster Kubernetes checks by themselves. See the steps for targeting k8s instead of aks, eks, or gke.
What does MKIT check for?
MKIT uses Chef InSpec-formatted profiles, which are located at the following repositories:
- https://github.com/darkbitio/inspec-profile-aks
- https://github.com/darkbitio/inspec-profile-eks
- https://github.com/darkbitio/inspec-profile-gke
- https://github.com/darkbitio/inspec-profile-k8s
What does it do?
When you run make with the appropriate parameters, MKIT uses your credentials to query the cloud provider's APIs for the specified cluster and validates its configuration. It then connects to the cluster directly via the Kubernetes API server to validate several configuration items inside the cluster. Finally, it combines those results into a format viewable by the mkit-ui, which is launched inside the mkit container and listens on http://localhost:8000.
Sensitive Data
All results are stored inside the container for the life of that MKIT run, and they are not uploaded or shared in any way.
Viewing Results
The MKIT web UI (http://localhost:8000) shows all of the results on a single page. Failed checks appear first, followed by passed checks. Clicking view all will show all of the underlying resources impacted by the checks and whether they passed or failed.
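As an added example (not code from the MKIT project), the following shows how the combining step described under "What does it do?" and the failed-first, per-resource view described here could be produced from InSpec's JSON reporter output. The sample report, control ids and resource names are constructed; the field names (profiles, controls, results, status, code_desc) are assumed to follow InSpec's json reporter.

```python
import json
from collections import Counter

# Constructed sample in the shape of InSpec's JSON reporter output, trimmed to
# the fields used below. Control ids, titles and resource names are made up.
SAMPLE_REPORT = json.dumps({
    "profiles": [{
        "name": "inspec-profile-k8s",
        "controls": [
            {"id": "k8s-1", "title": "Pods should not run as privileged",
             "impact": 0.7,
             "results": [
                 {"status": "passed", "code_desc": "Pod default/web-1 privileged should eq false"},
                 {"status": "failed", "code_desc": "Pod kube-system/agent-1 privileged should eq false"},
             ]},
            {"id": "k8s-2", "title": "Namespaces should have a network policy",
             "impact": 0.5,
             "results": [
                 {"status": "passed", "code_desc": "Namespace default should have a network policy"},
                 {"status": "skipped", "code_desc": "Namespace kube-public skipped"},
             ]},
        ],
    }],
})


def summarize(report_json):
    """Flatten InSpec JSON reporter output into per-control summaries.

    A control is 'failed' if any underlying resource result failed, otherwise
    'passed'. Each control keeps its per-resource results so a UI can show which
    resources passed or failed ("view all"). Failed controls sort first, then by
    impact descending, then by control id for a stable order.
    """
    report = json.loads(report_json)
    controls = []
    for profile in report.get("profiles", []):
        for ctl in profile.get("controls", []):
            results = ctl.get("results", [])
            statuses = Counter(r["status"] for r in results)
            controls.append({
                "profile": profile["name"],
                "id": ctl["id"],
                "title": ctl.get("title", ""),
                "impact": float(ctl.get("impact", 0)),
                "status": "failed" if statuses["failed"] else "passed",
                "resources": [(r["code_desc"], r["status"]) for r in results],
            })
    controls.sort(key=lambda c: (c["status"] != "failed", -c["impact"], c["id"]))
    return controls


if __name__ == "__main__":
    for c in summarize(SAMPLE_REPORT):
        print(f"[{c['status'].upper()}] {c['id']}: {c['title']}")
        for desc, status in c["resources"]:
            print(f"    {status:8} {desc}")
```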
Install && Use
Copyright (c) 2020 Darkbit, LLC