Top 8 RBAC Tools Every Kubernetes Admin Should Know
Role-Based Access Control (RBAC) is important for managing permissions in Kubernetes environments, ensuring that users...
Dec 6, 2021
There were several security assessments and compliance frameworks in Kubescape before we released ARMOBest – NSA-CISA and MITRE. Naturally, people ask, why another one? Especially, if it’s not coming from a well-known source that some people may be required to comply with.
Some frameworks, like MITRE, are designed bottom-up, mainly focusing on the infrastructure. Others, like NSA-CISA, are designed top-down, paying more attention to the application side. Naturally, it leaves gaps in the coverage.
After developing several frameworks, we saw these gaps and realized that there is a need for additional controls. For example, all known frameworks mention “exec” into containers permission but do not mention “portforwarding”. Some frameworks require checking the origin and vulnerabilities of containers but do not require container “entry point” override check, which allows using legitimate containers for illegitimate purposes. One may argue that checking for RBAC role impersonation permission is part of the overall “least privilege” principle but providing a separate control for this not only finds the problems but also points to the precise place for their remediation.
The ARMOBest framework provides several verifications that are overlooked by other frameworks. It is designed by our experts with deep knowledge of Kubernetes, Linux, Containers, and Security in general, and looks at the problems that may cross-domain expertise boundaries.
ARMOBest checks for critical K8s vulnerabilities you should worry about.
We are monitoring the latest Kubernetes vulnerability reports and including them in ARMOBest framework immediately after they are published. A verification control for the last CVE-2021-25742, was released in just a few hours after the official CVE was published and we will continue to do so.
ARMOBest framework includes distinctive controls that can’t be found in any other framework:
In addition, ARMOBest framework includes all the security-focused controls from other frameworks, which makes it more suitable for deeper posture verification. Of course, if customers must check compliance readiness for a specific well-known framework, they should scan using that framework.
We will continuously extend ARMOBest framework with new findings combining all the field experience we gather with our users and all known vulnerabilities sources. We welcome everybody to collaborate with us and let your knowledge help others. So maybe eventually we will rename this framework to WORLDBest…😊
Click here to learn more about Kubernetes security best practices
Role-Based Access Control (RBAC) is important for managing permissions in Kubernetes environments, ensuring that users...
This guide explores the challenges of RBAC implementation, best practices for managing RBAC in Kubernetes,...
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...