Ultimate DevSecOps Bootcamp by School of Devops: Securing Kubernetes Deployments
Doing:
2026.01.04
Installing a Single Node Kubernetes Environment
Running CIS Benchmark Scans
https://dev-sec.io/baselines/kubernetes/
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
$ cd ~/tmp
$ git clone https://github.com/dev-sec/cis-kubernetes-benchmark
$ inspec exec ~/tmp/cis-kubernetes-benchmark
Profile Summary: 46 successful controls, 34 control failures, 42 controls skipped
Test Summary: 85 successful, 59 failures, 44 skipped
Here is your license key: free-72b8655e-a93d-45f6-b12a-f871ef1f5d0e-3709
Kube Bench
$ cd ~/tmp
$ git clone https://github.com/aquasecurity/kube-bench.git
$ cd kube-bench
$ kubectl apply -f job.yaml
$ kubectl get pods
NAME               READY   STATUS    RESTARTS   AGE
kube-bench-hnnsx   0/1     Pending   0          51s
$ kubectl logs kube-bench-hnnsx
Kube Hunter
$ cd ~/tmp
$ git clone https://github.com/aquasecurity/kube-hunter.git
$ cd kube-hunter
$ kubectl apply -f job.yaml
Analysing Deployment Manifests with Kube-Scan
https://kubesec.io/
$ cd ~/tmp
$ git clone https://github.com/wildmakaka/dso-demo.git
$ cd dso-demo/deploy/
$ docker run -i kubesec/kubesec scan /dev/stdin < dso-demo-deploy.yaml
stage('Scan k8s Deploy Code') {
    steps {
        container('docker-tools') {
            // kubesec exits non-zero (default 2) when the manifest fails its scan,
            // so the sh step, and with it the stage, fails on an insecure manifest
            sh 'kubesec scan deploy/dso-demo-deploy.yaml'
        }
    }
}
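To see what the kubesec scan above (run by hand and from the Jenkins stage) actually looks for, here is an added example, not code from the bootcamp, kubesec or the dso-demo repo: a minimal kubesec-style scorer over a Deployment held as plain dicts, run on a constructed weak manifest and its hardened counterpart. The selector strings mimic kubesec.io's report; the weights are assumptions.

```python
# Added example, not code from the bootcamp or the dso-demo repo: a minimal
# kubesec-style check over a Deployment manifest held as plain dicts (no YAML
# library needed). Selector strings mimic kubesec.io's report; the weights
# (-30 per critical advisory, +1 per satisfied hardening rule) are assumptions.

def _sc(obj, key):
    """Read one securityContext field from a pod or container spec."""
    return (obj.get("securityContext") or {}).get(key)

def score_deployment(manifest):
    """Return (score, critical, passed) for a Deployment's pod template."""
    pod = manifest["spec"]["template"]["spec"]
    critical, passed = [], []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):  # host namespace sharing
        if pod.get(flag) is True:
            critical.append(f".spec.{flag} == true")
    if pod.get("serviceAccountName"):  # avoids the namespace's default SA
        passed.append(".spec.serviceAccountName")
    for c in pod.get("containers", []):
        n = f"containers[{c.get('name', '?')}].securityContext"
        if _sc(c, "privileged") is True:
            critical.append(f"{n}.privileged == true")
        if _sc(c, "runAsNonRoot") is True or _sc(pod, "runAsNonRoot") is True:
            passed.append(f"{n}.runAsNonRoot == true")
        if _sc(c, "readOnlyRootFilesystem") is True:
            passed.append(f"{n}.readOnlyRootFilesystem == true")
        if _sc(c, "allowPrivilegeEscalation") is False:
            passed.append(f"{n}.allowPrivilegeEscalation == false")
        if "ALL" in ((_sc(c, "capabilities") or {}).get("drop") or []):
            passed.append(f'{n}.capabilities.drop | index("ALL")')
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" in limits and "memory" in limits:
            passed.append(f"containers[{c.get('name', '?')}].resources.limits")
    return len(passed) - 30 * len(critical), critical, passed

# Constructed manifests standing in for deploy/dso-demo-deploy.yaml.
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "dso-demo", "image": "dso-demo:latest",
                    "securityContext": {"privileged": True}}]}}}}
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "serviceAccountName": "dso-demo",
    "containers": [{"name": "dso-demo", "image": "dso-demo:latest",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    "securityContext": {"runAsNonRoot": True,
                                        "readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        score, critical, passed = score_deployment(m)
        print(f"{label}: score={score} critical={critical} passed={passed}")
```

The weak manifest scores -60 with two critical advisories (host networking and a privileged container), the hardened one scores 6 with none; the real kubesec report carries the same selectors with its own point values.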