StackRox announced the release of
KubeLinter, its new open source static analysis tool to identify
misconfigurations in Kubernetes deployments. KubeLinter offers the ability to
automate the analysis of Kubernetes YAML files and Helm charts prior to
deployment into a cluster to validate that Kubernetes has been configured
following security best practices. This enhances developer productivity,
integrating security-as-code with DevOps and DevSecOps processes while ensuring
the automatic enforcement of hardened security policies for Kubernetes
applications.
"We developed KubeLinter to provide the Kubernetes community with a better, more automated way to identify misconfigurations and deviations from best practices that limit organizations from realizing the full potential of cloud-native applications," said Ali Golshan, StackRox co-founder and CTO. "Releasing KubeLinter as an open source tool will ultimately help Kubernetes users create hardened environments that are increasingly resistant to the inherent risks generated by the frequent configuration changes common in development practices."
"After downloading and running the built-in checks, I was able to quickly identify several ways we could incorporate KubeLinter into our developer workflows and enforce that our Kubernetes YAML files were consistent with our policies," said Pranava Adduri, Entrepreneur In Residence at Greylock, and a former tech lead at AWS who worked on EKS. "It works great out of the box and fills a gap previously unaddressed in the ecosystem - I can see this adding a lot of value to any team working with Kubernetes and engendering an open-source community that'll extend its capabilities."
According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes the majority of security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of cases reported by survey respondents. KubeLinter provides an automated means to carry out configuration checks, a complex, error-prone process traditionally done manually. KubeLinter can also be integrated into continuous integration (CI) systems to simplify how changes to YAML files and Helm charts are proposed and made by developers and security teams.
"If you've spent time crafting Kubernetes YAML files, you know it can be pretty arduous -- there are so many different objects, so many knobs and dials, so many cross-references to keep track of," said Viswajith Venugopal, StackRox software engineer and lead developer of KubeLinter. "Further, in most cases, default configurations for Kubernetes objects are geared towards making it easy for users to get their apps up-and-running quickly, and not for secure, production-ready configurations. KubeLinter is our answer to this problem."
KubeLinter enables users to treat configurations as code and build security into the application development process earlier. In contrast to Kubernetes defaults, KubeLinter's defaults are security-centric, so users have to explicitly opt in to configure Kubernetes in a manner that is considered insecure. The built-in checks provided by KubeLinter can be easily extended with custom checks covering many Kubernetes configuration parameters. Because KubeLinter is open source under the Apache 2.0 license, users can also contribute to the project by adding checks for community use.
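The paragraph above makes a concrete point: the Kubernetes default for most hardening settings is the permissive one, so a linter with security-centric defaults has to flag the absence of a setting, not just a wrong value. The following is an added illustrative example written for this page; it is not KubeLinter's code, and the check labels and sample manifests are made up here (they are not KubeLinter check IDs). It parses two constructed Deployment manifests written in JSON, which Kubernetes accepts alongside YAML and which keeps the script dependent only on the standard library, and reports every container that has not opted in to a hardening setting or has not set resource limits.

```python
"""Minimal illustrative manifest linter (constructed example, not KubeLinter's code)."""
import json

# Constructed manifest that relies entirely on Kubernetes defaults.
DEFAULT_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "web-default"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "example/web:1.0"}
  ]}}}
}
""")

# Constructed manifest that explicitly opts in to each hardening setting.
HARDENED_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "web-hardened"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "example/web:1.0",
     "securityContext": {"runAsNonRoot": true,
                         "readOnlyRootFilesystem": true,
                         "privileged": false,
                         "allowPrivilegeEscalation": false,
                         "capabilities": {"drop": ["ALL"]}},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                   "requests": {"cpu": "100m", "memory": "128Mi"}}}
  ]}}}
}
""")


def containers(manifest):
    """Return all containers of a workload that carries a Pod template (Deployment, etc.)."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def check_container(container):
    """Return a list of (check_label, message) findings for one container.

    Each check fires when a hardening field is *absent* or set to the permissive
    value, because the Kubernetes default is permissive: a manifest has to opt in
    to be considered safe. The labels are this example's own, not KubeLinter's.
    """
    sc = container.get("securityContext", {})
    findings = []
    if sc.get("runAsNonRoot") is not True:
        findings.append(("run-as-non-root", "runAsNonRoot is not true; container may run as root"))
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(("read-only-root-fs", "readOnlyRootFilesystem is not true"))
    if sc.get("privileged") is True:
        findings.append(("privileged-container", "container is privileged"))
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(("allow-privilege-escalation", "allowPrivilegeEscalation is not false"))
    limits = container.get("resources", {}).get("limits", {})
    for resource in ("cpu", "memory"):
        if resource not in limits:
            findings.append((f"unset-{resource}-limit", f"no {resource} limit set"))
    return findings


def lint(manifest):
    """Lint one manifest: {container_name: [findings]} for containers with findings only."""
    report = {}
    for container in containers(manifest):
        found = check_container(container)
        if found:
            report[container.get("name", "<unnamed>")] = found
    return report


if __name__ == "__main__":
    for manifest in (DEFAULT_DEPLOYMENT, HARDENED_DEPLOYMENT):
        name = manifest["metadata"]["name"]
        report = lint(manifest)
        print(f"{name}: {'clean' if not report else ''}")
        for container_name, findings in report.items():
            for label, message in findings:
                print(f"  {container_name}: [{label}] {message}")
```

Run as a script, the default manifest produces five findings for its one container while the hardened manifest is reported clean. The design point to notice is that `check_container` tests `is not True` / `is not False` rather than equality with a value, so a missing field and a wrongly-set field are both treated as the insecure case, which is what "security-centric defaults" means in practice.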
To download and get started with KubeLinter, visit GitHub: https://github.com/stackrox/kube-linter.