Static analysis tool automates YAML file and Helm chart checks to ensure Kubernetes configurations follow security best-practices and support security-as-code
StackRox, the leader in container and Kubernetes security, today announced the release of KubeLinter, its new open source static analysis tool to identify misconfigurations in Kubernetes deployments. KubeLinter offers the ability to automate the analysis of Kubernetes YAML files and Helm charts prior to deployment into a cluster to validate that Kubernetes has been configured following security best practices. This enhances developer productivity, integrating security-as-code with DevOps and DevSecOps processes while ensuring the automatic enforcement of hardened security policies for Kubernetes applications. Watch this short video for an overview of KubeLinter.
“We developed KubeLinter to provide the Kubernetes community with a better, more automated way to identify misconfigurations and deviations from best practices that limit organizations from realizing the full potential of cloud-native applications,” said Ali Golshan, StackRox co-founder and CTO. “Releasing KubeLinter as an open source tool will ultimately help Kubernetes users create hardened environments that are increasingly resistant to the inherent risks generated by the frequent configuration changes common in development practices.”
“After downloading and running the built-in checks, I was able to quickly identify several ways we could incorporate KubeLinter into our developer workflows and enforce that our Kubernetes YAML files were consistent with our policies,” said Pranava Adduri, Entrepreneur In Residence at Greylock, and a former tech lead at AWS who worked on EKS. “It works great out of the box and fills a gap previously unaddressed in the ecosystem – I can see this adding a lot of value to any team working with Kubernetes and engendering an open-source community that’ll extend its capabilities.”
According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes the majority of security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of cases reported by survey respondents. KubeLinter provides an automated means to carry out configuration checks, a complex, error-prone process traditionally done manually. KubeLinter can also be integrated into continuous integration (CI) systems to simplify how changes are proposed and made to YAML files and Helm charts by developers and security teams.
“If you’ve spent time crafting Kubernetes YAML files, you know it can be pretty arduous — there are so many different objects, so many knobs and dials, so many cross-references to keep track of,” said Viswajith Venugopal, StackRox software engineer and lead developer of KubeLinter. “Further, in most cases, default configurations for Kubernetes objects are geared towards making it easy for users to get their apps up-and-running quickly, and not for secure, production-ready configurations. KubeLinter is our answer to this problem.”
KubeLinter enables users to treat configurations as code and build security into the application development process earlier. In contrast to Kubernetes defaults, KubeLinter’s defaults are security-centric, so users will have to explicitly opt-in to configure Kubernetes in a manner that is considered insecure. The built-in checks provided by KubeLinter can be easily extended to include custom checks for many Kubernetes configuration parameters. As an open source tool available under the Apache 2.0 license, users will also be able to contribute to the project by extending KubeLinter with additional checks for community use.