Open Source Projects

Aqua Open-Source Contributions

Aqua is committed to helping the container ecosystem deliver better and more secure code. We dedicate some of our resources to creating and maintaining open-source projects, as well as contributing to existing ones, including Moby and Kubernetes.

Kube-Bench on Github

Kube-Bench

Automating Kubernetes security checks
Kube-Bench automates the CIS Benchmark for Kubernetes, making it easy for operators to check whether each node in their Kubernetes cluster is configured according to security best practices.

The CIS benchmark document is over 200 pages long, so it would be impractical to run through it all by hand. It includes tests that check the parameters on running Kubernetes executables, and permissions and ownership on config files, looking for settings that would leave a cluster vulnerable to attack.

Kube-Bench is written in Go and takes YAML files for the test definitions, so it is easy to customize the test suite if required. It can also generate output in JSON format, which makes it easy to integrate into other automation tools.
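To make the mechanism concrete, here is an added example (not kube-bench's own code or schema) of the two kinds of check the text describes: inspecting the flags on a running Kubernetes executable's command line, and inspecting the permission mode on a config file, driven by data-defined test definitions and reported as JSON. Where kube-bench reads its definitions from YAML, this program keeps them as Go literals so it runs with no dependencies; the flag names are real kube-apiserver flags, but the check IDs, the sample command line and the recorded file mode are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// Check is one benchmark test definition (added example; kube-bench loads its
// own definitions from YAML). A check inspects either a flag or a file.
type Check struct {
	ID          string
	Text        string
	Flag        string      // command-line flag to inspect (flag checks)
	Want        string      // required value; "" means the flag only has to be present
	Path        string      // file to inspect (file checks)
	MaxMode     fs.FileMode // most permissive acceptable mode, e.g. 0o644
	Remediation string
}

// Result is what is emitted, as JSON, for each check.
type Result struct {
	ID          string `json:"id"`
	Text        string `json:"text"`
	Status      string `json:"status"` // "PASS" or "FAIL"
	Reason      string `json:"reason,omitempty"`
	Remediation string `json:"remediation,omitempty"`
}

// ModeLookup returns a file's permission mode. It is abstracted so checks can
// run against recorded modes (below) as well as the live filesystem.
type ModeLookup func(path string) (fs.FileMode, error)

// liveModes stats the real filesystem; use it on an actual node.
func liveModes(path string) (fs.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode(), nil
}

// staticModes builds a ModeLookup from a fixed table (constructed sample data).
func staticModes(table map[string]uint32) ModeLookup {
	return func(path string) (fs.FileMode, error) {
		m, ok := table[path]
		if !ok {
			return 0, fmt.Errorf("%s: no such file", path)
		}
		return fs.FileMode(m), nil
	}
}

// flagValue finds --name in a process command line, accepting both
// "--name=value" and "--name value", and reports whether it was present.
func flagValue(args []string, name string) (string, bool) {
	for i, a := range args {
		if a == name {
			if i+1 < len(args) && !strings.HasPrefix(args[i+1], "--") {
				return args[i+1], true
			}
			return "", true
		}
		if strings.HasPrefix(a, name+"=") {
			return strings.TrimPrefix(a, name+"="), true
		}
	}
	return "", false
}

// evaluate runs one check against the observed command line and file modes.
func evaluate(c Check, args []string, modes ModeLookup) Result {
	r := Result{ID: c.ID, Text: c.Text, Status: "PASS"}
	switch {
	case c.Flag != "":
		v, ok := flagValue(args, c.Flag)
		if !ok {
			r.Status, r.Reason = "FAIL", c.Flag+" is not set"
		} else if c.Want != "" && v != c.Want {
			r.Status, r.Reason = "FAIL", fmt.Sprintf("%s is %q, want %q", c.Flag, v, c.Want)
		}
	case c.Path != "":
		mode, err := modes(c.Path)
		if err != nil {
			r.Status, r.Reason = "FAIL", err.Error()
		} else if mode.Perm()&^c.MaxMode != 0 { // any bit beyond the allowed mask fails
			r.Status = "FAIL"
			r.Reason = fmt.Sprintf("%s is %04o, should be %04o or stricter", c.Path, mode.Perm(), c.MaxMode)
		}
	}
	if r.Status == "FAIL" {
		r.Remediation = c.Remediation
	}
	return r
}

// runChecks evaluates every check and returns the results in definition order.
func runChecks(checks []Check, args []string, modes ModeLookup) []Result {
	out := make([]Result, 0, len(checks))
	for _, c := range checks {
		out = append(out, evaluate(c, args, modes))
	}
	return out
}

// failures counts FAIL results, the number a pipeline would gate on.
func failures(results []Result) int {
	n := 0
	for _, r := range results {
		if r.Status == "FAIL" {
			n++
		}
	}
	return n
}

// sampleChecks: three checks in the spirit of the CIS benchmark (real flags, illustrative IDs).
var sampleChecks = []Check{
	{ID: "api-1", Text: "Ensure --anonymous-auth is set to false", Flag: "--anonymous-auth", Want: "false",
		Remediation: "Set --anonymous-auth=false on the kube-apiserver command line"},
	{ID: "api-2", Text: "Ensure --audit-log-path is set", Flag: "--audit-log-path",
		Remediation: "Set --audit-log-path to a file that receives API audit events"},
	{ID: "file-1", Text: "Ensure the API server pod spec file permissions are 644 or more restrictive",
		Path: "/etc/kubernetes/manifests/kube-apiserver.yaml", MaxMode: 0o644,
		Remediation: "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"},
}

func main() {
	// Constructed sample input: one kube-apiserver command line and one recorded file mode.
	args := strings.Fields("kube-apiserver --anonymous-auth=true --audit-log-path /var/log/kube-audit.log")
	modes := staticModes(map[string]uint32{"/etc/kubernetes/manifests/kube-apiserver.yaml": 0o664})
	results := runChecks(sampleChecks, args, modes)
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(results); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if failures(results) > 0 {
		os.Exit(1) // non-zero exit lets CI gate on the result
	}
}
```

On a real node you would swap `staticModes` for `liveModes` and feed `runChecks` the actual argument vector of the kube-apiserver process (for example from `/proc/<pid>/cmdline`); the JSON shape and the non-zero exit on failure are what make the result consumable by other automation.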

Example of Kube-Bench results

Manifesto on Github

Manifesto

Leveraging image metadata for automation
Manifesto is a command-line tool for managing arbitrary metadata for a container image.

Some metadata – like the build date, Git commit of the source code, or author – is available at the point where you build a container image, but there is other information – for example a vulnerability scanning report, contact details for the team, or QA status reports – that can change throughout the lifetime of the image after it has been built.

Manifesto stores metadata in the container registry alongside the image, so that you don’t have to set up a separate database or information store. For more info, read a step-by-step explanation on our blog.

Project Moby on Github

Docker Contribution: Storage Quota

Setting disk quota per container
Aqua contributed this capability to the Docker open-source project (now part of Project Moby), and it was released as part of Docker 1.13.

Limiting the ability of a container to use up disk space is a useful performance and security capability: it prevents the container from hogging disk space and interfering with the activity of other containers, which is sometimes referred to as a “noisy neighbor” scenario. For example, if the following is part of the code inside a container:

fallocate -l 5GB acme.iso

the container will attempt to reserve 5GB of disk space. With no controls in place, this might seriously degrade or even crash the underlying host.

Implementing a quota prevents this from happening. The implementation utilizes XFS project quotas to set a hard limit on the disk usage of a container directory.
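The following is an added example, not Aqua's or Moby's code, showing the host-side XFS project quota mechanism the paragraph above refers to: it checks that a mount is XFS with project quota enabled (without that mount option no per-directory limit can be enforced) and prints the `xfs_quota` commands that bind a directory to a project ID and give it a hard block limit. It assumes the Docker data root is `/var/lib/docker`, that `xfs_quota` is installed, and that the commands which change state are run as root; the container directory and project ID below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Aqua's or Moby's code): the XFS project quota that the
# Docker storage quota builds on. Assumes /var/lib/docker is on XFS mounted
# with the pquota option and that xfs_quota is installed; the commands that
# change state need root. Nothing in this script modifies the system.
set -eu

# mount_has_pquota "<line from /proc/mounts>"
# Succeeds only if the line describes an XFS mount with project quota enabled.
mount_has_pquota() {
    line=$1
    set -- $line
    [ $# -ge 4 ] || return 1
    fstype=$3
    opts=$4
    [ "$fstype" = "xfs" ] || return 1
    case ",$opts," in
        *,prjquota,*|*,pquota,*) return 0 ;;
        *) return 1 ;;
    esac
}

# quota_commands <dir> <project-id> <size> <mountpoint>
# Prints the two xfs_quota commands that bind a directory tree to a project ID
# and cap that project's block usage with a hard limit (bhard).
quota_commands() {
    dir=$1 id=$2 size=$3 mnt=$4
    printf 'xfs_quota -x -c "project -s -p %s %s" %s\n' "$dir" "$id" "$mnt"
    printf 'xfs_quota -x -c "limit -p bhard=%s %s" %s\n' "$size" "$id" "$mnt"
}

# check_docker_root [mountpoint]
# Reads /proc/mounts and reports whether the mountpoint is ready for quotas.
check_docker_root() {
    mnt=${1:-/var/lib/docker}
    [ -r /proc/mounts ] || { echo "no /proc/mounts here; skipping live check"; return 0; }
    while read -r entry; do
        case "$entry" in
            *" $mnt "*)
                if mount_has_pquota "$entry"; then
                    echo "$mnt: XFS with project quota enabled"
                else
                    echo "$mnt: project quota NOT available on this mount"
                fi
                return 0 ;;
        esac
    done < /proc/mounts
    echo "$mnt: not a mountpoint of its own; quotas must be enabled on the parent filesystem"
}

# Show the commands for a constructed container directory (placeholder ID, 5g limit).
quota_commands /var/lib/docker/overlay2/CONTAINER_ID_PLACEHOLDER/diff 42 5g /var/lib/docker
check_docker_root
```

Once the data root is on XFS with `pquota`, the per-container limit on the overlay2 driver is requested at run time with `docker run --storage-opt size=5G ...`; the `fallocate` above then fails with a disk-full error inside the container instead of consuming the host's space.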
