
ANSSI's Osaka Tool Enhances Kubernetes Security Analysis
The No Limit Secu podcast discusses Kubernetes security with Waren Postdame, a cloud security expert at ANSSI. Kubernetes is introduced as a container orchestrator that enables scalable, automated deployments but raises specific cybersecurity challenges, particularly for forensics: workloads are ephemeral, pods are rescheduled or deleted continuously, and their logs are not persisted by default, so evidence disappears unless log collection has been set up in advance.
The Osaka tool (Advanced Kubernetes Architecture Security Tool), developed by ANSSI, is presented as an attack path analyzer for Kubernetes clusters, in the same spirit as BloodHound for Active Directory. It detects misconfigurations (for example pods running in privileged mode, containers granted excessive Linux capabilities, or overly broad ClusterRoleBindings) as well as exposure of secrets and service account JWT tokens that an attacker could reuse. Osaka works offline: it ingests an export of the cluster's API objects taken with kubectl, loads them into a Neo4j graph database, and models attack paths as graph queries over that data, so no access to the live cluster is needed at analysis time. It does not interpret Custom Resource Definitions (CRDs) or third-party products such as Cilium or Kafka, but it covers the standard Kubernetes object model across supported versions.
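To make the "offline analysis of a kubectl export" idea concrete, here is an added Python example that is not Osaka's own code: it takes the `items` list of a `kubectl get pods,clusterroles,clusterrolebindings -A -o json` export and flags the three misconfiguration classes named above (privileged containers, dangerous added capabilities, and ClusterRoleBindings that grant risky rules to broad groups). The sample export, the capability list and the risky-rule heuristics are constructed for illustration and are assumptions, not Osaka's rule set.

```python
"""Offline Kubernetes misconfiguration checks over a kubectl JSON export.

Added illustration of the kind of checks an attack-path analyzer performs;
this is not Osaka's own code. Input is the "items" list of
``kubectl get pods,clusterroles,clusterrolebindings -A -o json``;
the sample below is constructed inline so the script runs without a cluster.
"""
import json

# Capabilities that commonly allow container escape or node takeover (assumed list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
# hostPath mounts that expose the node filesystem or the container runtime socket.
DANGEROUS_HOSTPATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/run/containerd"}
# Groups that make a ClusterRoleBinding apply to every user or service account.
WIDE_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
PRIV_VERBS = {"escalate", "bind", "impersonate"}


def pod_findings(pod):
    """Findings for one Pod: privileged containers, dangerous capabilities, hostPath mounts."""
    out = []
    name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(("critical", f"{name}/{c['name']}: privileged container"))
        added = set((sc.get("capabilities") or {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            out.append(("high", f"{name}/{c['name']}: dangerous capabilities {sorted(added)}"))
    for v in spec.get("volumes", []):
        path = (v.get("hostPath") or {}).get("path")
        if path in DANGEROUS_HOSTPATHS:
            out.append(("high", f"{name}: hostPath mount of {path}"))
    return out


def rule_risk(rule):
    """Return why a single RBAC rule is risky, or None if it looks harmless."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        return "wildcard verbs on wildcard resources (cluster-admin equivalent)"
    if verbs & PRIV_VERBS:
        return f"privilege-escalation verbs {sorted(verbs & PRIV_VERBS)}"
    if "secrets" in resources and verbs & {"get", "list", "*"}:
        return "cluster-wide read access to secrets"
    if "pods" in resources and verbs & {"create", "*"}:
        return "can create pods (and thus mount any service account token or hostPath)"
    return None


def binding_findings(binding, roles_by_name):
    """Findings for one ClusterRoleBinding: a risky ClusterRole granted to a subject."""
    role = roles_by_name.get(binding["roleRef"]["name"])
    if role is None:  # role missing from the export; cannot judge it
        return []
    reasons = [r for r in map(rule_risk, role.get("rules", [])) if r]
    if not reasons:
        return []
    out = []
    for s in binding.get("subjects", []):
        severity = "critical" if s["name"] in WIDE_GROUPS else "high"
        out.append((severity, f"{binding['metadata']['name']}: {s['kind']} {s['name']} -> "
                              f"{role['metadata']['name']} ({'; '.join(reasons)})"))
    return out


def analyze(items):
    """Run all checks over an export's item list; returns (severity, message) tuples."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for i in items:
        if i["kind"] == "Pod":
            findings += pod_findings(i)
        elif i["kind"] == "ClusterRoleBinding":
            findings += binding_findings(i, roles)
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample export; a real one comes from kubectl -o json.
SAMPLE_EXPORT = json.loads("""
{"items": [
 {"kind": "Pod", "metadata": {"namespace": "default", "name": "debug"},
  "spec": {"containers": [{"name": "shell", "image": "busybox",
     "securityContext": {"privileged": true, "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}}}],
   "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
 {"kind": "Pod", "metadata": {"namespace": "web", "name": "nginx"},
  "spec": {"containers": [{"name": "nginx", "image": "nginx",
     "securityContext": {"runAsNonRoot": true, "capabilities": {"drop": ["ALL"]}}}]}},
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-readers"},
  "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "Group", "name": "developers"}]}
]}
""")["items"]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Against a real cluster, replace `SAMPLE_EXPORT` with the parsed output of the kubectl command in the docstring. The RBAC check only resolves `ClusterRole` references; namespaced `Role`/`RoleBinding` pairs and bindings whose role is absent from the export are silently skipped, which is the same blind spot a graph-based tool has when its export is incomplete, so always export all the object kinds you intend to reason about.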
The tool is primarily used for audits and penetration tests; processing a cluster of around 300 pods takes 15 to 20 minutes. It does not exploit anything automatically: it identifies the attack vectors and paths, and acting on them is left to the auditor. Written in Python, it is open source and available on GitHub, with documentation for an installation based on Docker Compose. ANSSI is seeking contributors to improve the tool, in particular to speed up processing and to add support for micro-VMs.