Tools Resources

Getting Started with Panoptica on AWS using Kubernetes Goat

author_profile
Jan Schulte
Friday, Sep 1st, 2023

In this blog you will learn how to easily secure your microservices apps running on Amazon EKS cluster using Panoptica, Cisco's cloud native application security SaaS service. We use an open source Kubernetes Goat application to see common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.

What is Panoptica?

Panoptica is a Cisco's SaaS platform for cloud native application security, which includes Kubernetes and container security, CI/CD security, API Security, cloud infrastructure and entitlement management (CIEM), and cloud security posture management (CSPM). Read more about it on https://panoptica.app

What is Kubernetes Goat?

The Kubernetes Goat is an interactive Kubernetes security educational tool licensed under the MIT license and available on Github. Kubernetes Goat highlights common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments. It is a sample application that is designed to be intentionally vulnerable use with appropriate safeguards and at your own risk in your Kubernetes environment. Besides Kubernetes Goat, also check out other projects, such as CNAPPGoat or BestBags

Getting Started

Step 1: Run Kubernetes Goat application on AWS

Install eksctl

We need to ensure that we have eksctl installed. To install eksctl, please visit this website.

eksctl version
Kubernetes-goat eksctl version

Install kubectl

We need to ensure that we have kubectl installed and in the path. To install kubectl, please visit this page.

kubectl version
Kubernetes-goat$ Kubectl version

awscli installed and is set up with the AWS account

 We need to ensure that awscli is installed and is set up with the AWS account. Check out this website to install it.

aws --version
Kubernetes-goat$ aws version

Install helm

We need to ensure that helm package manager installed and in the path. If not refer to: helm

helm version
Kubernetes-goat$ helm version

Step 2: Setup the AWS environment

We need to ensure that our aws cli is configured. For configuring we need to run the command:

aws configure

Please make sure that you have the following information ready:

  • AWS Access Key
  • AWS Access Secret Key
  • Default region (e.g. us-east-1)
  • Default output format

Open your terminal and run the following command to set up a new EKS cluster:

eksctl create cluster --name test-eks-panoptica --region us-east-1 --node-type t4g.medium --nodes 2

This step can take up to a few minutes to create the cluster with the required number of nodes.

Once the cluster is created, we need to run the following code:

aws eks update-kubeconfig --region us-east-1 --name test-eks-panoptica

to update the ~/.kube/config file.

We can confirm it by the command:

kubectl cluster-info
Kubernetes-goat$ Kubectl cluster-info

Step 3: Run the Kubernetes Goat Application

To run the application in our cluster we need to first clone the repository using the command:

git clone <a href="https://github.com/madhuakula/kubernetes-goat.git">https://github.com/madhuakula/kubernetes-goat.git</a>

We need to navigate to the kubernetes-goat folder for the set up and the installation of the application.

Now, we run the following script to set up and deploy the Kubernetes-goat resource in our clusters:

bash setup-kubernetes-goat.sh
Kubernetes-goat$ bash setup-kubernetes goat
deployed status

Now we check the pods using the command:

kubectl get pods
Kubernetes-goat$ kubectl get pods

Run the following command to get the access of the environment:

bash access-kubernetes-goat.sh
Kubernetes-goat$ bash access-kubernetes-goat

We get the access of the UI in http://127.0.0.1:1234/

Kubernetes Goat

Step 4: Deploy Panoptica

Cisco Panoptica is a tool which provides a comprehensive security solution for containerized application managed by Kubernetes. Panoptica stands out to be the best solution for visualizing vulnerabilities within our application.

You may need to sign up for a free tier of Panoptica first. Go here to sign up.

Once logged in:

  • Navigate to DEPLOYMENTS and follow down the steps as mentioned there.
  • Create Cluster:
Connect Cluster

When filling out the form, choose a name (e.g. test-eks-panoptica) and select Amazon Elastic Kubernetes Service in the Orchestration drop down.

Under Required features, select:

  • Kubernetes Security
  • API Security
Connect Cluster - Api Security

On the API Security step, please select:

  • Istio
  • External gateways
Deployments - Advanced setting

Under Advanced Settings, please select:

  • Persistent Storage, select "Yes"
Deployments - other settings

Under Other Settings, please select:

  • Enable Fuzz test option for APIs, select "Yes"

Click Finish and then download the <cluster_name>.tar.gz file and then unzip it using the command:

tar -xzvf <cluster_name>.tar.gz
Downloads$ tar -xzvf test1.tar.gz
  • We need to run the install_bundl.sh file using the command:
./install_bundle.sh
Downloads$ install bundle

This installer deploys the necessary resources and pods into the cluster. Once finished, we can see that all the pods are deployed properly using the command:

kubectl get pods –A
Downloads$ kubectl get pods A

Explore the Panoptica dashboard

Please open the Panoptica DASHBOARD to see our pods and the insights of each pod such as securities and vulnerabilities.

Panoptica automatically scans your cluster for a variety of issues. The dashboard provides a concise summary of the most critical security risks and vulnerabilities.

Explore the Panoptica dashboard

This overview is a good starting point to start addressing security concerns with this cluster.

Kubernetes Goat Pod security posture

The runtime view provides us with a list of workloads that require attention, with the most critical on top. The interface allows you to drill down and explore further.

Kubernetes Goat Pod security posture

Risk Assessment

The risk assessment view provides a helpful overview over vulnerabilities for each image on the cluster, as well as detailed reports on permission findings.

Risk Assessment

To see specific vulnerabilities for each image, click on the <image_name>. The list shows each vulnerability with a score, link to CVE and if a new version with a fix is available.

specific vulnerabilities

While this provides you a brief overview, this setup is a great starting point to explore further and learn more about Panoptica's capabilities.

Are you ready to add the next cluster? Click on the Deployments tab to add another environment.

Not signed up yet? To sign up for a free trial (no credit card required), visit our sign-up page!

Popup Image