An open-source organization dedicated to enhancing Kubernetes security and observability using CNCF tools like Falco, OPA Gatekeeper, Prometheus, and ArgoCD.
- Security Vulnerabilities:
  - No runtime intrusion detection.
  - No policy enforcement for cluster compliance.
- Lack of Observability:
  - Limited visibility into cluster state and threats.

- Deploying intrusion prevention mechanisms.
- Deploying intrusion detection mechanisms.
- Embracing observability and monitoring.
Kube-Shield implements a scalable security framework for Kubernetes, featuring:
- Falco: Runtime intrusion detection via system call analysis.
- OPA Gatekeeper: Policy enforcement for compliance.
- Prometheus & Grafana: Real-time metrics and dashboards.
- ArgoCD: GitOps-driven cluster management.
- crAPI: OWASP-inspired vulnerable app for security testing.
Deployed on Azure Kubernetes Service (AKS) with a web interface for rule management.
- Azure Load Balancer → Nginx Ingress.
- crAPI Namespace:
  - Microservices: Identity (Java), Community (Go), Workshop (Python), Web (JS).
  - Databases: MongoDB/PostgreSQL (StatefulSet + Azure PV).
- Monitoring Namespace: Prometheus + Grafana.
- OPA Namespace: Gatekeeper for policy enforcement.
- Falco Namespace: DaemonSet for runtime security.
- Prometheus Operator: Manages ServiceMonitors and alerts.
- Node Exporter + Kube State Metrics: Cluster/node metrics.
- Grafana: Dashboards for observability.
- Web Services (JS): Orchestrates Identity/Community/Workshop.
- Databases: PostgreSQL/MongoDB with persistent storage.
- Mailhog: Email handling for Community Service.
- Falco detects anomalies (e.g., reverse shell).
- Falcosidekick forwards events to:
  - Web App (for alerts).
  - Fluent Bit → Cloud Logging/Elasticsearch.
- API Server → Validates requests via Gatekeeper webhook.
- Constraints: Rego policies allow/deny (e.g., resource limits).
```bash
git clone https://github.com/Kube-Shield/manifests.git
cd manifests
./build-all.sh && ./deploy.sh # Deploys the crAPI application for testing
```
1. **Falco (Runtime Detection)**:
```bash
git clone https://github.com/Kube-Shield/intrusion-detection.git
cd intrusion-detection
./deploy.sh
```
2. **OPA Gatekeeper (Policy Enforcement)**:
```bash
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.19.1/deploy/gatekeeper.yaml
```
3. **Monitoring (Prometheus + Grafana)**:
```bash
git clone https://github.com/Kube-Shield/monitoring.git
cd monitoring
./install-monitoring.sh
```
- Ghaith GTARI
- Ghaith ROUAHI
- Hamza TALBI
- Ahmed IDANI
- Oussama GHAZOUANI
⭐ Star our GitHub repo to support the project!