Security Testing in Kubernetes Using ZAP and Testkube

In today’s software development landscape, ensuring the security of your applications is one of the most important yet often overlooked tasks. With the increasing adoption of containerization and Kubernetes for app deployment, it becomes crucial to strengthen your applications against vulnerabilities and attacks. One effective tool that can aid in this endeavor is the Zed Attack Proxy (ZAP).

In this blog post, we will explore why we need security testing in Kubernetes, its benefits and challenges, Understand ZAP, how TestKube simplifies Kubernetes testing, and why you should incorporate security testing with ZAP into your Kubernetes applications.

Need for Security Testing in Kubernetes

As a container orchestration platform, Kubernetes offers a distinct set of security challenges that must be addressed to maintain application availability, integrity, and confidentiality. Below are a few reasons for the need for security testing when you deploy your applications on this platform:

• Exposed Services: Applications deployed on Kubernetes expose many API endpoints on the Internet, and Kubernetes itself exposes many services, making it a prime target for attacks. Thus, regular testing is crucial to identify these vulnerabilities.
• OWASP Vulnerabilities: Common web vulnerabilities listed by OWASP, such as SQL Injection and cross-site scripting (XSS), can affect applications running on Kubernetes. Security testing against the OWASP vulnerabilities ensures that they are not present in the application, regardless of whether it operates within a Kubernetes cluster.
• Prevent Man-in-the-middle attacks: With their complex networking and distributed nature, Kubernetes environments can be particularly vulnerable to MITM attacks. Security testing is crucial to identify weaknesses in encryption, authentication, and network configurations that could allow MITM attacks.

Aside from the above reasons, several other risks are associated with deploying your application on the Kubernetes platform. Therefore, it is important to protect your application from the platform's specific risks and vulnerabilities to ensure that apps are secure and resilient in a dynamic and complex environment.

Understanding ZAP

One of the popular tools for security testing is ZAP, which is a widely adopted open source security testing tool that provides a comprehensive suite of features for detecting and mitigating security risks within web applications. It offers powerful capabilities to scan, test, and identify vulnerabilities across various layers, including the application's front end, back end, and APIs. ZAP's active and passive scanning techniques and user-friendly interface make it a popular choice for developers, security testers, and penetration testers.

Challenges ZAP Security Testing

While ZAP provides various benefits for performing safe and robust testing, it also presents some unique obstacles due to Kubernetes' complexity and dynamic nature. Here are some challenges:

• Handling Distributed Vulnerabilities: In a microservices architecture, vulnerabilities like OWASP top 10 may be spread across multiple services. ZAP must be configured to test each service independently, which can be complex to set up and maintain.
• Complex Networking and Microservices Architecture:  A microservices design enables services to communicate over the network. ZAP generally tests web application vulnerabilities, but efficiently testing the security of inter-service communication within Kubernetes requires additional configurations and parameters. 
• Test Isolation: If ZAP tests are not properly isolated, they can adversely affect the environment’s security level. To avoid these potential risks, ensure that ZAP operates in a monitored and secure Kubernetes environment.

So, now that we know about ZAP, let’s take a look at how we can bring our ZAP tests into our Kubernetes environment using Testkube.

Running a ZAP Test in Testkube

Testing with Testkube makes running ZAP tests in Kubernetes easier. As a test orchestration framework, Testkube facilitates the seamless integration of ZAP into your CI/CD pipelines and the testing of your Kubernetes-based applications.

The official ZAP Docker image, on which the executor was built, lets you run three types of tests: baseline, full, and API scans. The test creation looks slightly different depending on which functionalities you want to leverage. Not only does the type of the test (--type) need to be specified differently, but the configuration file will also have some parameters that do not work with all types.

We’ll create a Test workflow to create a ZAP Test workflow that will perform a baseline scan for the URL that we supply.

For a visual walkthrough of this tutorial, you can watch the accompanying video below before diving into the written instructions and prerequisites.

Prerequisites

• Get a Testkube account.
• Kubernetes cluster - we’re using a local Minikube cluster.
• Testkube Agent configured on the cluster.

After meeting the prerequisites, you can launch a target Kubernetes cluster with a configured Testkube agent.

Creating a Test Workflow

Navigate to the test workflow section and click the “Add New Test Workflow” button. 

A "Create a Test Workflow" dialog appears, providing you with four options to create a test workflow:

• Create from Wizard: This option displays a dialog box that guides you through creating a new test workflow. 
• Start from an Example: This option allows you to use a pre-configured example, such as k6, Playwright, Cypress, Playwright, or Postman.
• Combine Existing Workflows: This option allows you to combine and run various existing test workflows sequentially or simultaneously.
• Import a Workflow from YAML: This option allows you to import a test workflow using a YAML definition.

Create this workflow by choosing the “Create from Wizard” option.

Enter the following information into the designated field of the “Name & Type” tab:

1. Name: This field allows you to enter the name of the test workflow. Here in this field, we will use the name as zap-testkube.
2. Labels: Assign labels to test workflows so that they can be filtered. (Optional)
3. Template: Select Custom  Template to create a custom configuration from the list of options, which includes Artillery, Cypress, JMeter, k6, and others.
4. Image: This field identifies the Docker image executing the test workflow. Here, we will use the “zaproxy/zap-stable.”
5. Tag: This field specifies the version or specific build of the Docker image to use. Here, we have set the "Tag" field to "latest," signifying that the workflow will utilize the most recent version of the "zaproxy/zap-stable" Docker image.
6. Shell Command: This command indicates that the ZAP baseline scan will be run against the https://testkube.io target and a report will be generated and saved in a file name report.html. `zap-baseline.py -t https://testkube.io -r report.html`

Click Next.

In the Content tab, click “No content” from the drop-down because we have specified the shell command.

Click Next.

In the Run tab, provide the following information:

1. Execution Working Directory: We have set the directory to "/zap/wrk," which indicates the execution location for the tests.
2. Artifacts: You can specify the output files or directories the test will generate in this field. We provide “report.html” as this is where the report will be generated.
3. Environment Variables: You can add environment variables to pass configuration or secrets needed for test execution.

Click Next. The Summary tab will open, displaying the spec file generated.

We must configure mount paths so that Zap can run the baseline test. So, we’ll add that configuration to the generated yaml spec. The updated YAML spec will look like this:

kind: TestWorkflow
apiVersion: testworkflows.testkube.io/v1
metadata:
 name: zap-testkube
 namespace: testkube
spec:
 container:
   workingDir: /zap/wrk/
   image: zaproxy/zap-stable:latest
   volumeMounts:
   - name: zap-wrk
     mountPath: /zap/wrk/
 pod:
   volumes:
   - name: zap-wrk
 steps:
 - name: Run test
   shell: zap-baseline.py -t https://testkube.io -r report.html
 - name: Saving artifacts
   condition: always
   artifacts:
     paths:
     - report.html
status: {}

To set up and execute the test workflow, click the "Create & Run" button.

Executing the Test Workflow

After you click on “Create & Run,” the test workflow will start being executed.

To check real-time progress and logs, click on each step in the test procedure.

Click on the Artifacts tab to see the artifacts generated by the test. In this case, we’ll see the report.html.

Click on the report.html file to open the Zap Scanning report.

That’s how you can perform a ZAP scan for your application on Kubernetes using Testkube. To run a different type of ZAP test, change the first line to either api, full, or, in our case, baseline, and refer to the ZAP documentation to see how to define each type of test.

Get Started with ZAP Security Testing

That’s it! You’re now on your way to enhancing application security within Kubernetes with ZAP and Testkube. ZAP offers flexibility to secure your applications – by actively scanning the communication protocols and detecting vulnerabilities that could be exploited or by passively scanning traffic to identify potential security threats in real-time. This makes ZAP essential for ensuring robust security in a cloud-native landscape. 

Integrating ZAP with Testkube allows you to quickly integrate security testing into your existing processes, automate scans to protect your deployments, and seamlessly incorporate security checks into your CI/CD pipelines.

Get started with Testkube today, or visit the Testkube documentation to learn more about running distributed tests in Testkube using other testing tools. If you find yourself struggling with anything, feel free to drop a note in our active Slack community, and someone will help you out. We’re eager to hear how you use our new ZAP integration.