Overview
In this blog, we have provided a comprehensive overview of how Kubescape empowers the maintenance of a secure Kubernetes environment through automated, scalable security assessments. Designed for modern DevSecOps and platform teams, Kubescape helps detect vulnerabilities and misconfigurations across clusters, configurations, and workloads. With support for leading industry benchmarks like NSA-CISA, MITRE ATT&CK, and CIS, it serves as a comprehensive tool for enhancing compliance and reducing risk across the Kubernetes lifecycle.
Introduction
Kubescape is a feature-rich, open-source security tool built to align with the fast-paced workflows of Kubernetes users. It simplifies identifying security gaps by scanning clusters, Helm charts, and YAML files and offering detailed compliance insights. With command-line, broad format support, and automated scan capabilities, Kubescape seamlessly fits into daily operations while supporting industry-recognized security frameworks. Created by ARMO and recognized under the CNCF sandbox, it is rapidly becoming a go-to resource for Kubernetes security automation.
Getting Started with Kubernetes Security Scans
Performing a general scan on a running Kubernetes cluster:
Scans a running Kubernetes cluster.
kubescape scan --verbose
This command inspects control plane security, access control, and secrets management. It flags insecure settings like anonymous access or open ports and provides a detailed compliance report.
NSA-CISA framework
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA)
The NSA and CISA provide recommendations to address key security challenges, urging system administrators to strengthen their Kubernetes environments. They also emphasize the importance of regularly reviewing cluster configurations and conducting vulnerability scans to manage risks and implement necessary patches.
Scans a Kubernetes cluster with the NSA framework
kubescape scan framework nsa
The tool performs an in-depth evaluation of the Kubernetes cluster’s security alignment with the NSA framework. The results indicate how many security controls passed and how many failed, helping identify possible misconfigurations or vulnerabilities. Among the failed checks, four are ranked by severity (high, medium, and low), highlighting the critical areas that need attention to strengthen the cluster’s overall security posture.
MITRE ATT&CK framework
Kubescape utilizes the MITRE ATT&CK framework to evaluate potential threats and vulnerabilities within Kubernetes environments. Mapping findings to known attack techniques helps users detect, understand, and mitigate security risks, thereby improving the cluster’s overall defense strategy.
Scans a Kubernetes cluster with the MITRE ATT&CK framework
kubescape scan framework mitre
Controls
ARMO provides a wide range of security controls that can be applied within established frameworks or tailored to meet specific requirements. Developed by security experts, these controls act as structured assessments covering different aspects of a system’s security posture. They include preventive, detective, and corrective measures designed to help identify and reduce the risk of potential security incidents.
Scan for a specific control using the control name or control ID
kubescape scan control "Privileged container"
Scan a specific pod
kubescape scan workload Pod/nginx --namespace webapp
Kubescape generates an overview of a workload’s security posture, highlighting the relevant security controls based on its configuration and reporting the vulnerability status of the associated container image.
Scan a specific namespace
kubescape scan --include-namespaces test,staging,production
Kubescape provides a summary of the cluster’s security posture, including a count of users with administrative privileges. Any non-zero results should be reviewed to assess necessity, and each is factored into the overall compliance score.
Enhancing CI/CD Security Using Kubescape
As DevOps and modern engineering practices advance, they’ve enabled faster delivery of higher-quality code by embedding guardrails and validations into automated CI/CD pipelines. Incorporating security checks into these workflows has become essential. With the rise of DevSecOps, well-defined frameworks and best practices have emerged to help seamlessly integrate security into continuous integration and deployment processes.
- Integrating Security Controls in the Coding Phase
Security measures begin at the earliest stages of development, where issues like misconfigurations and vulnerabilities in formats such as JSON, YAML, or Helm charts can be detected and resolved proactively.
Command to scan local YAML/JSON files
kubescape scan *.yaml
Scan Helm charts or kustomize directory
kubescape scan </path/to/directory>
- Kubescape extension in Visual Studio Code
The open-source Kubescape extension for VSCode offers real-time alerts for potential security issues as we write YAML files. It highlights problematic lines directly in the manifest, allowing developers to address issues on the spot, removing the need for post-edit scans, and streamlining secure coding within the editor.
- Scanning Code Repositories for Misconfigurations and Vulnerabilities
After finalizing the configuration code, it is typically pushed through the CI system, often via the CLI, and a Pull Request (PR) is created to merge it into the main codebase. From a security perspective, however, it is crucial to scan both public and private repositories and container image registries before proceeding with deployment.
Scan Kubernetes manifest files from a Git repository:
kubescape scan https://github.com/kubescape/kubescape
We can also scan our repository in the ARMO platform
kubescape scan REPOSITORY_LOCATION --account b504efc0-da1a-4d7c-a6a3-62d5c607424a --access-key=50f58148-ad14-45a4-8980-22f85952ddc2 --server api.armosec.io
Command to scan an image
kubescape scan image --verbose
kubescape scan image my-image:latest --severity-threshold high
- Continuous deployment scanning:
After deployment, we can evaluate the security of the deployed resources by running targeted scans on specific namespaces or YAML files using the commands below.
kubescape scan --include-namespaces development,staging,production
The Control Compliance Score
Measures the adherence to each control within a framework by comparing the number of resources that passed against the total number assessed for that specific control.
kubescape scan --compliance-threshold <SCORE_VALUE[float32]>
The Framework Compliance Score
It provides an overall assessment of how well the cluster complies with a specific framework, calculated by averaging the compliance scores of all individual controls within that framework.
kubescape scan framework <FRAMEWORK_NAME> --compliance-threshold <SCORE_VALUE[float32]>
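To make the two scores concrete, and to show how a CI gate built on --compliance-threshold behaves, here is an added Python example (not Kubescape's own code, and not its real JSON schema). It models a scan result as a constructed list of per-control pass/fail counts, computes each control's compliance score as passed divided by total assessed, averages them into the framework score exactly as described above, ranks failing controls by severity, and applies a threshold the way a pipeline step would. The control IDs, names other than "Privileged container", and counts are constructed sample data; the severity labels Critical/High/Medium/Low are an assumption about the scanner's vocabulary.

```python
"""Kubescape-style compliance scoring from constructed scan results.

Added example; it is not Kubescape's code and the data model below is a
simplified, constructed stand-in for a scan report, not the real schema.
"""
from dataclasses import dataclass
from typing import List

# Assumption: severity labels as the scanner reports them, most severe first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class ControlResult:
    control_id: str   # constructed identifier, not a real Kubescape control ID
    name: str
    severity: str
    passed: int       # resources that passed this control
    failed: int       # resources that failed this control

    @property
    def total(self) -> int:
        return self.passed + self.failed

    def compliance_score(self) -> float:
        """Control compliance score: passed / total assessed, in percent.

        Edge case: a control that assessed no resources has nothing to fail,
        so it is treated as fully compliant rather than dividing by zero.
        """
        if self.total == 0:
            return 100.0
        return 100.0 * self.passed / self.total


def framework_compliance_score(controls: List[ControlResult]) -> float:
    """Framework score: arithmetic mean of the individual control scores."""
    if not controls:
        return 100.0
    return sum(c.compliance_score() for c in controls) / len(controls)


def failed_controls_by_severity(controls: List[ControlResult]) -> List[ControlResult]:
    """Controls with at least one failing resource, most severe first."""
    failing = [c for c in controls if c.failed > 0]
    return sorted(failing, key=lambda c: (SEVERITY_ORDER.get(c.severity, 99), c.control_id))


def gate(controls: List[ControlResult], threshold: float) -> bool:
    """Mimic --compliance-threshold: pass only if the framework score meets it."""
    return framework_compliance_score(controls) >= threshold


# Constructed sample results; they do not come from a real cluster.
SAMPLE = [
    ControlResult("X-001", "Privileged container", "High", passed=8, failed=2),
    ControlResult("X-002", "Allow privilege escalation", "Medium", passed=5, failed=5),
    ControlResult("X-003", "Memory limits set", "Low", passed=10, failed=0),
    ControlResult("X-004", "Cluster-admin binding", "Critical", passed=3, failed=1),
]


def report(controls: List[ControlResult], threshold: float) -> str:
    """Render a short text summary in the spirit of the CLI output."""
    lines = [f"{c.control_id:6} {c.severity:8} {c.compliance_score():6.2f}%  {c.name}"
             for c in failed_controls_by_severity(controls)]
    score = framework_compliance_score(controls)
    verdict = "PASS" if gate(controls, threshold) else "FAIL"
    lines.append(f"framework score {score:.2f}% (threshold {threshold:.2f}%): {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, threshold=70.0))
```

With the sample data the framework score is 76.25%, so a threshold of 70 lets the pipeline continue while a threshold of 80 blocks it; the per-control scores are what the Control Compliance Score measures, and their average is the Framework Compliance Score.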
Output formats:
JSON:
kubescape scan --format json --format-version v2 --output results.json
Junit XML:
kubescape scan --format junit --output results.xml
PDF:
kubescape scan --format pdf --output results.pdf
Prometheus metrics:
kubescape scan --format prometheus
HTML:
kubescape scan --format html --output results.html
Conclusion
Drop a query if you have any questions regarding Kubescape and we will get back to you quickly.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront Service Delivery Partner, Amazon OpenSearch Service Delivery Partner, AWS DMS Service Delivery Partner, AWS Systems Manager Service Delivery Partner, Amazon RDS Service Delivery Partner, AWS CloudFormation Service Delivery Partner, AWS Config, Amazon EMR and many more.
FAQs
1. Is Kubescape free to use?
ANS: – Yes, Kubescape is an open-source tool endorsed by the CNCF.
2. What is the difference between control and framework compliance scores?
ANS: – Control compliance scores measure adherence for specific tests, while framework scores average all related control scores for a full picture.
WRITTEN BY Abhilasha D
Abhilasha D is a Research Associate-DevOps at CloudThat. She is focused on gaining knowledge of Cloud environment and DevOps tools. She has keen interest in learning and researching on emerging technologies.