Strengthening Kubernetes Security with Kubescape

Overview

In this blog, we have provided a comprehensive overview of how Kubescape empowers the maintenance of a secure Kubernetes environment through automated, scalable security assessments. Designed for modern DevSecOps and platform teams, Kubescape helps detect vulnerabilities and misconfigurations across clusters, configurations, and workloads. With support for leading industry benchmarks like NSA-CISA, MITRE ATT&CK, and CIS, it serves as a comprehensive tool for enhancing compliance and reducing risk across the Kubernetes lifecycle.

Introduction

Kubescape is a feature-rich, open-source security tool built to align with the fast-paced workflows of Kubernetes users. It simplifies identifying security gaps by scanning clusters, Helm charts, and YAML files and offering detailed compliance insights. With command-line, broad format support, and automated scan capabilities, Kubescape seamlessly fits into daily operations while supporting industry-recognized security frameworks. Created by ARMO and recognized under the CNCF sandbox, it is rapidly becoming a go-to resource for Kubernetes security automation.

Getting Started with Kubernetes Security Scans

Performing a general scan on running Kubernetes cluster:

Scans a running Kubernetes cluster.

This command inspects control plane security, access control, and secrets management. It flags insecure settings like anonymous access or open ports and provides a detailed compliance report.

NSA-CISA framework

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency(CISA)
The NSA and CISA provide recommendations to address key security challenges, urging system administrators to strengthen their Kubernetes environments. They also emphasize the importance of regularly reviewing cluster configurations and conducting vulnerability scans to manage risks and implement necessary patches.

Scans a Kubernetes cluster with the NSA framework

The tool performs an in-depth evaluation of the Kubernetes cluster’s security alignment with the NSA framework. The results indicate how many security controls passed and how many failed, helping identify possible misconfigurations or vulnerabilities. Among the failed checks, four are classified by severity, high, medium, and low, highlighting critical areas that need attention to strengthen the cluster’s overall security posture.

MITRE ATT&CK framework

Kubescape utilizes the MITRE ATT&CK framework to evaluate potential threats and vulnerabilities within Kubernetes environments. Mapping findings to known attack techniques helps users detect, understand, and mitigate security risks, thereby improving the cluster’s overall defense strategy.

Scans a Kubernetes cluster with the Mitre attack framework

Controls

ARMO provides a wide range of security controls that can be applied within established frameworks or tailored to meet specific requirements. Developed by security experts, these controls act as structured assessments covering different aspects of a system’s security posture. They include preventive, detective, and corrective measures designed to help identify and reduce the risk of potential security incidents.

Scan for a specific control using the control name or control ID

scan a specific pod

Kubescape generates an overview of a workload’s security posture, highlighting the relevant security controls based on its configuration and reporting the vulnerability status of the associated container image.

Scan a specific namespace

Kubescape provides a summary of the cluster’s security posture, including a count of users with administrative privileges. Any non-zero results should be reviewed to assess necessity, and each is factored into the overall compliance score.

Enhancing CI/CD Security Using Kubescape

As DevOps and modern engineering practices advance, they’ve enabled faster delivery of higher-quality code by embedding guardrails and validations into automated CI/CD pipelines. Incorporating security checks into these workflows has become essential. With the rise of DevSecOps, well-defined frameworks and best practices have emerged to help seamlessly integrate security into continuous integration and deployment processes.

• Integrating Security Controls in the Coding Phase

Security measures begin at the earliest stages of development, where issues like misconfigurations and vulnerabilities in formats such as JSON, YAML, or Helm charts can be detected and resolved proactively.

command to scan local YAML/JSON files

Scan Helm charts or kustomize directory

• Kubescape extension in Visual Studio Code
  The open-source Kubescape extension for VSCode offers real-time alerts for potential security issues as we write YAML files. It highlights problematic lines directly in the manifest, allowing developers to address issues on the spot, removing the need for post-edit scans, and streamlining secure coding within the editor.
• Scanning Code Repositories for Misconfigurations and Vulnerabilities

After finalizing the configuration code, it is typically pushed through the CI system, often via the CLI- and a Pull Request (PR) is created to merge into the main codebase. However, from a security perspective, it’s crucial to scan both public and private repositories and container image registries before proceeding with deployment.

Scan Kubernetes manifest files from a Git repository:

We can also scan our repository in the ARMO platform

Command to scan an image

• Continuous deployment scanning:
  After deployment, we can evaluate the security of your resources by running targeted scans on specific namespaces or YAML files using the commands below.

The Control Compliance Score

Measures the adherence to each control within a framework by comparing the number of resources that passed against the total number assessed for that specific control.

The Framework Compliance Score

It provides an overall assessment of how well the cluster complies with a specific framework, calculated by averaging the compliance scores of all individual controls within that framework

Output formats:

JSON:

Junit XML:

PDF:

Prometheus metrics:

HTML:

Conclusion

Drop a query if you have any questions regarding Kubescape and we will get back to you quickly.

About CloudThat