Strengthening Kubernetes Security with Kubescape

Overview

In this blog, we have provided a comprehensive overview of how Kubescape empowers the maintenance of a secure Kubernetes environment through automated, scalable security assessments. Designed for modern DevSecOps and platform teams, Kubescape helps detect vulnerabilities and misconfigurations across clusters, configurations, and workloads. With support for leading industry benchmarks like NSA-CISA, MITRE ATT&CK, and CIS, it serves as a comprehensive tool for enhancing compliance and reducing risk across the Kubernetes lifecycle.

Introduction

Kubescape is a feature-rich, open-source security tool built to align with the fast-paced workflows of Kubernetes users. It simplifies identifying security gaps by scanning clusters, Helm charts, and YAML files and offering detailed compliance insights. With command-line, broad format support, and automated scan capabilities, Kubescape seamlessly fits into daily operations while supporting industry-recognized security frameworks. Created by ARMO and recognized under the CNCF sandbox, it is rapidly becoming a go-to resource for Kubernetes security automation.

Getting Started with Kubernetes Security Scans

Performing a general scan on a running Kubernetes cluster:

Scans a running Kubernetes cluster.

This command inspects control plane security, access control, and secrets management. It flags insecure settings like anonymous access or open ports and provides a detailed compliance report.

NSA-CISA framework

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) provide recommendations to address key security challenges, urging system administrators to strengthen their Kubernetes environments. They also emphasize the importance of regularly reviewing cluster configurations and conducting vulnerability scans to manage risks and implement necessary patches.

Scans a Kubernetes cluster with the NSA framework

The tool performs an in-depth evaluation of how well the Kubernetes cluster’s security aligns with the NSA framework. The results indicate how many security controls passed and how many failed, helping identify possible misconfigurations or vulnerabilities. Among the failed checks, four are classified by severity (high, medium, and low), highlighting critical areas that need attention to strengthen the cluster’s overall security posture.


MITRE ATT&CK framework

Kubescape utilizes the MITRE ATT&CK framework to evaluate potential threats and vulnerabilities within Kubernetes environments. Mapping findings to known attack techniques helps users detect, understand, and mitigate security risks, thereby improving the cluster’s overall defense strategy.

Scans a Kubernetes cluster with the MITRE ATT&CK framework


Controls

ARMO provides a wide range of security controls that can be applied within established frameworks or tailored to meet specific requirements. Developed by security experts, these controls act as structured assessments covering different aspects of a system’s security posture. They include preventive, detective, and corrective measures designed to help identify and reduce the risk of potential security incidents.

Scan for a specific control using the control name or control ID

Scan a specific pod

Kubescape generates an overview of a workload’s security posture, highlighting the relevant security controls based on its configuration and reporting the vulnerability status of the associated container image.

Scan a specific namespace

Kubescape provides a summary of the cluster’s security posture, including a count of users with administrative privileges. Any non-zero results should be reviewed to assess necessity, and each is factored into the overall compliance score.


Enhancing CI/CD Security Using Kubescape

As DevOps and modern engineering practices advance, they’ve enabled faster delivery of higher-quality code by embedding guardrails and validations into automated CI/CD pipelines. Incorporating security checks into these workflows has become essential. With the rise of DevSecOps, well-defined frameworks and best practices have emerged to help seamlessly integrate security into continuous integration and deployment processes.

  • Integrating Security Controls in the Coding Phase

Security measures begin at the earliest stages of development, where issues like misconfigurations and vulnerabilities in formats such as JSON, YAML, or Helm charts can be detected and resolved proactively.

Command to scan local YAML/JSON files

Scan Helm charts or kustomize directory

  • Kubescape extension in Visual Studio Code
    The open-source Kubescape extension for VSCode offers real-time alerts for potential security issues as we write YAML files. It highlights problematic lines directly in the manifest, allowing developers to address issues on the spot, removing the need for post-edit scans, and streamlining secure coding within the editor.
  • Scanning Code Repositories for Misconfigurations and Vulnerabilities

After finalizing the configuration code, it is typically pushed through the CI system, often via the CLI, and a Pull Request (PR) is created to merge it into the main codebase. From a security perspective, however, it is crucial to scan both public and private repositories and container image registries before proceeding with deployment.

Scan Kubernetes manifest files from a Git repository:

We can also scan our repository in the ARMO platform


Command to scan an image

  • Continuous deployment scanning:
    After deployment, we can evaluate the security of our resources by running targeted scans on specific namespaces or YAML files using the commands below.

The Control Compliance Score

Measures adherence to each control within a framework by comparing the number of resources that passed against the total number of resources assessed for that specific control.

The Framework Compliance Score

It provides an overall assessment of how well the cluster complies with a specific framework, calculated by averaging the compliance scores of all individual controls within that framework.
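The two scores just described, together with the continuous-deployment gating mentioned earlier, as an added example that is not Kubescape's or this post's own code. It assumes a constructed, simplified summary layout (not Kubescape's real JSON output schema) with placeholder control IDs, and treats a control that assessed no resources as unscored so it neither divides by zero nor distorts the framework average.

```python
"""Control and framework compliance scores, plus a CI gate built on them.
Added example, not Kubescape's code. The input is a constructed summary
(one entry per control: passed/total resource counts); the IDs are placeholders,
and the layout is not Kubescape's real JSON schema."""
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample with placeholder IDs (not real Kubescape control IDs).
SAMPLE_CONTROLS: List[Dict] = [
    {"id": "EX-001", "name": "Privileged container", "severity": "high", "passed": 8, "total": 10},
    {"id": "EX-002", "name": "Host network access", "severity": "medium", "passed": 10, "total": 10},
    {"id": "EX-003", "name": "Anonymous API access", "severity": "high", "passed": 0, "total": 1},
    {"id": "EX-004", "name": "Nothing to assess", "severity": "low", "passed": 0, "total": 0},
]

def control_score(control: Dict) -> Optional[float]:
    """Control compliance: passed / total assessed, as a percentage.
    Assumption: a control that assessed no resources gets no score (None),
    so it neither divides by zero nor distorts the framework average."""
    if control["total"] == 0:
        return None
    return round(100.0 * control["passed"] / control["total"], 2)

def framework_score(controls: List[Dict]) -> float:
    """Framework compliance: the average of the scored controls."""
    scores = [s for s in map(control_score, controls) if s is not None]
    return round(sum(scores) / len(scores), 2) if scores else 0.0

def failed_controls(controls: List[Dict], min_severity: str = "low") -> List[str]:
    """IDs of controls with failing resources at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return [c["id"] for c in controls
            if c["passed"] < c["total"] and SEVERITY_RANK[c["severity"]] >= floor]

def ci_gate(controls: List[Dict], threshold: float,
            block_severity: Optional[str] = "high") -> Tuple[bool, List[str]]:
    """Pass only if the framework score meets the threshold and, when
    block_severity is set, no control at or above it has failing resources."""
    reasons = []
    score = framework_score(controls)
    if score < threshold:
        reasons.append(f"framework score {score} below threshold {threshold}")
    for cid in (failed_controls(controls, block_severity) if block_severity else []):
        reasons.append(f"{cid} fails at {block_severity}+ severity")
    return not reasons, reasons
```

On the sample, `ci_gate(SAMPLE_CONTROLS, threshold=80.0)` fails the pipeline: the framework score is 60.0 and two high-severity controls have failing resources.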

Output formats:

JSON:

Junit XML:

PDF:

Prometheus metrics:

HTML:

Conclusion

Kubescape is a powerful, open-source security scanner designed specifically for Kubernetes environments. Whether you are a DevSecOps engineer setting up CI/CD security guardrails or a platform engineer focused on securing workloads at runtime, Kubescape is equipped with the tools to detect and address misconfigurations and vulnerabilities throughout every phase of the development lifecycle.

Drop a query if you have any questions regarding Kubescape and we will get back to you quickly.

FAQs

1. Is Kubescape free to use?

ANS: – Yes, Kubescape is an open-source tool endorsed by the CNCF.

2. What is the difference between control and framework compliance scores?

ANS: – Control compliance scores measure adherence for specific tests, while framework scores average all related control scores for a full picture.

WRITTEN BY Abhilasha D

Abhilasha D is a Research Associate-DevOps at CloudThat. She is focused on gaining knowledge of Cloud environment and DevOps tools. She has keen interest in learning and researching on emerging technologies.
