Post

Embracing Enhanced Kubernetes Security with Kubescape

Posted
By Nikos Nikolakakis 3 min read

In the rapidly evolving world of Kubernetes, maintaining robust security is paramount. Kubescape, the first CNCF Kubernetes security scanner, stands out as a powerful tool designed to ensure your Kubernetes configurations are secure and compliant. In this post, we delve into the functionalities of Kubescape, examine its pros and cons, and provide a quick demo to showcase its capabilities.

What is Kubescape?

Kubescape is an open-source tool developed by ARMO, designed to scan Kubernetes clusters, Helm charts, and YAML files for security risks and compliance with several frameworks, including those recommended by the NSA and MITRE ATT&CK®. It operates as both a CLI tool and an integrated component within Kubernetes, suitable for use in CI/CD pipelines.

Installation methods

Key Features of Kubescape:

  • Comprehensive Security Scans: Kubescape assesses Kubernetes setups using over 220 security controls, covering various hardening and compliance frameworks. This includes scanning for vulnerabilities in container images and Kubernetes infrastructure.
  • eBPF Integration: By utilizing eBPF, Kubescape adds a layer of intelligence to scans, enhancing the signal-to-noise ratio of security alerts.
  • Shift-Left Approach: Kubescape supports scanning during the early stages of CI/CD pipelines, allowing developers to detect and rectify security issues before deployment.
  • Rich Output Formats: Outputs can be generated in multiple formats such as JSON, JUnit XML, PDF, and HTML, facilitating integration with other tools and systems.
  • Extensive Support for Different Scenarios: Whether it’s scanning a live cluster, Helm charts, or local YAML files, Kubescape provides flexibility in how and what you scan.

Pros of Using Kubescape:

  • Versatility: Kubescape’s ability to scan various configurations and its integration capabilities make it highly adaptable for different security needs.
  • Comprehensive Coverage: The wide range of security controls ensures thorough scrutiny of all aspects of Kubernetes security.
  • Real-Time Feedback: Integration with CI/CD pipelines helps catch vulnerabilities early in the development cycle.
  • Community and Support: As a CNCF project, Kubescape benefits from a strong community and ongoing enhancements from contributors.

Cons of Using Kubescape:

  • Complexity in Results Interpretation: Beginners may find the detailed results challenging to interpret without sufficient Kubernetes security knowledge.
  • Installation Options and Updates: While Kubescape offers multiple installation methods, including package managers and direct script executions, each method has its nuances. The script-based installation, while straightforward, does not provide automatic updates, which are crucial for maintaining security tools. Users must manually update Kubescape to benefit from the latest features and patches. This could lead to version discrepancies and potential security gaps if not regularly maintained. On the other hand, package manager installations, like those through Homebrew or APT, support easier updates but might require additional setup or permissions depending on the system.

Furthermore, installing Kubescape inside a cluster using Helm charts adds operational complexity but enables continuous scanning and integration with cluster management. This method is powerful but requires a good understanding of Kubernetes operations and Helm.

Instead of detailing the commands here, I’ve prepared a Github repo that guides you through the steps of using the Kubescape.

Example Scans

  • Framework

    1
2
3
4
5

    # NSA Framework
kubescape scan framework nsa

# MITRE ATT&CK® framework
kubescape scan framework mitre

  • Kubernetes cluster

    1

    kubescape scan --verbose

Conclusion

Kubescape is an indispensable tool for Kubernetes security, offering broad scanning capabilities that help secure clusters against modern threats. Its integration with eBPF and support for numerous output formats make it suitable for various organizational needs, though it does require some level of expertise to fully leverage. With its robust community support and continuous updates, Kubescape remains at the forefront of Kubernetes security solutions.

Kubescape Embracing Enhanced Kubernetes Security with Kubescape

sre devops kubernetes security cncf
This post is licensed under CC BY 4.0 by the author.