Kubescape Decoded: Making Kubernetes Safety Simple

Albert Weng
5 min readOct 29, 2023

Today, let’s talk about a tool for secure and compliant Kubernetes scanning. It helps ensure your Kubernetes setup and app deployments follow best security practices and identifies potential security issues.

Finding any potential leads

Here’s what this article will cover:

  1. What is Kubescape?
  2. Deploying Kubescape
  3. Basic Usage
  4. Conclusion

Let’s get started!”

1. What is Kubescape?

Where’s the problem?

Kubescape is a tool for scanning Kubernetes for security compliance. But first, let’s briefly explain why we need security compliance. The main goal is to ensure that our system is secure and follows legal requirements. This is achieved through regular checks to accomplish the following key objectives:

  • Ensuring there are no risks of data leakage and loss.
  • Ensuring compliance with relevant laws and regulations (HIPAA, NIST, PCI DSS…).
  • Identifying these vulnerabilities (CVE).
  • Continuously improving.

For Kubernetes, Kubescape is a tool that helps managers efficiently achieve these goals. Its main features are:

  • Risk Assessment: Kubescape scans various components in a Kubernetes cluster, such as Pods, Services, Roles, ConfigMaps, Secrets, and more. It checks their configurations for potential security risks, like privilege escalations, insecure permission settings, and vulnerabilities.
  • Custom Configuration: Kubescape lets you define custom configuration files to check for specific security policies and best practices according to your needs.
  • Security Reports: After the scan is complete, Kubescape generates detailed security reports listing the identified issues and recommended remediation steps.

Kubescape has a user-friendly command-line interface with various output options and an automatic scanning feature. It also offers an online dashboard for smaller clusters.

You can use Kubescape to scan active clusters, YAML files, and Helm Charts. It checks for misconfigurations based on various security frameworks like NSA-CISA and CIS Benchmark. Kubescape is developed by ARMO and is a part of CNCF projects.

2. Deploying Kubescape

Let’s look at how to set up Kubescape in Kubernetes.

#-------------------------------------------
# S2-1. Verify the current status
#-------------------------------------------
[master]# kubectl get nodes
#-------------------------------------------
# S2-2. Install & Run
#-------------------------------------------
[master]# wget https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh
[master]# chmod +x install.sh ; ./install.sh
#-------------------------------------------
# S2-3. Scan the cluster and generate a PDF file
#-------------------------------------------
[master]# kubescape scan --enable-host-scan --format pdf --output results.pdf --verbose

If the report can be generated correctly, it means the installation was successful. Next, we’ll proceed with some basic operations.

3. Basic Usage

#-------------------------------------------
# S3-1. specific namespace
#-------------------------------------------
[master]# kubescape scan --include-namespaces kube-system
#-------------------------------------------
# S3-2. Scan specific files before deployment
#-------------------------------------------
[master]# kubescape scan /root/networking/ingress-controller/nginx-community/nginx-ingress-controller/manifests/*.yaml
#-------------------------------------------
# S3-3. Scan using different frameworks
#-------------------------------------------
[master]# kubescape scan framework nsa
[master]# kubescape scan framework mitre

4. Conclusion

In general, environments used within a company invariably need to meet various security requirements. Besides careful planning before deployment and regular version updates, administrators also rely on external tools to assist in scanning and uncovering any potential issues that might have gone unnoticed.

Moreover, different audits and checks demand specific reports. Kubescape can apply standards tailored to various industries, allowing management teams to conduct scans that best suit their industry and ensure their environment meets industry standards.

Finally, here are a few use cases to consider when determining if Kubescape might be needed:

  • Security Audits and Remediation: Utilize Kubescape for regular security audits of your production Kubernetes clusters. Identify potential security issues, such as improper permission configurations or containers running in privileged mode, and take measures to address these problems to enhance system security.
  • Compliance Testing: When there’s a need to comply with specific standards, such as GDPR or HIPAA, Kubescape can be used to ensure the configuration of the Kubernetes environment aligns with these requirements. This helps prevent violations of legal regulations and reduces compliance risks.
  • Container Image Security Checks: Kubescape can perform security checks not only on cluster configurations but also on container images. Organizations can use it to ensure that the container images they use do not contain known vulnerabilities or malicious software, thus reducing the risk of attacks.
  • CI/CD Security: Integrating Kubescape into your CI/CD pipeline allows for automatic security audits before deployment. This ensures the security of new code or container images and prevents potential issues from entering the production environment.
  • Ensuring Cloud-Native Application Service Security: When building and deploying cloud-native apps, Kubescape helps secure both the application and the underlying infrastructure, protecting every part of a microservices setup.
  • Testing New Security Policies: Kubescape is valuable for testing and verifying new security policies, like access control or network policies, to ensure they function correctly and don’t introduce insecure configurations.

Integrating tools like Kubescape into DevSecOps processes and considering the mentioned scenarios ensures the security of containerized applications in Kubernetes environments. This reduces potential risks, enhances application security, and ensures Kubernetes cluster configurations adhere to best practices. In today’s modern environments with an increasing reliance on container services, using such tools is a vital skill to ensure security in this field.

--

--

Albert Weng

You don't have to be great to start, but you have to start to be great