Kubescape - Simplifying Kubernetes Compliance for Everyone

 
lekhasri
HPE Pro


WHAT IS KUBESCAPE?

  • Kubescape is an open source Kubernetes (k8s) security tool (CNCF sandbox project) developed by ARMO.
  • It scans Kubernetes clusters and manifests for vulnerabilities and misconfigurations against the most popular security frameworks, such as CIS, NSA and MITRE ATT&CK, and can generate a detailed report for further analysis and remediation.

USE CASES:

  • Integrate with CI/CD
  • Identify misconfigurations
  • Vulnerability checks (scan YAML/JSON files)
  • Security audits (scan K8s clusters to get a detailed report)
  • Compliance verification (NSA, MITRE ATT&CK, CIS)
  • Helm chart analysis (scan Helm charts)
  • IDE integration (VS Code)

 

INSTALLATION:

  • Run the following to have kubescape up and running.

   curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash 

 

SAMPLE KUBESCAPE COMMANDS:

  • kubescape scan - Scan your cluster against the available frameworks
  • kubescape list frameworks - Display all supported compliance frameworks (e.g., NSA, MITRE, SOC2)
  • kubescape list controls - Show the full list of controls available for scanning
  • kubescape download artifacts - Download artifacts (frameworks, controls, exceptions) for air-gapped or offline scanning
  • kubescape download framework <framework-name> - Download a specific framework
  • kubescape scan --format <json|junit|prometheus|pdf|html> --output <file-name> - Export scan results in different formats (JSON, JUnit, Prometheus metrics, PDF, HTML)
  • kubescape scan --format prometheus --output scanresult - Scan the cluster and store the result in a file named "scanresult" in Prometheus format
  • kubescape scan --include-namespaces <namespace1,namespace2> - Scan only the listed namespaces (comma-separated, no spaces)
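To tie the CI/CD use case to the --format json --output option, here is an added example (not Kubescape's own code) of a pipeline gate that reads a JSON report, lists the failed controls with their resource counts like the tables below, and fails the build when a framework score drops under a threshold. It assumes the v2 JSON layout (summaryDetails.controls with status.status and ResourceCounters.failedResources, summaryDetails.frameworks with complianceScore); the embedded report is constructed from the post's example output.

```python
"""CI gate over a Kubescape JSON report (added example, not Kubescape's own code).

Assumption: the v2 layout written by `kubescape scan --format json --output results.json`,
where summaryDetails.controls maps control IDs to objects carrying name, status.status and
ResourceCounters.failedResources, and summaryDetails.frameworks carries name + complianceScore.
"""
import json

# Constructed sample report (subset of fields) mirroring the post's example scan output.
SAMPLE_REPORT = json.dumps({
    "summaryDetails": {
        "frameworks": [
            {"name": "MITRE", "complianceScore": 78.86},
            {"name": "NSA", "complianceScore": 63.36},
        ],
        "controls": {
            "C-0035": {"name": "Administrative Roles", "status": {"status": "failed"},
                       "ResourceCounters": {"failedResources": 2}},
            "C-0015": {"name": "List Kubernetes secrets", "status": {"status": "failed"},
                       "ResourceCounters": {"failedResources": 3}},
            "C-0039": {"name": "Validate admission controller (mutating)",
                       "status": {"status": "passed"}, "ResourceCounters": {"failedResources": 0}},
            "C-0057": {"name": "Privileged container", "status": {"status": "passed"},
                       "ResourceCounters": {"failedResources": 0}},
        },
    }
})

def failed_controls(report_json):
    """Return (control_id, name, failed_resources) for each failed control, most resources first."""
    summary = json.loads(report_json)["summaryDetails"]
    rows = [(cid, c.get("name", ""), c.get("ResourceCounters", {}).get("failedResources", 0))
            for cid, c in summary["controls"].items()
            if c.get("status", {}).get("status") == "failed"]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def framework_scores(report_json):
    """Map framework name to its compliance score as reported by Kubescape."""
    return {f["name"]: f["complianceScore"]
            for f in json.loads(report_json)["summaryDetails"]["frameworks"]}

def gate(report_json, min_score, allowlist=()):
    """True when every framework meets min_score and no failed control is outside the allowlist.
    The allowlist plays the role of Kubescape exceptions: reviewed findings kept as a baseline."""
    failing = [cid for cid, _, _ in failed_controls(report_json) if cid not in allowlist]
    low = [name for name, s in framework_scores(report_json).items() if s < min_score]
    return not failing and not low

if __name__ == "__main__":
    for cid, name, n in failed_controls(SAMPLE_REPORT):
        print(f"{cid:7} {n:3} resource(s)  {name}")
    print("gate:", "PASS" if gate(SAMPLE_REPORT, 60.0, allowlist={"C-0035", "C-0015"}) else "FAIL")
```

In a pipeline, exit non-zero when gate() returns False so the job fails on drift from the accepted baseline.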

 

EXAMPLE SCAN RESULT:

       

Initialized scanner
Loaded policies
Loaded exceptions
Loaded account configurations
Accessed Kubernetes objects
Control: C-0070 100% |████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (47/47, 71 it/s)
Done scanning. Cluster: default
Done aggregating results


Security posture overview for cluster: 'default'

In this overview, Kubescape shows you a summary of your cluster security posture, including the number of users who can perform administrative actions. For each result greater than 0, you should evaluate its need, and then define an exception to allow it. This baseline can be used to detect drift in future.

Control plane
┌────┬─────────────────────────────────────┬──────────────────────────────────┐
│ │ Control name │ Docs │
├────┼─────────────────────────────────────┼──────────────────────────────────┤
│ API server insecure port is enabled │ https://kubescape.io/docs/c-0005
│ Anonymous access enabled │ https://kubescape.io/docs/c-0262
│ Audit logs enabled │ https://kubescape.io/docs/c-0067
│ RBAC enabled │ https://kubescape.io/docs/c-0088
│ Secret/etcd encryption enabled │ https://kubescape.io/docs/c-0066
└────┴─────────────────────────────────────┴──────────────────────────────────┘
* failed to get cloud provider, cluster: default

Access control
┌────────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
│ Control name │ Resources │ View details │
├────────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
│ Administrative Roles │ 2 │ $ kubescape scan control C-0035 -v │
│ List Kubernetes secrets │ 3 │ $ kubescape scan control C-0015 -v │
│ Minimize access to create pods │ 3 │ $ kubescape scan control C-0188 -v │
│ Minimize wildcard use in Roles and ClusterRoles │ 2 │ $ kubescape scan control C-0187 -v │
│ Portforwarding privileges │ 2 │ $ kubescape scan control C-0063 -v │
│ Prevent containers from allowing command execution │ 2 │ $ kubescape scan control C-0002 -v │
│ Roles with delete capabilities │ 5 │ $ kubescape scan control C-0007 -v │
│ Validate admission controller (mutating) │ 0 │ $ kubescape scan control C-0039 -v │
│ Validate admission controller (validating) │ 0 │ $ kubescape scan control C-0036 -v │
└────────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘

Secrets
┌─────────────────────────────────────────────────┬───────────┬────────────────────────────────────┐
│ Control name │ Resources │ View details │
├─────────────────────────────────────────────────┼───────────┼────────────────────────────────────┤
│ Applications credentials in configuration files │ 2 │ $ kubescape scan control C-0012 -v │
└─────────────────────────────────────────────────┴───────────┴────────────────────────────────────┘

Network
┌────────────────────────┬───────────┬────────────────────────────────────┐
│ Control name │ Resources │ View details │
├────────────────────────┼───────────┼────────────────────────────────────┤
│ Missing network policy │ 5 │ $ kubescape scan control C-0260 -v │
└────────────────────────┴───────────┴────────────────────────────────────┘

Workload
┌─────────────────────────┬───────────┬────────────────────────────────────┐
│ Control name │ Resources │ View details │
├─────────────────────────┼───────────┼────────────────────────────────────┤
│ Host PID/IPC privileges │ 0 │ $ kubescape scan control C-0038 -v │
│ HostNetwork access │ 0 │ $ kubescape scan control C-0041 -v │
│ HostPath mount │ 0 │ $ kubescape scan control C-0048 -v │
│ Non-root containers │ 4 │ $ kubescape scan control C-0013 -v │
│ Privileged container │ 0 │ $ kubescape scan control C-0057 -v │
└─────────────────────────┴───────────┴────────────────────────────────────┘


Highest-stake workloads
───────────────────────

High-stakes workloads are defined as those which Kubescape estimates would have the highest impact if they were to be exploited.

1. namespace: kube-system, name: traefik, kind: Deployment
'$ kubescape scan workload Deployment/traefik --namespace kube-system'
2. namespace: kube-system, name: svclb-traefik-426278e6, kind: DaemonSet
'$ kubescape scan workload DaemonSet/svclb-traefik-426278e6 --namespace kube-system'
3. namespace: kube-system, name: local-path-provisioner, kind: Deployment
'$ kubescape scan workload Deployment/local-path-provisioner --namespace kube-system'


Compliance Score
────────────────

The compliance score is calculated by multiplying control failures by the number of failures against supported compliance frameworks. Remediate controls, or configure your cluster baseline with exceptions, to improve this score.

* MITRE: 78.86%
* NSA: 63.36%

View a full compliance report by running '$ kubescape scan framework nsa' or '$ kubescape scan framework mitre'

Learn more about kubescape? kubescape.io 



I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]