Make Kubernetes security more effective with Kubescape by ARMO

1. Introduction to Kubescape

Kubescape is one of the fastest-growing open-source Kubernetes security and compliance projects. It scans clusters, YAML manifests and Helm charts for configurations that violate security standards such as the National Security Agency (NSA) and CISA hardening guidance, and it also scans container images for vulnerabilities. After analyzing your cluster it produces a risk report, for example in PDF or JSON format. Targeted at DevSecOps practitioners and platform engineers, it covers risk analysis, security compliance and misconfiguration scanning.

2. Important features

  • Kubernetes hardening :

    Kubernetes hardening is the set of security measures taken to reduce the attack surface of a cluster. It secures the parts of the Kubernetes architecture (the control plane, the worker nodes and the containerized workloads) that can carry flaws and incorrect configurations. Left unaddressed, these weaknesses can be exploited by threat actors.

    ARMO Platform provides compliance and vulnerability scanning. A scan can be started at the click of a button, run on a recurring schedule, or be triggered by an event. You can use it at different points throughout the software development life cycle to find vulnerabilities early and fix them while they are still cheap to fix.

    Each scan produces a score against the selected framework. You can run the scan multiple times, against all the available frameworks; the most commonly used are NSA-CISA, CIS and MITRE ATT&CK. You can also define a custom framework made of the controls that matter to you.

  • Securing CI/CD pipelines :

    The purpose of CI/CD is to automate and streamline the software development process by making small changes and additions incrementally. It helps in pushing out features faster while preventing issues that could cause release delays — or worse, that could result in an application release being rolled back.

    CI/CD is a vital part of developing and deploying cloud-native applications. It is both a conduit and a repository of assets that are critical to your organization. This makes it an attractive attack surface.

    Attackers have several entry points into a pipeline: open-source third-party code, the automation tooling itself (for example GitHub Actions or Jenkins), and base images. Even an image pulled from a well-established registry can carry misconfigurations and vulnerabilities. Developers who skip code-security best practices widen the attack surface further.

    The goal is to detect issues as they arise, at a stage where they are easy to fix. When security, performance and availability issues are found after the product is complete or released, remediation becomes time-consuming and expensive, which is the direct opposite of what CI/CD sets out to achieve. Often these issues are only discovered in production, which for severe security flaws can be catastrophic.

    ARMO Platform helps you keep the CI/CD pipeline secure from the moment you write your first line of YAML through to clusters in production. It works at each of the four recommended security gates, so that application development and delivery stay both quick and secure.

  • Kubernetes security compliance :

    Compliance in Kubernetes spans several aspects of the platform, including security, data privacy, network security and incident response. The aim of making your Kubernetes infrastructure meet compliance requirements is to minimize the risk of security breaches and protect sensitive data.

    To protect against unauthorized access, you first need to know the potential access points that can be exploited. These can come from third-party images and code repositories, and can often be mapped to a third-party product in use. Additionally, Role-Based Access Control (RBAC) must be defined correctly and continuously watched for drift: a binding added by hand or by a Helm chart can quietly widen access long after the initial review. After identifying and prioritizing vulnerabilities you can get to the task of fixing them, and so reach a more secure and compliant posture. ARMO Platform is an auditor-approved product that surfaces Kubernetes security vulnerabilities tagged by priority.

  • Controlling Kubernetes access with RBAC :

    Role Based Access Control (RBAC) determines whether a certain subject (e.g. a user, a group or a service account) is allowed to perform a certain action on a given resource.

    ARMO Platform assesses the RBAC configuration as part of posture scanning. It also visualizes the current RBAC configuration and provides built-in query functions for investigating it at runtime.
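As an added example (not code from Kubescape or ARMO), here is a small RBAC audit in Python in the spirit of the checks a posture scanner runs against the subject/action/resource model described above, together with a drift check that compares two snapshots of bindings. The objects are Python dicts in the shape of the items returned by `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the sample roles and bindings at the bottom are constructed for this example, and the severity labels and the choice of which verbs count as escalation-prone are mine, not Kubescape's control definitions.

```python
# Added example, not code from Kubescape or ARMO: a small RBAC audit of the kind a
# posture scanner runs, plus a drift check between two snapshots of bindings.
# Objects are dicts shaped like the items in
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
# The sample objects at the bottom are constructed for this example.
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]          # (object, severity, message)
Edge = Tuple[str, str, str, str, str]   # (binding, role, subject kind, subject ns, subject name)

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}   # let a subject grow its own rights
READ_VERBS = {"get", "list", "watch", "*"}
EVERYONE = {"system:authenticated", "system:unauthenticated"}


def ref(obj: dict) -> str:
    """Short identifier: Kind/namespace/name ('-' for cluster-scoped objects)."""
    meta = obj["metadata"]
    return f"{obj['kind']}/{meta.get('namespace', '-')}/{meta['name']}"


def audit_role(obj: dict) -> List[Finding]:
    """Flag Role/ClusterRole rules that grant wildcard or escalation-prone rights."""
    out: List[Finding] = []
    for rule in obj.get("rules", []):
        verbs: Set[str] = set(rule.get("verbs", []))
        resources: Set[str] = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            out.append((ref(obj), "High", "wildcard verbs on wildcard resources (cluster-admin equivalent)"))
        elif "*" in verbs or "*" in resources:
            out.append((ref(obj), "Medium", "wildcard verb or resource"))
        if "secrets" in resources and verbs & READ_VERBS:
            out.append((ref(obj), "High", "can read Secrets"))
        if verbs & ESCALATION_VERBS:
            out.append((ref(obj), "High", "escalation verbs: " + ",".join(sorted(verbs & ESCALATION_VERBS))))
        if "pods/exec" in resources and verbs & {"create", "*"}:
            out.append((ref(obj), "Medium", "can exec into pods"))
    return out


def audit_binding(obj: dict) -> List[Finding]:
    """Flag bindings that hand out cluster-admin, or cluster-wide roles to ServiceAccounts or to everyone."""
    out: List[Finding] = []
    role = obj["roleRef"]["name"]
    for s in obj.get("subjects", []):
        who = f"{s['kind']} {s.get('namespace', '-')}/{s['name']}"
        if s["kind"] == "Group" and s["name"] in EVERYONE:
            out.append((ref(obj), "High", f"{role} granted to {s['name']}"))
        elif role == "cluster-admin":
            out.append((ref(obj), "High", f"cluster-admin granted to {who}"))
        elif obj["kind"] == "ClusterRoleBinding" and s["kind"] == "ServiceAccount":
            out.append((ref(obj), "Medium", f"cluster-wide role {role} granted to {who}"))
    return out


def audit(objects: List[dict]) -> List[Finding]:
    """Run the matching check for each object; highest severity first, then by object name."""
    out: List[Finding] = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            out.extend(audit_role(obj))
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            out.extend(audit_binding(obj))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(out, key=lambda f: (rank[f[1]], f[0]))


def binding_edges(bindings: List[dict]) -> Set[Edge]:
    """Flatten bindings into (binding, role, subject) edges so two snapshots can be compared."""
    edges: Set[Edge] = set()
    for b in bindings:
        for s in b.get("subjects", []):
            edges.add((ref(b), b["roleRef"]["name"], s["kind"], s.get("namespace", "-"), s["name"]))
    return edges


def binding_drift(baseline: List[dict], current: List[dict]) -> Dict[str, List[Edge]]:
    """Grants that appeared or disappeared since the reviewed baseline."""
    before, after = binding_edges(baseline), binding_edges(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample objects (not taken from any real cluster).
WIDE_OPEN = {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
POD_READER = {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}
SECRET_READER = {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "dev"},
                 "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]}
DEV_READERS = {"kind": "RoleBinding", "metadata": {"name": "dev-readers", "namespace": "dev"},
               "roleRef": {"kind": "Role", "name": "pod-reader"},
               "subjects": [{"kind": "Group", "name": "developers"}]}
CI_ADMIN = {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]}

if __name__ == "__main__":
    for obj, sev, msg in audit([WIDE_OPEN, POD_READER, SECRET_READER, DEV_READERS, CI_ADMIN]):
        print(f"{sev:<6} {obj:<32} {msg}")
    print(binding_drift([DEV_READERS], [DEV_READERS, CI_ADMIN]))
```

Run it as-is to audit the constructed sample, or feed `audit()` the items array from a real `kubectl -o json` dump. The drift check is what "watched for drift" means in practice: diff the (binding, role, subject) edges against a reviewed baseline and alert on additions, rather than re-reading every binding by hand.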

3. Overall architecture

  • Component architecture

  • CLI

  • Operator

4. Installation

  • Installing Kubescape for ARMO Platform

    ARMO Platform is the enterprise offering built on Kubescape. It is a multi-cloud Kubernetes and CI/CD security platform with a single pane of glass covering risk analysis, security compliance, misconfiguration and image vulnerability scanning, repository and registry scanning, RBAC visualization, and more.

Sign up for ARMO Platform and create your free account. You will need your account ID to be able to submit scan results from your cluster.

If you haven't installed the Kubescape client yet, go back to the quick start and follow the instructions there. When you run kubescape, add the --account option to submit your results to ARMO Platform automatically:

kubescape scan --enable-host-scan --account=5e1ec7ed-f4c3-b33f-ca1f-00de7ec7ab1e

Testing your installation:

$ kubescape version
Your current version is: v3.14.159
  • Installing Kubescape CLI on Windows

    Use the following command to install the Kubescape CLI on Windows using PowerShell.

$ iwr -useb raw.githubusercontent.com/armosec/kubescape.. | iex

If Kubescape downloaded without errors, you will see the installer's confirmation output.

The installation may fail if PowerShell script execution is disabled, or with the error “the Internet Explorer engine is not available”. The latter comes from Invoke-WebRequest in Windows PowerShell 5.1, which parses responses with the Internet Explorer engine unless -UseBasicParsing (the -useb switch in the command above) is given; keep that switch, or complete Internet Explorer's first-launch configuration once, and then rerun the installation. Since the command pipes a script fetched from the internet straight into iex, it is worth downloading the script first and reading it before executing it. If the execution policy was the problem, allow locally written and remotely signed scripts for your user with:

$ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
  • Installing Kubescape CLI on macOS

    Use the following two commands to install Kubescape using Homebrew. If you don’t have Homebrew, install it first from Brew.

    Start by adding the Kubescape tap:

$ brew tap armosec/kubescape

    Install Kubescape:

$ brew install kubescape
  • Installing on Linux

sudo add-apt-repository ppa:kubescape/kubescape
sudo apt update
sudo apt install kubescape
  • Use the following command to get all the available commands:

$ kubescape -h

  • You can also get extra information on a certain command by adding the -h flag. For example:

$ kubescape scan -h

5. How to Scan Your Kubernetes Cluster Using Kubescape

Kubescape uses security frameworks and compliance standards such as MITRE ATT&CK and the National Security Agency (NSA) hardening guidance to analyze the security risks and vulnerabilities found in your cluster. MITRE ATT&CK describes adversary techniques and is used to model threats, while the NSA guidance is a list of recommendations for securing clusters. The kubescape scan command scans every Kubernetes object available in your cluster, including resources installed by Helm charts. Commonly used flags are:

  • --submit: sends the scan results to the ARMO management portal.

  • --enable-host-scan: deploys the ARMO host-sensor DaemonSet, which collects information from the nodes themselves (configuration that is not visible through the API server) so that node-level controls can be evaluated.

  • --verbose: displays every resource scanned, not only the failing ones.

Use the following command to scan your cluster:

$ kubescape scan --submit --enable-host-scan --format-version v2 --verbose

This scanning command will output all the security analyses of every object in your cluster.

6. How to Analyze Kubescape Scan Results

The scan output is a table of findings per object; the following table shows the risk analysis of a Deployment. Each row has the following fields:

  • Threat severity: how critical the finding is. There are three levels: High, Medium and Low.

  • Control Name: the name of the control, that is, the component or aspect being checked.

  • Docs: a link to the page describing the risk that the control detects.

  • Assistant remediation: the change to make to your YAML file or cluster to eliminate the finding.
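To turn these fields into something a pipeline can act on, the following added example (not Kubescape's or ARMO's code) triages a JSON report written with `kubescape scan --format json --format-version v2 --output results.json`, groups the failed controls by severity with the resources that failed them, and returns a CI exit status. The report layout it reads (summaryDetails.controls keyed by control ID, each with a status and scoreFactor; results[] with per-resource control statuses) is my reading of the v2 JSON format and should be checked against your own output; the score-factor-to-severity thresholds (9/7/4) and the sample report are assumptions constructed for this example.

```python
# Added example, not code from Kubescape or ARMO: triage a JSON report from
#   kubescape scan --format json --format-version v2 --output results.json
# and turn it into a CI gate. The layout read here (summaryDetails.controls keyed by
# control ID with status and scoreFactor; results[] listing per-resource control
# statuses) is my reading of the v2 JSON output. The score-factor thresholds and the
# sample report are assumptions constructed for this example.
import json
import sys
from collections import defaultdict
from typing import Dict, List

SEVERITIES = ["Critical", "High", "Medium", "Low"]   # worst first


def sample_report() -> dict:
    """Constructed stand-in for results.json: two Deployments, two failing controls."""
    return {
        "summaryDetails": {
            "status": "failed",
            "controls": {
                "C-0057": {"controlID": "C-0057", "name": "Privileged container",
                           "status": "failed", "scoreFactor": 8.0},
                "C-0016": {"controlID": "C-0016", "name": "Allow privilege escalation",
                           "status": "failed", "scoreFactor": 6.0},
                "C-0004": {"controlID": "C-0004", "name": "Resources memory limit and request",
                           "status": "passed", "scoreFactor": 8.0},
            },
        },
        "results": [
            {"resourceID": "apps/v1/default/Deployment/web",
             "controls": [{"controlID": "C-0057", "status": {"status": "failed"}},
                          {"controlID": "C-0016", "status": {"status": "failed"}},
                          {"controlID": "C-0004", "status": {"status": "passed"}}]},
            {"resourceID": "apps/v1/default/Deployment/logger",
             "controls": [{"controlID": "C-0057", "status": {"status": "passed"}},
                          {"controlID": "C-0016", "status": {"status": "failed"}},
                          {"controlID": "C-0004", "status": {"status": "passed"}}]},
        ],
    }


def severity(score_factor: float) -> str:
    """Map a control's score factor to a severity bucket (thresholds are an assumption)."""
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"


def failed_controls(report: dict) -> List[dict]:
    """Failed controls with their severity and the resources that failed them, worst first."""
    failing: Dict[str, List[str]] = defaultdict(list)
    for result in report.get("results", []):
        for ctl in result.get("controls", []):
            if ctl.get("status", {}).get("status") == "failed":
                failing[ctl["controlID"]].append(result["resourceID"])
    out = []
    for cid, ctl in report["summaryDetails"]["controls"].items():
        if ctl.get("status") != "failed":
            continue
        out.append({"id": cid, "name": ctl.get("name", cid),
                    "severity": severity(float(ctl.get("scoreFactor", 0))),
                    "resources": sorted(failing.get(cid, []))})
    out.sort(key=lambda c: (SEVERITIES.index(c["severity"]), c["id"]))
    return out


def gate(report: dict, fail_on: str = "High") -> int:
    """CI exit status: 1 if any failed control is at or above fail_on, else 0."""
    limit = SEVERITIES.index(fail_on)
    return int(any(SEVERITIES.index(c["severity"]) <= limit for c in failed_controls(report)))


def load(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    report = load(sys.argv[1]) if len(sys.argv) > 1 else sample_report()
    for c in failed_controls(report):
        print(f"{c['severity']:<8} {c['id']} {c['name']}: {', '.join(c['resources'])}")
    sys.exit(gate(report, "High"))
```

`python3 triage.py results.json` prints the summary and exits non-zero when a High or Critical control failed, which is the kind of gate that belongs in the CI stages mentioned in section 2; lower `fail_on` to "Medium" once the High findings are cleared.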

Findings classified as High should be fixed within a short period of time. Use the Docs and Assistant remediation columns to guide the fix. The --verbose output can be overwhelming in a terminal, and in PowerShell the first lines scroll out of the buffer. To keep the full result, write it to a PDF instead:

$ kubescape scan --format pdf --output results.pdf

results.pdf is saved in the directory you ran the scan from. The results look like this in PDF format:

Kubescape allows you to scan the cluster using your desired security framework such as the NSA framework. All you have to do is state the name of the framework as shown below:

$ kubescape scan framework nsa --submit --format pdf --output nsa.pdf

You can also scan for a single control. For example, to find containers that run with privileged rights (securityContext.privileged: true, which gives the container access to the host's devices and kernel capabilities), use the “Privileged container” control:

$ kubescape scan control "Privileged container" --format pdf --output privcontainer.pdf

7. How to Scan a Specific YAML File

The following file, logger.yaml, defines a workload that writes a log line to standard output every second. You can scan it with Kubescape. Here are the contents of the YAML file:

Use the following command to scan the above YAML file:

$ kubescape scan logger.yaml --format pdf --output logger.pdf

8. Demo

9. Contribute & Get involved with Kubescape community

📌 Contribute to GitHub Repository

📌 Get involved to Kubescape slack channel

📌 Follow the Kubescape community on Twitter

📌 Follow the Kubescape community on Linkedin

10. Resources

🚩 https://www.armosec.io/

🚩 https://www.armosec.io/kubescape/

🚩 https://www.armosec.io/glossary/

🚩 https://youtu.be/aBFc_7-8s_A

🚩 https://youtu.be/lASBpmudfrI

🚩 https://youtu.be/iJVHIkMJK-g

🚩 https://youtu.be/qq-73XQfH3s

🚩 https://youtu.be/C-L7_jiHF9U

That's all for this blog; I hope you learned something new. Feel free to share your thoughts and feedback, and thanks for reading.

Feel free to reach out to me 👀

Twitter 🖱

LinkedIn 🖱

Github 🖱
