Kubernetes has taken the tech world by storm. It is an innovative and powerful platform for container orchestration, enabling organizations to streamline the deployment, scaling, and management of their applications. But nothing in the tech world is immune to security attacks, and Kubernetes has seen its fair share of vulnerabilities.
According to a recent report, 93% of respondents experienced at least one Kubernetes-related security incident within the prior 12 months, and 31% suffered revenue or customer loss. Common security challenges range from misconfigurations to node, API, and data vulnerabilities.
To help you navigate this treacherous terrain, we’re discussing Kubescape, an invaluable tool to protect your Kubernetes Containers, and show you how to use it to monitor your Kubernetes’ security.
Kubescape, created by ARMO, is a powerful tool designed to protect Kubernetes containers by ensuring they adhere to security best practices and remain compliant. Its primary purpose is to analyze Kubernetes deployments against a predefined set of rules, known as the Kubernetes Hardening Guide, but you can also set your custom policies.
You can integrate Kubescape with existing Continuous Integration/Continuous Deployment (CI/CD) pipelines and manually scan code or automatically trigger scans through IDE integrations. The results can be exported in various formats, such as JSON or HTML, allowing seamless integration into your existing reporting and auditing processes.
Kubescape can also help you improve performance metrics such as Mean Time to Detect (MTTD) and Change Failure Rate, strengthening your overall security posture. Jit now supports Kubescape - so you easily integrate this tool into your workflows and automate scans across various software lifecycle stages.
Earlier this year, the Cloud Native Computing Foundation (CNCF) accepted Kubescape as a sandbox project. This recognition signifies that Kubescape is seen as a valuable addition to the CNCF ecosystem, aligning with its mission to foster and advance the adoption of cloud-native technologies.
Kubescape analyzes your Kubernetes deployment configurations against the Kubernetes Hardening Guide. This guide is based on NSA and CISA guidelines, providing a comprehensive set of controls designed to help protect your Kubernetes infrastructure. The rules are divided into four main categories, each addressing specific areas of concern:
Incorporating Kubescape into your security strategy complements other essential practices, such as Web Application Security Testing, ensuring comprehensive protection against various threats.
This short tutorial takes you through the end-to-end process of running Kubescape to effectively track security improvements and ensure your Kubernetes environment remains secure and compliant with the Kubernetes Hardening Guide.
Before using Kubescape, you must install the Kubescape Command Line Interface (CLI) on your system. The installation process varies depending on your operating system:
Run the following command in your terminal to install Kubescape:
After completing the installation, you can verify that Kubescape is correctly installed by running the kubescape --version in your terminal or command prompt. This command should display the current version of Kubescape.
To run Kubescape on a Kubernetes cluster, retrieve the current cluster configuration using the kubectl command and then pass it to Kubescape for analysis.
Ensure you have kubectl installed and configured to connect to your Kubernetes cluster. You can verify this by running kubectl cluster-info. This command should return information about your cluster.
Run the following command to fetch the entire cluster configuration and use Kubescape to analyze it against the Kubernetes Hardening Guide:
Let's break down the command and explain each part:
You can scan your entire Kubernetes environment with Kubescape in one go and receive the results in a human-readable YAML format, making it easier to analyze and act upon any identified security issues.
After running Kubescape on your cluster, you will receive an output report. To effectively explore the running cluster configuration, follow these steps:
Here is an illustrative example of what a Kubescape output report might look like. Please note this is a simplified example, and actual output will vary based on your Kubernetes environment and any potential security issues it might have.
In the example output report above:
This output can help you identify and prioritize security issues based on their severity and provide remediation recommendations to fix them. Remember, the above example is a simplified representation. The actual output could contain more detailed information depending on the complexity of your Kubernetes deployment and its security status.
Scanning Kubernetes manifest files using Kubescape helps identify and fix security issues before deployment. To review your manifest files:
kubescape --manifest <path-to-your-manifest-file> --format yaml
After implementing recommended remediations and running Kubescape on your updated manifest files or running cluster, follow these steps to examine the new output:
As Kubernetes doesn't inherently prioritize security, it's crucial to adopt a proactive DevSecOps approach and prioritize safety when managing your containers. This is where Kubescape can become an indispensable tool.
At Jit, we understand the importance of building a secure, compliant, and resilient Kubernetes infrastructure by prioritizing security throughout the entire development lifecycle. With our orchestration platform, you can seamlessly integrate Kubescape into your workflows, benefit from its robust scanning capabilities and automate scans of existing K8S manifest files and every newly created PR.
Start your free account with Jit today to automate security and scan your K8s manifest files before deployment.