How to use Kubescape for K8 Security?

black and gray laptop computer turned on doing computer codes
Reading Time: 4 minutes

Hello! Readers, today we are going to learn about Kubescape, It is an important tool when we talk about Security purposes for Kubernetes. Of course, it is an open-source technology as well.

What is Kubescape?

If you visit their website then you can find, Kubescape being defined as a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning.

It is used to scan the deployment files, and helm charts as well as used to detect misconfigurations according to various frameworks such as NSA-CISA. You can use it through CLI as well as you can log in to the website and check the portal version.

If you are using Kubernetes then you need to have some security, You need to make sure your Cluster is secure and the workload inside the cluster is secure.

Security in K8

There are three principles important when it comes to security in general.

Firstly we need to make sure that the access control is secure, that is we should ensure that those processes that really need to access things, should only be able to access them.

Secondly Comes is the components or images, we need to make sure that there are not any exploits and vulnerabilities.

Thirdly the definitions, we need to make sure that the way how we define the components of our application and everything else is done well and does not pose any security risk.

So these were the main three areas that we needed to look at while thinking about the security in Kubernetes. Besides these, we do have other concerns such as no false positives

We want to reduce the number of false-positive to a minimum, If we are getting dozens of Notifications then you might ignore the important ones. We want to have a system that focuses on the important things that only matter to an important context. And this system should help in fixing the issues. We want a tool that helps to fix the issues along with detecting them.

So In this blog, we are exploring Kubescape, Let’s First Understand How to install this.

Installation of Kubescape

To Install you can simply run this command

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Install

Getting Started with Scanning Cluster

After Installing the Kubescape, You can run

Kubescape scan --submit --enable-host-scan 

This command will scan your existing cluster, In My Case, I did the scanning of my minikube cluster

cluster
Here as you see it has scanned my cluster and given the details, like the No of failed controls and the severity with other details as well.

Now if you scroll at the end, You will see the URL of the web portal, when you open it, you can directly login if you have your existing id and password, or else you can sign up and after doing that, You will get to see you scanned results. In the end, you will also see the various frameworks’ risk in percentage along with that.

portal

Also by including a verbose flag in your command, You can get a detailed view of all the scans.

Scanning Via a specific Framework in Kubescape

To Scan the cluster with nsa the framework and submit results to the Kubescape SaaS version.

kubescape scan framework nsa --submit

Similarly, you can do for  MITRE ATT&CK®

kubescape scan framework mitre --submit

Other features of Kubescape

With this, you can also scan specific namespaces, and deployment files, excluding namespaces. Suppose you want to scan a particular deployment file before deploying it or if you want to scan files from a Github repository then you can do that as well.

Scan specific namespaces

kubescape scan --include-namespaces development , testing

If you want to Scan cluster and exclude some namespaces

kubescape scan --exclude-namespaces kube-system,kube-public

Scan local yaml/json files before deploying

kubescape scan *.yaml

To Scan kubernetes manifest files from a public github repository

kubescape scan [repository url]

Now Suppose you want Output in json format or XML format then You can run these commands

kubescape scan --format json --format-version v2 --output results.json

kubescape scan --format junit --output results.xml
json
xml

It also has the option to get the output in pdf or in Prometheus metrics format

Pdf

Likewise, there are many other features as well that this tool provides. It Can also be Integrated with Various CI/CD tools as well as Visual studio. You can visit their official website and explore more or You can visit their Github if you would like to contribute something to this great tool.

Conclusion:

Through this blog, you have a basic idea about how to get started with Kubescape. To learn more and explore you should visit their websites or there are various tutorials also available. If you liked this blog please do like and share.

Written by 

Passionate about Technology and always Interested to Upskill myself in new technology, Working in the field of DevOps

Leave a Reply