Hello! Readers, today we are going to learn about Kubescape, It is an important tool when we talk about Security purposes for Kubernetes. Of course, it is an open-source technology as well.
What is Kubescape?
If you visit their website then you can find, Kubescape being defined as a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning.
It is used to scan the deployment files, and helm charts as well as used to detect misconfigurations according to various frameworks such as NSA-CISA. You can use it through CLI as well as you can log in to the website and check the portal version.
If you are using Kubernetes then you need to have some security, You need to make sure your Cluster is secure and the workload inside the cluster is secure.
Security in K8
There are three principles important when it comes to security in general.
Firstly we need to make sure that the access control is secure, that is we should ensure that those processes that really need to access things, should only be able to access them.
Secondly Comes is the components or images, we need to make sure that there are not any exploits and vulnerabilities.
Thirdly the definitions, we need to make sure that the way how we define the components of our application and everything else is done well and does not pose any security risk.
So these were the main three areas that we needed to look at while thinking about the security in Kubernetes. Besides these, we do have other concerns such as no false positives
We want to reduce the number of false-positive to a minimum, If we are getting dozens of Notifications then you might ignore the important ones. We want to have a system that focuses on the important things that only matter to an important context. And this system should help in fixing the issues. We want a tool that helps to fix the issues along with detecting them.
So In this blog, we are exploring Kubescape, Let’s First Understand How to install this.
Installation of Kubescape
To Install you can simply run this command
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Getting Started with Scanning Cluster
After Installing the Kubescape, You can run
Kubescape scan --submit --enable-host-scan
This command will scan your existing cluster, In My Case, I did the scanning of my minikube cluster
Now if you scroll at the end, You will see the URL of the web portal, when you open it, you can directly login if you have your existing id and password, or else you can sign up and after doing that, You will get to see you scanned results. In the end, you will also see the various frameworks’ risk in percentage along with that.
Also by including a verbose flag in your command, You can get a detailed view of all the scans.
Scanning Via a specific Framework in Kubescape
To Scan the cluster with
nsa the framework and submit results to the Kubescape SaaS version.
kubescape scan framework nsa --submit
Similarly, you can do for
kubescape scan framework mitre --submit
Other features of Kubescape
With this, you can also scan specific namespaces, and deployment files, excluding namespaces. Suppose you want to scan a particular deployment file before deploying it or if you want to scan files from a Github repository then you can do that as well.
Scan specific namespaces
kubescape scan --include-namespaces development , testing
If you want to Scan cluster and exclude some namespaces
kubescape scan --exclude-namespaces kube-system,kube-public
json files before deploying
kubescape scan *.yaml
To Scan kubernetes manifest files from a public github repository
kubescape scan [repository url]
Now Suppose you want Output in
json format or XML format then You can run these commands
kubescape scan --format json --format-version v2 --output results.json kubescape scan --format junit --output results.xml
It also has the option to get the output in pdf or in Prometheus metrics format
Likewise, there are many other features as well that this tool provides. It Can also be Integrated with Various CI/CD tools as well as Visual studio. You can visit their official website and explore more or You can visit their Github if you would like to contribute something to this great tool.
Through this blog, you have a basic idea about how to get started with Kubescape. To learn more and explore you should visit their websites or there are various tutorials also available. If you liked this blog please do like and share.