Introduction
Kubescape is a free tool that improves Kubernetes security by scanning clusters and detecting YAML files that are not compliant with security standards such as the National Security Agency (NSA) guidelines. It also scans for image vulnerabilities. After scanning and analyzing your cluster, it outputs the cluster’s risk analysis as a report in PDF or JSON format.
In this article, you will learn how to scan your Kubernetes cluster using Kubescape. In addition, you will learn how to analyze the Kubescape scan results.
Prerequisites
You need to have installed Kubectl and have a running cluster before starting this tutorial.
How to Install Kubescape
Kubescape is available on Windows, macOS, and Linux. This tutorial covers installation on all three.
Installing Kubescape CLI on Windows
Use the following command to install Kubescape CLI on Windows using Powershell:
$ iwr -useb raw.githubusercontent.com/armosec/kubescape.. | iex
If you have downloaded Kubescape successfully without errors, you will get the following output:
The installation may fail because PowerShell script execution has not been enabled, or with an error that says “the Internet Explorer engine is not available”. To resolve the latter error, download and install Internet Explorer, then start the Kubescape installation again; this time it will install successfully.
Also, change the execution policy and enable Powershell using the following command if you had an installation error:
$ Set-ExecutionPolicy RemoteSigned -scope CurrentUser
Installing Kubescape CLI on macOS
Use the following two commands to install Kubescape using Homebrew. If you don’t have Homebrew, go ahead and download it from brew.
1. Start by adding the Kubescape GitHub repository:
$ brew tap armosec/kubescape
2. Install Kubescape:
$ brew install kubescape
Installing Kubescape CLI on Linux
Go ahead and download Kubescape CLI binary files from GitHub. For now, Kubescape has only Ubuntu binary files.
Successful Installation Confirmation and Using the Kubescape -h Command
Use the following to check the Kubescape version:
$ kubescape version
You will get the following output if Kubescape has been downloaded successfully:
Your current version is: v2.0.152
Use the following command to get all the available commands:
$ kubescape -h
You will get the following output:
You can also get extra information on a certain command by adding the -h flag. For example:
$ kubescape scan -h
You will get the following examples on how to use the above command:
How to Scan Your Kubernetes Cluster Using Kubescape
Security compliance standards are a set of rules, guidelines, and procedures that show developers how to protect their clusters and production environments. Most of all, these security compliance standards are used to gauge the competency of organizations and individuals in securing their software.
Kubescape uses security compliance standards and security frameworks such as MITRE ATT&CK and the National Security Agency (NSA) hardening guidance to analyze security risks and vulnerabilities found in your cluster. The MITRE ATT&CK framework is used to describe adversary behaviour and model threats, while the NSA guidance is a list of recommendations that show developers how to secure their clusters.
The kubescape scan command scans every Kubernetes object available in your cluster and the Helm charts installed on your cluster. It has the following flags:
- --submit: sends the scan results to the ARMO management portal.
- --enable-host-scan: deploys the ARMO K8s host-sensor DaemonSet, which collects detailed information about the cluster from the host machines (node level), beyond what the API server alone exposes.
- --verbose: displays all the resources scanned, not only the failing ones.
Use the following command to scan your cluster:
$ kubescape scan --submit --enable-host-scan --format-version v2 --verbose
This scanning command outputs the security analysis of every object in your cluster. From the scan results, I have picked the Deployment object’s results, which I will use in the next subsection to show how to analyze the scan results.
How to Analyze Kubescape Scan Results
The following table contains the risk analysis of the deployment object. The risk analysis has the following fields:
- Threat severity: This field measures how critical the threat is. There are three severity levels: High, Medium, and Low.
- Control Name: This field states the name of the component or aspect being analyzed.
- Docs: This field contains the link that redirects you to a page that contains information about the risk and threat detected during the scan.
- Assistant remediation: This field contains changes that can be made to your YAML file or cluster in order to eliminate the threat.
Vulnerabilities classified as High should be fixed within a short period of time. Use the information from the Docs and Assistant Remediation columns to help you fix the vulnerability detected.
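Reading the same fields from the JSON report instead of the verbose table makes the triage repeatable, for example as a CI gate that fails on any High control. The following is an added Python example, not code from the article or from the Kubescape project; it assumes the v2 JSON report layout (a summaryDetails.controls map with name, status, scoreFactor and ResourceCounters per control) and assumes the scoreFactor thresholds used to derive High/Medium/Low. The embedded report is constructed for illustration, not real scan output.

```python
import json

# Constructed sample in the shape of a Kubescape v2 JSON report
# (assumption: `kubescape scan --format json --output results.json`
# yields summaryDetails.controls keyed by control ID). Control IDs,
# names and scores here are illustrative, not a real scan result.
SAMPLE_REPORT = json.dumps({"summaryDetails": {"controls": {
    "C-0057": {"controlID": "C-0057", "name": "Privileged container",
               "status": "failed", "scoreFactor": 8.0,
               "ResourceCounters": {"failedResources": 2, "passedResources": 5}},
    "C-0017": {"controlID": "C-0017", "name": "Immutable container filesystem",
               "status": "failed", "scoreFactor": 3.0,
               "ResourceCounters": {"failedResources": 7, "passedResources": 0}},
    "C-0030": {"controlID": "C-0030", "name": "Ingress and Egress blocked",
               "status": "failed", "scoreFactor": 6.0,
               "ResourceCounters": {"failedResources": 1, "passedResources": 6}},
    "C-0004": {"controlID": "C-0004", "name": "Resources memory limit and request",
               "status": "passed", "scoreFactor": 8.0,
               "ResourceCounters": {"failedResources": 0, "passedResources": 7}},
}}})


def severity(score_factor):
    """Map a control's scoreFactor to the three levels shown in the table.
    Thresholds are an assumption: >= 7 High, >= 4 Medium, otherwise Low."""
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"


def failed_controls(report_json):
    """Return failed controls ordered High -> Low, then by number of failing resources."""
    report = json.loads(report_json)
    controls = report["summaryDetails"]["controls"].values()
    rows = [{"id": c["controlID"], "name": c["name"],
             "severity": severity(c["scoreFactor"]),
             "failed": c["ResourceCounters"]["failedResources"]}
            for c in controls if c["status"] == "failed"]
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(rows, key=lambda r: (rank[r["severity"]], -r["failed"]))


def has_high_findings(report_json):
    """CI gate: True when at least one High-severity control failed."""
    return any(r["severity"] == "High" for r in failed_controls(report_json))


if __name__ == "__main__":
    for r in failed_controls(SAMPLE_REPORT):
        print(f'{r["severity"]:6} {r["id"]} {r["name"]} ({r["failed"]} failing)')
```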
The --verbose flag has limitations: the amount of output can be overwhelming, and PowerShell’s scrollback may drop the earliest details. To avoid this, write the scan results to a PDF using the following command:
$ kubescape scan --format pdf --output results.pdf
The results.pdf file is saved in the directory you are currently working in when you run the scan. The results look like this in PDF format:
Kubescape allows you to scan the cluster using your desired security framework such as the NSA framework. All you have to do is state the name of the framework as shown below:
$ kubescape scan framework nsa --submit --format pdf --output nsa.pdf
You will get the following output:
You can also scan specifically for containers running with privileged rights by naming the control, which is “Privileged container”:
$ kubescape scan control "Privileged container" --format pdf --output privcontainer.pdf
You will get the following output:
How to Scan a Specific YAML File
Now that you know how to scan a Kubernetes cluster using Kubescape, it’s time to scan a specific YAML file. I have created a YAML file called logger.yaml that defines a container which writes a log line to the standard output stream every second. I will scan this file using Kubescape. Here are the contents of the YAML file:
Use the following command to scan the above YAML file:
$ kubescape scan logger.yaml --format pdf --output logger.pdf
You will get the following output:
Conclusion
Threat visibility is a key component of security analysis: it keeps you alert and informs you of the risks in your cluster that attackers could exploit. Scanning your clusters and YAML files consistently is the best way to start your security audit sessions, as the scans show you the vulnerabilities that need to be fixed immediately.
When your production environment passes the Kubescape scan with a 0% risk score, your cluster is compliant with the NSA, MITRE, and other frameworks. You can go ahead and apply for different compliance badges. These badges boost your business’s brand, and many clients will trust your services because a security badge is a symbol of high security standards.