Using Kubescape to Scan Kubernetes

Boemo Wame Mmopelwa

Kubescape is a free tool that improves Kubernetes security by scanning clusters and flagging YAML manifests that do not comply with security standards such as the National Security Agency (NSA) Kubernetes hardening guidance. It also scans container images for vulnerabilities. After scanning and analyzing your cluster, it writes the cluster’s risk analysis to a report in PDF or JSON format.

In this tutorial, you will learn how to scan your Kubernetes cluster using Kubescape. In addition, you will learn how to analyze the Kubescape scan results.

Prerequisites

You need to have kubectl installed and a running cluster before starting this tutorial.

How to Install Kubescape

Kubescape is available on Windows, macOS, and Linux. This tutorial covers installation on all three.

Installing Kubescape CLI on Windows

Use the following command to install the Kubescape CLI on Windows using PowerShell:

$ iwr -useb https://raw.githubusercontent.com/armosec/kubescape/master/install.ps1 | iex

If you have downloaded Kubescape successfully without errors, you will get the following output:

Installing Kubescape...
Finished Installation

The installation may fail if PowerShell scripts are not enabled, or with an error that says “the internet explorer engine is not available”. To resolve the latter error, install Internet Explorer and then run the Kubescape installation command again; this time it will install successfully.

If the installation error was caused by the execution policy, change the policy to allow the script with the following command and then retry:

$ Set-ExecutionPolicy RemoteSigned -scope CurrentUser

Installing Kubescape CLI on macOS

Use the following two commands to install Kubescape using Homebrew. If you don’t have Homebrew, go ahead and download it from brew.

1. Start by adding the Kubescape GitHub repository:

$ brew tap armosec/kubescape

2. Install Kubescape:

$ brew install kubescape

Installing Kubescape CLI on Linux

Go ahead and download Kubescape CLI binary files from GitHub. For now, Kubescape has only Ubuntu binary files.

Confirming the Installation and Using the kubescape -h Command

Use the following to check the Kubescape version:

$ kubescape version

You will get the following output if Kubescape has been downloaded successfully:

Your current version is: v2.0.152

Use the following command to get all the available commands:

$ kubescape -h

You will get the following output:

Based on NSA \ MITRE ATT&CK(r) and other frameworks specifications

Usage:
  kubescape [command]

Examples:

  # Scan command
  kubescape scan --submit

  # List supported frameworks
  kubescape list frameworks

  # Download artifacts (air-gapped environment support)
  kubescape download artifacts

  # View cached configurations
  kubescape config view


Available Commands:
  completion  Generate autocompletion script
  config      Handle cached configurations
  delete      Delete configurations in Kubescape SaaS version
  download    Download controls-inputs,exceptions,control,framework,artifacts
  help        Help about any command
  list        List frameworks/controls will list the supported frameworks and controls
  scan        Scan the current running cluster or yaml files
  submit      Submit an object to the Kubescape SaaS version
  version     Get current version

You can also get extra information on a certain command by adding the -h flag. For example:

$ kubescape scan -h

You will get the following examples on how to use the above command:

The action you want to perform

Usage:
  kubescape scan [flags]
  kubescape scan [command]

Examples:

  Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defind frameworks

  # Scan current cluster with all frameworks
  kubescape scan --submit --enable-host-scan --verbose

  # Scan kubernetes YAML manifest files
  kubescape scan *.yaml

  # Scan and save the results in the JSON format
  kubescape scan --format json --output results.json

  # Display all resources
  kubescape scan --verbose

  # Scan different clusters from the kubectl context
  kubescape scan --kube-context <kubernetes context>

How to Scan Your Kubernetes Cluster Using Kubescape

Security compliance standards are sets of rules, guidelines, and procedures that show developers how to protect their clusters and production environments. They are also used to gauge how well organizations and individuals secure their software.

Kubescape uses security frameworks such as MITRE ATT&CK and the National Security Agency (NSA) Kubernetes hardening guidance to analyze the security risks and vulnerabilities found in your cluster. The MITRE ATT&CK framework describes adversary behaviour and is used to model threats, while the NSA guidance is a list of recommendations that show developers how to secure their clusters.

The kubescape scan command scans every Kubernetes object in your cluster, including the objects created by Helm charts installed on it. It has the following flags:

  • --submit: sends the scan results to the ARMO management portal.
  • --enable-host-scan: deploys the ARMO K8s host-sensor DaemonSet, which collects information about your cluster directly from the host (node) machines.
  • --verbose: displays all the resources scanned.

Use the following command to scan your cluster:

$ kubescape scan --submit --enable-host-scan --format-version v2 --verbose 

This command outputs the security analysis of every object in your cluster. From the scan results, I have picked the Deployment object’s results, which I will use to explain how to analyze the scan results in the next subsection.

How to Analyze Kubescape Scan Results

The following table contains the risk analysis of the Deployment object. Each row has the following fields:

  • Severity: how critical the finding is. There are three levels: High, Medium, and Low.
  • Control Name: the name of the control, that is, the component or aspect being checked.
  • Docs: a link to a page with information about the risk detected by that control.
  • Assistant Remediation: the change to make to your YAML file or cluster in order to eliminate the finding, given as a path into the manifest and the value to set.
SEVERITY   CONTROL NAME                              DOCS                                 ASSISTANT REMEDIATION
High       Resources CPU limit and request           https://hub.armo.cloud/docs/c-0050   spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE
                                                                                          spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE
Medium     Automatic mapping of service account      https://hub.armo.cloud/docs/c-0034   spec.template.spec.automountServiceAccountToken=false
Medium     CVE-2022-0492-cgroups-container-escape    https://hub.armo.cloud/docs/c-0086   spec.securityContext.runAsNonRoot=true
Medium     Ingress and Egress blocked                https://hub.armo.cloud/docs/c-0030   (none listed)
Medium     Non-root containers                       https://hub.armo.cloud/docs/c-0013   spec.securityContext.runAsNonRoot=true
Low        K8s common labels usage                   https://hub.armo.cloud/docs/c-0077   metadata.labels=YOUR_VALUE
Low        Label usage for resources                 https://hub.armo.cloud/docs/c-0076   spec.template.metadata.labels=YOUR_VALUE
Low        Resource policies                         https://hub.armo.cloud/docs/c-0009   spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

Vulnerabilities that are classified as High should be fixed within a short period of time. Use the information in the Docs and Assistant Remediation columns to help you fix the vulnerability detected.
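Findings classified as High are the ones to act on first, and that rule is easy to automate when the scan is written as JSON (kubescape scan --format json --output results.json, as shown in the help output above). The following Python script is an added example, not Kubescape’s own tooling: it loads a results file, lists the failed controls at or above a chosen severity, and returns a non-zero exit code when any are found, so it can gate a CI pipeline. The sample report embedded in it is constructed for this example and reuses the control IDs from the table; the field names (summaryDetails.controls, status, scoreFactor, ResourceCounters) follow the v2 JSON layout as this example assumes it, and the mapping from scoreFactor to a severity label (Critical 9+, High 7+, Medium 4+, Low 1+) is likewise an assumption. Check both against a real results.json produced by your Kubescape version.

```python
import json
import os
import sys
import tempfile

# Constructed sample report in the layout this example assumes for
# "kubescape scan --format json --format-version v2 --output results.json".
# Control IDs and names are the ones from the article's table; the statuses
# and counters are made up for the example.
SAMPLE_REPORT = {
    "summaryDetails": {
        "controls": {
            "C-0050": {"controlID": "C-0050", "name": "Resources CPU limit and request",
                       "status": "failed", "scoreFactor": 8.0,
                       "ResourceCounters": {"passedResources": 1, "failedResources": 3}},
            "C-0034": {"controlID": "C-0034", "name": "Automatic mapping of service account",
                       "status": "failed", "scoreFactor": 6.0,
                       "ResourceCounters": {"passedResources": 0, "failedResources": 4}},
            "C-0077": {"controlID": "C-0077", "name": "K8s common labels usage",
                       "status": "failed", "scoreFactor": 2.0,
                       "ResourceCounters": {"passedResources": 2, "failedResources": 2}},
            "C-0013": {"controlID": "C-0013", "name": "Non-root containers",
                       "status": "passed", "scoreFactor": 6.0,
                       "ResourceCounters": {"passedResources": 4, "failedResources": 0}},
        }
    }
}

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def severity(score_factor):
    """Map a control's scoreFactor to a severity label (assumed thresholds)."""
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    if score_factor >= 1:
        return "Low"
    return "Unknown"


def failed_controls(report, min_severity="High"):
    """Return the failed controls at or above min_severity, worst first."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for ctrl in report["summaryDetails"]["controls"].values():
        if ctrl.get("status") != "failed":
            continue
        sev = severity(float(ctrl.get("scoreFactor", 0)))
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= threshold:
            counters = ctrl.get("ResourceCounters", {})
            hits.append({
                "controlID": ctrl.get("controlID"),
                "name": ctrl.get("name"),
                "severity": sev,
                "failedResources": counters.get("failedResources", 0),
            })
    hits.sort(key=lambda h: SEVERITY_ORDER.index(h["severity"]), reverse=True)
    return hits


def gate(results_path, min_severity="High"):
    """Print the offending controls; return 1 if any were found, else 0."""
    with open(results_path, encoding="utf-8") as fh:
        report = json.load(fh)
    hits = failed_controls(report, min_severity)
    for hit in hits:
        print(f'{hit["severity"]:8} {hit["controlID"]} {hit["name"]} '
              f'({hit["failedResources"]} failed resources)')
    if hits:
        print(f"FAIL: {len(hits)} control(s) at severity >= {min_severity}")
        return 1
    print(f"PASS: no failed controls at severity >= {min_severity}")
    return 0


def write_sample_report():
    """Write SAMPLE_REPORT to a temp file and return its path (offline demo)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_REPORT, fh)
    return path


if __name__ == "__main__":
    # Usage: python kubescape_gate.py [results.json] [min_severity]
    path = sys.argv[1] if len(sys.argv) > 1 else write_sample_report()
    level = sys.argv[2] if len(sys.argv) > 2 else "High"
    sys.exit(gate(path, level))
```

Run with no arguments to try it on the embedded sample, or pass the path of a real results.json and a minimum severity; the process exit code is what a CI step such as a GitHub Actions job or a GitLab pipeline will use to fail the build.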

The --verbose flag has a drawback: the amount of output can be overwhelming, and the earliest results scroll out of the PowerShell window. To work around this, write the scan results to a PDF instead, using the following command:

$ kubescape scan --format pdf --output results.pdf

The results.pdf file is saved in the directory you were in when you ran the scan. The results look like this in PDF format:

Cluster Scan Results

Kubescape allows you to scan the cluster using your desired security framework such as the NSA framework. All you have to do is state the name of the framework as shown below:

$ kubescape scan framework nsa --submit --format pdf --output nsa.pdf

You will get the following output:

NSA framework scan results

You can also scan specifically for containers that run with escalated privileges by naming a single control, in this case “Privileged container”:

$ kubescape scan control "Privileged container" --format pdf --output privcontainer.pdf

You will get the following output:

How to Scan a Specific YAML File

Now that you know how to scan a Kubernetes cluster using Kubescape, it’s time to scan a specific YAML file. I have created a YAML file called logger.yaml that defines a Pod which writes a log line to the standard output stream every second. I will scan this file using Kubescape. Here are the contents of the YAML file:

apiVersion: v1
kind: Pod
metadata:
  name: logger
spec:
  containers:
  - name: count
    image: busybox:1.28
    args: [/bin/sh, -c,
            'i=0; while true; do echo "$i: $(date)"; i=$((i+1)); sleep 1; done']

Use the following command to scan the above YAML file:

$ kubescape scan logger.yaml --format pdf --output logger.pdf

You will get the following output:

Scan results of logger.yaml
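The Assistant Remediation column in the table above gives each fix as a path into the manifest (with [0] indexing into a list) followed by the value to set, and logger.yaml is a natural target for such fixes. The following Python script is an added example, not part of the article or of Kubescape: it parses those path=value strings and applies them to a manifest held as plain dicts and lists, creating any missing intermediate maps or lists along the way, and returns a hardened copy of the logger Pod. The Python form of logger.yaml is constructed here to avoid needing a YAML library. Because logger.yaml is a Pod rather than a Deployment, the paths are rewritten without the spec.template prefix, and the concrete values for the YOUR_VALUE placeholders (CPU limits, labels) and the runAsUser entry added so that runAsNonRoot does not stop the busybox image from starting are this example’s choices, not Kubescape’s.

```python
import copy
import json
import re

# Constructed Python form of the article's logger.yaml Pod (parsed into plain
# dicts and lists so that no YAML library is needed).
LOGGER_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "logger"},
    "spec": {
        "containers": [
            {
                "name": "count",
                "image": "busybox:1.28",
                "args": ["/bin/sh", "-c",
                         'i=0; while true; do echo "$i: $(date)"; i=$((i+1)); sleep 1; done'],
            }
        ]
    },
}

# Remediations in the path=value form of the Assistant Remediation column,
# rewritten for a Pod (no spec.template). The values chosen for YOUR_VALUE
# placeholders are this example's choices, not Kubescape's.
POD_REMEDIATIONS = [
    ("spec.containers[0].resources.limits.cpu=YOUR_VALUE", "250m"),
    ("spec.containers[0].resources.requests.cpu=YOUR_VALUE", "100m"),
    ("spec.automountServiceAccountToken=false", None),
    ("spec.securityContext.runAsNonRoot=true", None),
    # busybox runs as root by default; runAsNonRoot alone would make the kubelet
    # refuse to start it, so a non-root UID is also set (example choice).
    ("spec.securityContext.runAsUser=1000", None),
    ("metadata.labels=YOUR_VALUE", {"app.kubernetes.io/name": "logger"}),
]

# One token per map key ("spec") or list index ("[0]").
_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def parse_path(path):
    """Split 'spec.containers[0].resources.limits.cpu' into keys and indices."""
    return [int(idx) if idx else key for key, idx in _TOKEN.findall(path)]


def _coerce(raw):
    """Turn the textual value after '=' into a bool, int or string."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    return int(raw) if raw.isdigit() else raw


def _child(node, part, factory):
    """Return node[part], creating it with factory() if absent (lists are padded)."""
    if isinstance(part, int):
        while len(node) <= part:
            node.append(None)
        if node[part] is None:
            node[part] = factory()
        return node[part]
    if node.get(part) is None:
        node[part] = factory()
    return node[part]


def apply_remediation(manifest, remediation, value=None):
    """Apply one 'path=value' string to manifest in place and return it.

    A YOUR_VALUE placeholder is replaced by `value`; any other value is
    coerced from its textual form. Missing intermediate maps/lists are created.
    """
    path, _, raw = remediation.partition("=")
    if raw == "YOUR_VALUE":
        if value is None:
            raise ValueError(f"{path}: YOUR_VALUE needs a concrete value")
        final = value
    else:
        final = _coerce(raw)
    parts = parse_path(path)
    node = manifest
    for part, nxt in zip(parts, parts[1:]):  # descend to the parent of the last part
        node = _child(node, part, list if isinstance(nxt, int) else dict)
    last = parts[-1]
    if isinstance(last, int):
        while len(node) <= last:
            node.append(None)
    node[last] = final
    return manifest


def harden_logger_pod():
    """Return a hardened deep copy of LOGGER_POD with POD_REMEDIATIONS applied."""
    pod = copy.deepcopy(LOGGER_POD)
    for remediation, value in POD_REMEDIATIONS:
        apply_remediation(pod, remediation, value)
    return pod


if __name__ == "__main__":
    # kubectl apply -f accepts JSON, so this output can be applied directly.
    print(json.dumps(harden_logger_pod(), indent=2))
```

The same apply_remediation function handles the Deployment paths from the table unchanged, since the spec.template chain is simply created on the way down; after applying the fixes, re-run kubescape scan on the written-out manifest to confirm the corresponding controls now pass.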

Conclusion

Threat visibility is a key component of security analysis: it keeps you alert and informs you about the risks in your cluster that attackers could exploit. Scanning your clusters and YAML files consistently is the best way to start a security audit, because the scans show you the vulnerabilities that need to be fixed immediately.

When your production environment passes the Kubescape scan with a 0% risk score, your cluster is compliant with the NSA, MITRE, and other frameworks Kubescape checks against. You can then apply for the corresponding compliance badges. These badges boost your business’s brand, and clients will trust your services more, because a security badge signals high security standards.


Boemo is a software developer who embraces innovative approaches. He likes diving deep into complex concepts in order to learn and write articles that can help the reader understand complex methodologies in a simple and fun way.
