Last Updated on April 16, 2024
If your development team uses Kubernetes (and who doesn’t these days?) you might wonder whether your clusters are configured according to best practices, and how to automatically flag misconfigurations and other potential vulnerabilities in your Kubernetes clusters.
Enter Kubescape, one of the fastest-growing Kubernetes security and compliance open-source projects. Kubescape helps automate misconfiguration scanning, security compliance checks, and risk analysis—saving teams time, effort, and resources.
This blog post introduces Kubescape and how it can benefit DevOps teams looking to “shift security left” and embrace DevSecOps across the software development lifecycle (SDLC).
What are Kubescape use cases?
Kubescape has been created to address the growing need for DevOps teams to enforce compliance with Kubernetes security standards and best practices, especially the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) hardening guidance.
Manually testing a cluster against these long lists of hardening parameters has been a big burden for DevSecOps teams. Kubescape got its start by automating the tests outlined in the NSA/CISA hardening guidance and reporting on the results.
Originally created by ARMO, Kubescape is now a Cloud Native Computing Foundation (CNCF) sandbox project. The tool now has over 100,000 users and over 100 contributors today.
Through the proprietary ARMO Platform, Kubescape’s functionality has been broadened to include role-based access control (RBAC) testing within multi-cluster Kubernetes environments, as well as probing for known vulnerabilities and flagging the highest-risk issues based on exploitability and other contextual factors.
What are Kubescape’s main features and benefits?
Users report that one of Kubescape’s biggest advantages is rapid time to value and an organic fit with their current workflow. Many DevOps teams start to see time savings and new security insights within a few minutes of installing Kubescape.
Key benefits of Kubescape include:
- CI/CD-ready security. Kubescape helps teams “shift security left” by automating Kubernetes security and compliance testing within current DevOps workflows. It becomes quick and easy to incorporate security gates across your SDLC.
- Multi-cloud support. Kubescape works with your choice of public clouds and Kubernetes distributions.
- Compliance reporting. With Kubescape you can base your compliance testing on any (or all) of the leading Kubernetes security frameworks, including NSA-CISA, CIS Benchmarks, and/or MITRE ATT&CK.
- Container hardening. Kubescape makes it much faster and easier to identify and fix misconfigurations and other vulnerabilities before they contribute to a cybersecurity incident.
Key features for developers include:
- Native integrations with popular IDEs and CI/CD platforms.
- Ease of use so you can quickly scan and start detecting and fixing misconfigurations.
- Guardrails and remediation advice to support security across the SDLC.
What is ARMO Platform?
ARMO Platform is an enterprise class commercial product that extends the value of the open-source Kubescape solution. A multi-cloud and multi-cluster Kubernetes and CI/CD security platform and management dashboard, ARMO Platform expands Kubescape’s hardening and compliance insights along with enhanced misconfiguration scanning and remediation automation. ARMO Platform also includes prioritized reporting on container image vulnerabilities and an RBAC investigation tool.
Key ARMO Platform capabilities include:
- Working across multiple Kubernetes clusters through a single pane of glass, whereas Kubescape operates on individual clusters only.
- Automatically blocking attack paths into your Kubernetes clusters by remediating the most critical security issues.
- Automating over 90% of the most important checks so you can meet compliance requirements with minimal impact on your DevSecOps team.
- Reducing CVE-related noise by over 95% by combining runtime context with threat intelligence, so you can focus on the highest-risk alerts.
- Automatically analyzing network traffic and generating detailed policies to increase reliability with minimal time spent.
- Runtime detection and response to secure your application from design through production.
- Flexible hosting options—hosted, on-premises, or cloud-based.
Protecting the Kubernetes management plane with ARMO Platform
A key advantage of ARMO Platform is that it provides not just “security within Kubernetes” but also “the security of Kubernetes”; i.e., the Kubernetes system and management plane. Many organizations focus on securing their containers but not the control plane that schedules and manages them, and a compromised control plane exposes every workload running on it.
ARMO Platform can automatically give you a map of your Kubernetes management configuration and the role-based access controls on it. This can be an eye-opener for teams that find they are operating a complex, multi-cluster Kubernetes estate with default management access controls in place.
ARMO Platform can also give you detailed insight into container configurations. It can go a step beyond Kubescape to analyze what a container is doing and tell you whether you should make a change or not.
For example, the tool might flag a container or workload whose security context leaves allowPrivilegeEscalation enabled, which every compliance framework recommends against. Should you change or remove the capability? What if it is critical to application functionality? It may not adhere to best practice, but is it a misconfiguration? ARMO Platform can see the wider context and make the best automated recommendation.
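To make the privilege escalation check above concrete, here is an added example that is not Kubescape or ARMO code. It parses Kubernetes pod manifests in JSON form (kubectl accepts JSON as well as YAML, and json is in the Python standard library), reports each container whose effective allowPrivilegeEscalation is true and why, and applies the fix where the API server would accept it. The sample manifest, the image names and the example.com annotation used to record a reviewed exception are constructed for this example; the annotation is not a Kubernetes or Kubescape convention.

```python
import json
from copy import deepcopy

# Hypothetical annotation: a comma-separated list of containers for which a
# human has reviewed and accepted privilege escalation (constructed for this
# example, not a Kubernetes or Kubescape convention).
EXEMPT_ANNOTATION = "example.com/privilege-escalation-reviewed"

# Constructed sample pod. Only "proxy" is hardened; "mailer" is exempted.
WEAK_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "web",
    "annotations": {"example.com/privilege-escalation-reviewed": "mailer"}
  },
  "spec": {
    "initContainers": [
      {"name": "migrate", "image": "example.com/migrate:1.0",
       "securityContext": {"allowPrivilegeEscalation": true}}
    ],
    "containers": [
      {"name": "app", "image": "example.com/app:1.0"},
      {"name": "mailer", "image": "example.com/mailer:1.0"},
      {"name": "proxy", "image": "example.com/proxy:1.0",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "debug", "image": "example.com/debug:1.0",
       "securityContext": {"privileged": true}}
    ]
  }
}
""")


def all_containers(pod):
    """Init containers and regular containers, in manifest order."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def exempt_containers(pod):
    annotations = pod.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(EXEMPT_ANNOTATION, "")
    return {name.strip() for name in raw.split(",") if name.strip()}


def escalation_reason(container):
    """Why this container can gain privileges, or None if it cannot.

    The kubelet treats an unset allowPrivilegeEscalation as true, and the API
    server refuses allowPrivilegeEscalation: false on a privileged container
    or one that adds CAP_SYS_ADMIN, so those two cases get specific reasons.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return "privileged container"
    added = (sc.get("capabilities") or {}).get("add") or []
    if "SYS_ADMIN" in added or "CAP_SYS_ADMIN" in added:
        return "adds CAP_SYS_ADMIN"
    if "allowPrivilegeEscalation" not in sc:
        return "allowPrivilegeEscalation unset (defaults to true)"
    if sc["allowPrivilegeEscalation"]:
        return "allowPrivilegeEscalation explicitly true"
    return None


def scan_pod(pod):
    """Map container name -> reason for every non-exempt container that can
    gain privileges."""
    exempt = exempt_containers(pod)
    findings = {}
    for container in all_containers(pod):
        reason = escalation_reason(container)
        if reason and container["name"] not in exempt:
            findings[container["name"]] = reason
    return findings


def harden_pod(pod):
    """Return a copy with allowPrivilegeEscalation: false on every container
    the API server would accept it for. Privileged and CAP_SYS_ADMIN
    containers are left untouched: they need a human decision, and they stay
    in the scan output until one is recorded in the annotation."""
    hardened = deepcopy(pod)
    exempt = exempt_containers(hardened)
    for container in all_containers(hardened):
        sc = container.setdefault("securityContext", {})
        added = (sc.get("capabilities") or {}).get("add") or []
        if sc.get("privileged") or "SYS_ADMIN" in added or "CAP_SYS_ADMIN" in added:
            continue
        if container["name"] in exempt:
            continue
        sc["allowPrivilegeEscalation"] = False
    return hardened


if __name__ == "__main__":
    for name, reason in scan_pod(WEAK_POD).items():
        print(f"{name}: {reason}")
    print("after hardening:", scan_pod(harden_pod(WEAK_POD)))
```

Run it and the weak manifest reports migrate, app and debug; after hardening only the privileged debug container remains, which is exactly the case the paragraph describes: the tool cannot decide on its own whether that is a misconfiguration or a documented need. The Restricted Pod Security Standard additionally expects capabilities to be dropped (as the proxy container does), which this script deliberately leaves to the operator because dropping capabilities an application relies on breaks it.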
What’s next?
For more guidance on this topic, listen to Episode 133 of The Virtual CISO Podcast with guest Shauli Rozen, CEO and co-founder at ARMO.