Kubernetes hardening using KubeScape
Kubescape: a Kubernetes open-source platform providing a multi-cloud Kubernetes single pane of glass
A colleague of mine suggested that I look into Kubescape while we were discussing Kubernetes cluster hardening. Kubescape is an open-source tool that codifies the Kubernetes hardening guidance published by the NSA and CISA. I will describe my journey of discovery with Kubescape in the hope that it helps you achieve a higher security baseline for your Kubernetes clusters.
Installation
Kubescape is a single binary that you download and execute. The project documents its install process, but I dislike curl-to-pipe commands, so instead I went to the releases section, downloaded the appropriate binary for my platform and put it in my PATH. From my shell I could then verify that the binary was installed successfully by running the following command.
$ kubescape -h
Kubescape is a tool for testing Kubernetes security posture based on NSA specifications.
Usage:
kubescape [command]
Available Commands:
completion generate the autocompletion script for the specified shell
download Download framework controls
help Help about any command
scan Scan the current running cluster or yaml files
Flags:
-h, --help help for kubescape
Use "kubescape [command] --help" for more information about a command.
Running Kubescape
There are two fundamental ways of running Kubescape. You can either scan a running Kubernetes cluster or scan a location containing Kubernetes resource manifests. The tool's output is pass/fail/warning guidance on whether your Kubernetes resources comply with the hardening guidance. Let's try running Kubescape against a running cluster with the following command. This command assumes that you have a kubeconfig file in the default location. It scans all resources in all namespaces except those excluded by the flag.
$ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
ARMO security scanner starting
[progress] Downloading/Loading framework definitions
[success] Downloaded/Loaded framework
[progress] Accessing Kubernetes objects
W0910 21:29:44.139597 38285 warnings.go:70] batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
[success] Accessed successfully to Kubernetes objects, let’s start!!!
[progress] Scanning cluster
◑ [success] Done scanning cluster
[control: Allow privilege escalation] passed 👍
Description: Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Summary - Passed:8 Warning:0 Failed:0 Total:8
[control: Allowed hostPath] failed 😥
Description: Mounting host directory to the container can be abused to get access to sensitive data and gain persistence on the host machine.
Namespace security-profiles-operator
DaemonSet - spod
In the output above you can see the scan start, followed by the result of each individual test. For each test, the output lists the resources that are not compliant with that specific control. I have intentionally trimmed the output above because it is very long. I will dig into a few individual sections below. Let's look at the scan summary, which is at the end of the scan output. You can see each test that was run and the outcome of each test.
Let’s also take a look at the output from a specific test.
You can see that for the test named Automatic mapping of service account, 12 resources failed. You can also see the names of the non-compliant resources. The summary of the same result is also present in the summary table above. You can also run Kubescape against Kubernetes manifests, which is a great way to stop violations before the resources are deployed to a Kubernetes cluster. The output is identical to that of scanning a running cluster, as seen above. Here is an example command:
$ kubescape scan framework nsa nginx.yaml
You can also run it against a directory, URL, or wildcard filenames.
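To show what a manifest scan is actually checking, here is a small added example (my own illustration, not Kubescape's code) that evaluates a manifest against the two controls that appear in the output above, Allowed hostPath and Allow privilege escalation. The manifests are constructed samples in JSON form (the JSON shape of a Kubernetes manifest, so no YAML library is needed), one weak and one hardened.

```python
import json

# Constructed sample manifests (JSON form of a DaemonSet); not taken from the page.
WEAK_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "demo-agent", "namespace": "demo"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "cfg", "configMap": {"name": "demo-cfg"}}],
        "containers": [{"name": "agent", "image": "agent:1.0"}],
    }}},
})
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "demo-agent", "namespace": "demo"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "cfg", "configMap": {"name": "demo-cfg"}}],
        "containers": [{"name": "agent", "image": "agent:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    }}},
})

def pod_spec(obj):
    """Return the pod spec for a Pod, or the embedded pod template spec of a workload."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def host_path_volumes(obj):
    """Names of volumes that mount a host directory (the 'Allowed hostPath' control)."""
    return [v["name"] for v in pod_spec(obj).get("volumes", []) if "hostPath" in v]

def escalation_allowed(obj):
    """Containers that do not explicitly set allowPrivilegeEscalation: false
    (the 'Allow privilege escalation' control); Kubernetes allows it by default."""
    spec = pod_spec(obj)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["name"] for c in containers
            if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False]

def scan_manifest(text):
    """Return {control name: offending names}; an empty dict means both controls passed."""
    obj = json.loads(text)
    findings = {}
    if host_path_volumes(obj):
        findings["Allowed hostPath"] = host_path_volumes(obj)
    if escalation_allowed(obj):
        findings["Allow privilege escalation"] = escalation_allowed(obj)
    return findings
```

Running `scan_manifest` on the weak manifest reports both controls; the hardened manifest drops the hostPath volume and sets `allowPrivilegeEscalation: false`, so it returns no findings.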
Summary
Kubescape is an easy way to determine if Kubernetes resources meet the guidelines provided in the NSA and CISA Kubernetes hardening guide. Using tools like this makes it easy to improve the overall security posture of the workloads running on your Kubernetes clusters and I hope to see many new frameworks being integrated into tools like Kubescape.