In this post, we will run a security scan on a Kubernetes cluster using Kubescape. Some time back, the NSA and CISA released their Kubernetes hardening guide, which lists a number of DOs and DON’Ts. The problem is that manually walking through the guide and testing the cluster against every recommendation is a big task. Here comes the need for a cluster scanner like Kubescape. Kubescape does not just check the NSA-CISA recommendations; it can also scan the cluster against other security frameworks, such as MITRE ATT&CK®.
Kubescape is open source, easy to install, easy to use, and works well. It is not just a misconfiguration/vulnerability scanner; it also provides capabilities like image scanning, RBAC visualization, etc. It is arguably one of the must-have tools for every Kubernetes cluster and should be part of the CI/CD pipeline.
Installation:
Run the following command to install the Kubescape CLI on the machine from which you administer the cluster; it scans whichever cluster your current kubeconfig context points at. I am running this against my home lab; it works the same way against managed Kubernetes services. Total installation time should be under a minute. Note that this pipes a remote script straight into bash; if that is not acceptable in your environment, download install.sh first, review it, and then run it.
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
Installing Kubescape...
######################################################################## 100.0%
##O=# # ######################################################################## 100.0%
#-#O=# # ######################################################################## 100.0%
Finished Installation.
Your current version is: v2.0.147
Usage: $ kubescape scan --submit --enable-host-scan
Running a cluster security scan:
Run the following command to run the security scan for your Kubernetes cluster. A three-node cluster took around two minutes to complete. Two flags deserve a word: --submit uploads the results to the vendor's cloud portal (that is what feeds the GUI discussed later), so drop it if scan data must not leave your environment; --enable-host-scan temporarily deploys a host-sensor DaemonSet on every node to collect node-level data needed by certain controls and removes it once the data has been collected.
kubescape scan --submit --enable-host-scan
The above command generates a self-explanatory table showing the security score for your cluster. Along with the score, the table shows metrics such as which controls are failing and how many resources fail each control. The output also contains a detailed explanation of why each control failed and what needs to change; that detailed output is omitted here to keep the post short. Last but not least is the GUI, which provides a great view of the cluster, RBAC, etc.
To list the supported frameworks:
kubescape list frameworks
Supported frameworks:
* armobest
* devopsbest
* mitre
* nsa
To scan only a specific framework:
kubescape scan framework nsa
#OR
kubescape scan framework mitre
#OR
kubescape scan framework DevOpsBest
#OR comma-separated
kubescape scan framework mitre,nsa
Running a single control is a convenient way to filter resources by one specific weakness.
Suppose you want to check the cluster for privileged pods. Here the string “Privileged container” is a control name. The full list of controls is published in the Kubescape documentation; explore it to make the most of this feature.
kubescape scan control "Privileged container"
Another example is a scan that finds the pods/containers with bash installed in them.
kubescape scan control "Bash/cmd inside container"
To scan the YAML files:
To scan a Kubernetes resource manifest file, pass it to the “kubescape scan” command. In the following example, a file called pod.yml is checked for misconfigurations against the same controls, which is the form you would run in CI before a manifest is applied to the cluster.
kubescape scan pod.yml
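The scan commands above (cluster, framework, control and manifest) produce a table meant for a human; a CI pipeline needs a pass/fail decision instead. The following script is an added example written for this post, not Kubescape's own code: it builds the scan command line without --submit, reads the JSON report written by --format json --output, and fails the build when any control at or above a chosen severity has failed resources. The report layout it assumes (summaryDetails.controls keyed by control ID, each with name, status, scoreFactor and ResourceCounters) and the scoreFactor-to-severity cut-offs (Critical >= 9, High >= 7, Medium >= 4) reflect Kubescape v2 reports as I recall them; verify both against a report from your own version. The embedded sample report and its control IDs are constructed for the example.

```python
"""CI gate over a Kubescape JSON report (added example; not Kubescape's own code).

Assumptions: the `scan ... --format json --output <file>` flags of the v2 CLI, and a
report where summaryDetails.controls maps control IDs to objects carrying `name`,
`status`, `scoreFactor` and `ResourceCounters`. Check both against a real report.
"""
import json
import shutil
import subprocess
import sys
from pathlib import Path
from typing import List, Sequence, Tuple

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report. Control IDs are placeholders, not Kubescape's real numbering.
SAMPLE_REPORT = {
    "summaryDetails": {
        "controls": {
            "C-9901": {"controlID": "C-9901", "name": "Privileged container", "status": "failed",
                       "scoreFactor": 8.0,
                       "ResourceCounters": {"passedResources": 5, "failedResources": 2}},
            "C-9902": {"controlID": "C-9902", "name": "Bash/cmd inside container", "status": "failed",
                       "scoreFactor": 1.0,
                       "ResourceCounters": {"passedResources": 0, "failedResources": 7}},
            "C-9903": {"controlID": "C-9903", "name": "Automatic mapping of service account",
                       "status": "passed", "scoreFactor": 3.0,
                       "ResourceCounters": {"passedResources": 7, "failedResources": 0}},
        }
    }
}


def build_scan_command(target_kind: str, target: str, out_path: str) -> List[str]:
    """argv for a framework, control or manifest-file scan that writes a JSON report.

    --submit is deliberately left out: it uploads results to the vendor's cloud portal,
    which a pipeline should only do by explicit choice.
    """
    if target_kind not in ("framework", "control", "file"):
        raise ValueError(f"unknown target kind {target_kind!r}")
    scope = [target] if target_kind == "file" else [target_kind, target]
    return ["kubescape", "scan", *scope, "--format", "json", "--output", out_path]


def severity_from_score_factor(factor: float) -> str:
    """Map a control's scoreFactor to the severity label (assumed v2 cut-offs)."""
    if factor >= 9:
        return "Critical"
    if factor >= 7:
        return "High"
    if factor >= 4:
        return "Medium"
    return "Low"


def failed_controls(report: dict, min_severity: str = "High") -> List[Tuple[str, str, str, int]]:
    """Failed controls at or above min_severity as (id, name, severity, failed resources)."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for control_id, ctl in report["summaryDetails"]["controls"].items():
        if ctl.get("status") != "failed":
            continue
        sev = severity_from_score_factor(float(ctl.get("scoreFactor", 0)))
        if SEVERITY_RANK[sev] < floor:
            continue
        failed = int(ctl.get("ResourceCounters", {}).get("failedResources", 0))
        hits.append((control_id, ctl.get("name", control_id), sev, failed))
    hits.sort(key=lambda h: (-SEVERITY_RANK[h[2]], h[0]))  # most severe first
    return hits


def gate(report: dict, min_severity: str = "High") -> Tuple[bool, List[str]]:
    """Pass/fail decision plus one human-readable reason per blocking control."""
    reasons = [f"{cid} {name} [{sev}] failed on {n} resource(s)"
               for cid, name, sev, n in failed_controls(report, min_severity)]
    return (not reasons, reasons)


def load_report(path: str) -> dict:
    return json.loads(Path(path).read_text())


def main(argv: Sequence[str]) -> int:
    """Usage: python3 kubescape_gate.py {framework|control|file} <target> [report.json]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    kind, target = argv[0], argv[1]
    out_path = argv[2] if len(argv) > 2 else "kubescape-results.json"
    if shutil.which("kubescape") is None:
        print("kubescape not on PATH; evaluating the embedded sample report", file=sys.stderr)
        report = SAMPLE_REPORT
    else:
        # check=False: kubescape's own exit code is not the gate; the report is.
        subprocess.run(build_scan_command(kind, target, out_path), check=False)
        report = load_report(out_path)
    ok, reasons = gate(report, min_severity="High")
    for line in reasons:
        print("BLOCKING:", line)
    print("gate:", "PASS" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 kubescape_gate.py framework nsa` (or `control "Privileged container"`, or `file pod.yml`) and use its exit status as the pipeline step result. The CLI also offers a score-based gate through its --fail-threshold flag; gating per control severity, as here, lets a single privileged container block a merge even when the overall score looks acceptable.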
Exploring the GUI:
You can also view image vulnerabilities from the GUI; several filters help you visualize the cluster better.
In the screenshot (not reproduced here), the pod called “mypod” in the default namespace shows many critical, high, medium, low, negligible, and unknown vulnerabilities.
Reference:
- https://github.com/armosec/kubescape