Kubescape is an open-source tool for testing if Kubernetes is deployed securely, as defined in the recently released Kubernetes Hardening Guidance by NSA and CISA.
About Kubernetes (“K8s”)
Kubernetes is an open-source platform for automating the deployment, scaling, and management of application containers across clusters of hosts.
“Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining,” the NSA noted when it released the aforementioned guide.
Kubescape is based on OPA (Open Policy Agent), an open-source policy engine that uses the popular rule language Rego. The tool retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by Israeli company ARMO.
Kubescape is easy to use, and the results can be printed to the terminal (see image above) or retrieved in JSON format. Either way they are easy to read and understand.
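To make the scanning model concrete, here is an added example (not Kubescape's own code and not ARMO's Rego rules) that walks through the same three steps the article describes: take Kubernetes objects in the shape the API server returns them, run a set of rules over them, and emit the findings either as terminal text or as JSON. The rules are written as plain Python functions instead of Rego so the example runs without OPA; the check names, the two sample Pods and the output schema are all constructed for illustration and do not correspond to Kubescape's real identifiers or report format.

```python
import json
from typing import Any, Callable

# Constructed sample objects, shaped like Pods read from the Kubernetes API.
# They are not from a real cluster; they exist so the example runs offline.
SAMPLE_PODS: list[dict[str, Any]] = [
    {
        "kind": "Pod",
        "metadata": {"name": "legacy-agent", "namespace": "default"},
        "spec": {
            "hostPID": True,
            "containers": [
                {"name": "app", "image": "example/app:1",
                 "securityContext": {"privileged": True}},
            ],
        },
    },
    {
        "kind": "Pod",
        "metadata": {"name": "web", "namespace": "prod"},
        "spec": {
            "containers": [
                {"name": "web", "image": "example/web:2",
                 "securityContext": {"runAsNonRoot": True,
                                     "readOnlyRootFilesystem": True,
                                     "privileged": False}},
            ],
        },
    },
]

Check = Callable[[dict[str, Any]], list[str]]


def _containers(pod: dict[str, Any]) -> list[dict[str, Any]]:
    return pod.get("spec", {}).get("containers", [])


def _sc(container: dict[str, Any]) -> dict[str, Any]:
    return container.get("securityContext") or {}


# Each check returns a list of human-readable findings; empty means "passed".
# The four checks mirror Pod-level items in the NSA/CISA hardening guidance
# (privileged containers, host namespaces, non-root, immutable root filesystem).
def check_privileged(pod: dict[str, Any]) -> list[str]:
    return [f"container {c['name']!r} runs privileged"
            for c in _containers(pod) if _sc(c).get("privileged") is True]


def check_host_namespaces(pod: dict[str, Any]) -> list[str]:
    return [f"pod sets {flag}=true"
            for flag in ("hostPID", "hostIPC", "hostNetwork")
            if pod.get("spec", {}).get(flag) is True]


def check_run_as_non_root(pod: dict[str, Any]) -> list[str]:
    pod_level = (pod.get("spec", {}).get("securityContext") or {}).get("runAsNonRoot")
    return [f"container {c['name']!r} does not enforce runAsNonRoot"
            for c in _containers(pod)
            if not (_sc(c).get("runAsNonRoot") or pod_level)]


def check_read_only_root_fs(pod: dict[str, Any]) -> list[str]:
    return [f"container {c['name']!r} has a writable root filesystem"
            for c in _containers(pod)
            if _sc(c).get("readOnlyRootFilesystem") is not True]


# Hypothetical check identifiers; Kubescape's real control names differ.
CHECKS: dict[str, Check] = {
    "privileged-container": check_privileged,
    "host-namespaces": check_host_namespaces,
    "non-root-containers": check_run_as_non_root,
    "immutable-container-filesystem": check_read_only_root_fs,
}


def scan(objects: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run every check against every Pod and return one result per pair."""
    results = []
    for obj in objects:
        if obj.get("kind") != "Pod":
            continue
        name = f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"
        for check_id, fn in CHECKS.items():
            findings = fn(obj)
            results.append({"resource": name, "check": check_id,
                            "status": "failed" if findings else "passed",
                            "findings": findings})
    return results


def summarize(results: list[dict[str, Any]]) -> dict[str, int]:
    failed = sum(1 for r in results if r["status"] == "failed")
    return {"total": len(results), "failed": failed, "passed": len(results) - failed}


def render_text(results: list[dict[str, Any]]) -> str:
    """Terminal-style view: one line per failed check, then a summary."""
    lines = [f"[FAIL] {r['resource']} {r['check']}: {'; '.join(r['findings'])}"
             for r in results if r["status"] == "failed"]
    s = summarize(results)
    lines.append(f"{s['failed']} of {s['total']} checks failed")
    return "\n".join(lines)


if __name__ == "__main__":
    res = scan(SAMPLE_PODS)
    print(render_text(res))
    print(json.dumps({"summary": summarize(res), "results": res}, indent=2))
```

The deliberately weak first Pod fails all four checks while the hardened one passes them all, which shows why a rule engine over live API objects is useful: every check is a pure function of the object, so adding a rule is a matter of adding one more function (or, in Kubescape's case, one more Rego snippet) to the table.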
Ben Hirschberg, VP of R&D at ARMO, says that when the NSA and CISA published their guidance, the company saw that the proposed approach was very similar to the best practices it already offers its customers.
So, they decided to open-source part of their technology and contribute it to the community as an out-of-the-box tool that validates a cluster's posture against the Kubernetes Hardening Guidance.
“We decided to use OPA so the users can easily extend the tools with their own tests. We are currently running only the tests that are related to NSA and CISA recommendations and we focus on the most critical ones,” he told Help Net Security.
Plans for the future
The company is currently working on adding capabilities to connect Kubescape to CI/CD tools and to scan Helm charts and plain YAML manifests.
“We are also planning to add more tests related to other benchmarks like CIS, MITRE, PCI, and others soon,” Hirschberg noted.
Jonathan Kaftzan, VP Marketing & Business Development, ARMO, says their hope is to see Kubescape become a well-known and widely used tool by the DevOps and Kubernetes community.
“Our vision is to help the community with a simple but useful tool for scanning Kubernetes clusters to find security issues. We want to add more features like finding weak secrets and scanning containers for problems in the future,” he said.
“We welcome the community feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.”