Kubernetes hardening using Kubescape

Lachlan Evenson
Sep 11, 2021


A friend of mine recommended that I should take a look at Kubescape as we were chatting about Kubernetes cluster hardening. Kubescape is an open source tool that codifies the Kubernetes hardening guidance published by the NSA and CISA. I will detail my journey of discovery using Kubescape in the hope that it helps you achieve higher security baselines for your Kubernetes clusters.


Installation

Kubescape is a binary that you download and execute. They have the install setup process defined here; however, I'm not a fan of curl-to-pipe commands, and instead went to the releases section, downloaded the appropriate binary for my platform and placed it in my path. From my shell I could then test that the installation of the binary was successful by running the following command.

$ kubescape -h
Kubescape is a tool for testing Kubernetes security posture based on NSA specifications.

Usage:
  kubescape [command]

Available Commands:
  completion  generate the autocompletion script for the specified shell
  download    Download framework controls
  help        Help about any command
  scan        Scan the current running cluster or yaml files

Flags:
  -h, --help  help for kubescape

Use "kubescape [command] --help" for more information about a command.

Running Kubescape

There are two main ways to run Kubescape. You can either scan a running Kubernetes cluster OR scan a location containing Kubernetes resource manifests. The output of the tool is pass/fail/warning guidance on whether or not your Kubernetes resources comply with the hardening guidance. Let's try running Kubescape against a running cluster, using the following command. It assumes that you have a kubeconfig file in the default location. The command scans all the resources in all namespaces EXCEPT those excluded by the --exclude-namespaces flag.

$ kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
ARMO security scanner starting
[progress] Downloading/Loading framework definitions
[success] Downloaded/Loaded framework
[progress] Accessing Kubernetes objects
W0910 21:29:44.139597 38285 warnings.go:70] batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
[success] Accessed successfully to Kubernetes objects, let’s start!!!
[progress] Scanning cluster
◑ [success] Done scanning cluster
[control: Allow privilege escalation] passed 👍
Description: Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Summary - Passed:8 Warning:0 Failed:0 Total:8
[control: Allowed hostPath] failed 😥
Description: Mounting host directory to the container can be abused to get access to sensitive data and gain persistence on the host machine.
Namespace security-profiles-operator
DaemonSet - spod
...

From the output above you can see the scan start, followed by the output of each individual test (control) that is run. For each test, the output lists the resources that do not comply with that specific policy. I have intentionally trimmed the output above because it's quite long. I will dig into some individual sections below. Let's take a look at the scan summary, which is at the end of the scan output. It shows all the tests that have been run and the outcome of each.

Let’s also take a look at the output from a specific test.

You can see that for the test named Automatic mapping of service account, 12 resources failed. You can also see the names of the resources that aren't compliant. The same result is also present in the summary table above.

You can also run Kubescape against Kubernetes manifests, which is a great way to stop violations before the resources are deployed to a Kubernetes cluster. The output is identical to that of scanning a running cluster, as seen above. Here is an example command:

$ kubescape scan framework nsa nginx.yaml

You can also run it against a directory, URL, or wildcard filenames.
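To make the manifest scan concrete, here is a constructed nginx.yaml (an added example, not from the original post or the Kubescape project) containing two Pods: the first trips the three controls shown in the scan output above (Allow privilege escalation, Allowed hostPath, Automatic mapping of service account), the second is the same Pod with those settings corrected.

```yaml
# nginx.yaml: constructed example for "kubescape scan framework nsa nginx.yaml".
# Document 1: a Pod that fails three of the NSA framework controls seen above.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-weak
spec:
  # automountServiceAccountToken is left at its default (true), so the API
  # token is mounted into the container: "Automatic mapping of service account".
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      allowPrivilegeEscalation: true   # "Allow privilege escalation"
    volumeMounts:
    - name: host-root
      mountPath: /host
  volumes:
  - name: host-root
    hostPath:                          # "Allowed hostPath"
      path: /
---
# Document 2: the same Pod, hardened so the three controls pass.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-hardened
spec:
  automountServiceAccountToken: false  # no API token mounted into the Pod
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      allowPrivilegeEscalation: false  # setuid binaries cannot gain privilege
    volumeMounts:
    - name: cache
      mountPath: /var/cache/nginx
  volumes:
  - name: cache
    emptyDir: {}                       # Pod-scoped scratch space instead of the host filesystem
```

Scanning this file with the command above reports nginx-weak under each of the three controls and nginx-hardened under none of them, which is the signal to fix the manifest before it ever reaches a cluster.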

Summary

Kubescape is an easy way to determine if Kubernetes resources meet the guidelines provided in the NSA and CISA Kubernetes hardening guide. Using tools like this makes it easy to improve the overall security posture of the workloads running on your Kubernetes clusters and I hope to see many new frameworks being integrated into tools like Kubescape.
