Eliminate Kubernetes Cluster Insecurities with Kubescape

Updated on November 21, 2023

Security is a crucial concern for any organization that stores confidential data or services. With the rise of cloud computing, DevOps, and other digital transformation initiatives, security has increasingly become a primary focus for IT departments. Enterprises that adopt Kubernetes to power their container-based deployment strategies must also think about how to protect sensitive data and services within their Kubernetes clusters.

Kubernetes is an open-source cluster management software designed to automate the process of deploying and scaling containerized applications in any environment. As an industry standard for managing containers across multiple nodes, Kubernetes has gained traction among many IT teams that are looking for a more efficient way to deploy and manage containers across different environments. However, this adoption comes with its own set of challenges when it comes to cybersecurity.

To keep up with ever-evolving cyberattack mitigation measures, it is important to employ Kubernetes security tools such as Kubescape, a free and open-source security tool developed by ARMO. It scans Kubernetes cluster components and remote repositories. After scanning your cluster, Kubescape outputs a detailed report that includes documentation for each detected vulnerability and the configuration properties you need to change to eliminate it.

Here are examples of the remediations Kubescape will give you. They vary depending on the detected vulnerability.

  • Disable anonymous access to Kubelet service.
  • Enforce Kubelet client TLS authentication.
  • Applications credentials in configuration files.
  • Apply Security context to your Pods and containers.
  • Ensure that encryption providers are appropriately configured.
  • Ensure that the --anonymous-auth argument is set to false.
  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate.

In this article, you will learn how to install Kubescape on Linux and scan Kubernetes clusters, GitHub repositories, and YAML files.

Prerequisites

To complete this tutorial successfully, you need the following tools and platforms:

How to Install Kubescape on Linux

The Kubescape CLI can be downloaded for Windows, macOS, and Linux. This tutorial covers installation for Linux only.

  1. Enter the following commands to install the Kubescape CLI on Linux using Homebrew (the first adds the ARMO tap, the second installs the formula from it):

     $ brew tap armosec/kubescape
     $ brew install kubescape
  2. Use the following command to check the version of Kubescape you just installed:

     $ kubescape version
  3. Use the following command to update Kubescape later on:

     $ kubescape update
  4. Use the following command to list all Kubescape commands and their descriptions in case you get stuck when using Kubescape for the first time:

     $ kubescape --help

How to Analyze Kubescape Results

Before using Kubescape it is important to learn how to analyze the Kubescape scan results. Here is a comprehensive guide on analyzing Kubescape scan results.

The Kubescape scan report will have the following fields:

Control: This field names the control being checked against the scanned resource component.

Severity score: Kubescape divides vulnerability severities into four categories:

  1. Critical
  2. High
  3. Medium
  4. Low

These categories alert you to how detrimental the detected vulnerability is. Vulnerabilities rated high or critical have to be solved immediately, as they pose a serious danger.

Docs: Kubescape has extensive documentation on every detected vulnerability. This field gives you the documentation link for the vulnerability, where you will find more details about it.

Remedy: This field suggests solutions you can implement to eliminate the detected vulnerability. If your containers have been given escalated privileges, Kubescape will tell you to remove the privileges. It can also go as deep as telling you which properties and arguments you should set to fix the issue.

At the bottom of the scan report table, you will see the scan results summary. The summary gives you the cluster or resource risk score, along with a risk score for each of the security frameworks Kubescape applies:

  1. DevOpsBest (risk: 8.91)
  2. ArmoBest (risk: 5.53)
  3. MITRE (risk: 1.99)
  4. CIS (risk: 9.18)
  5. NSA (risk: 6.76)
  6. AllControls (risk: 4.72)

How to Scan Your Cluster Using Kubescape

Kubernetes is vulnerable to a number of different kinds of attacks: Attackers can pose as administrators to gain access to privileged accounts. Attackers can exploit vulnerabilities in underlying components to gain access to sensitive data or disrupt services. Attackers can use misconfigured versions of Kubernetes to launch malicious attacks against other systems. To better protect your systems against these kinds of attacks, it is important to scan your cluster regularly using Kubescape to detect underlying vulnerabilities.

Use the following command to scan your cluster:

    $ kubescape scan --submit --enable-host-scan --format-version v2 --verbose

The Kubescape scan will output many detected vulnerabilities. Here is an example of detected security issues:

    +----------+--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
    | SEVERITY |          CONTROL NAME          |                 DOCS                  |                          ASSISTANT REMEDIATION                          |
    +----------+--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
    | High     | Apply Security Context to Your | https://hub.armosec.io/docs/cis-5.7.3 | spec.containers[0].securityContext.readOnlyRootFilesystem=true          |
    |          | Pods and Containers            |                                       | spec.containers[0].securityContext.runAsNonRoot=true                    |
    |          |                                |                                       | spec.containers[0].securityContext.allowPrivilegeEscalation=false       |
    |          |                                |                                       | spec.containers[0].securityContext.capabilities.drop=NET_RAW            |
    |          |                                |                                       | spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE            |
    +----------+--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
    | Medium   | Ensure that Service Account    | https://hub.armosec.io/docs/cis-5.1.6 | spec.automountServiceAccountToken=false                                 |
    |          | Tokens are only mounted where  |                                       |                                                                         |
    |          | necessary                      |                                       |                                                                         |
    +          +--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
    |          | Ensure that the                | https://hub.armosec.io/docs/cis-1.3.1 | spec.containers[0].command[18]                                          |
    |          | Controller Manager             |                                       | spec.containers[0].command[18]=--terminated-pod-gc-threshold=YOUR_VALUE |
    |          | --terminated-pod-gc-threshold  |                                       |                                                                         |
    |          | argument is set as appropriate |                                       |                                                                         |
    +----------+--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
    | Low      | Ensure that the Controller     | https://hub.armosec.io/docs/cis-1.3.2 | spec.containers[0].command[18]=--profiling=false                        |
    |          | Manager --profiling argument   |                                       |                                                                         |
    |          | is set to false                |                                       |                                                                         |
    +----------+--------------------------------+---------------------------------------+-------------------------------------------------------------------------+
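The High finding in the report above is fixed by adding the listed securityContext fields to the Pod spec. The following script, added here as an example and not taken from the article or from the Kubescape project, puts a constructed insecure Pod manifest beside its hardened form and runs a small local pre-check that reports which of the remediation settings a manifest still lacks. The manifests, the check logic and the nginx image tag are assumptions for illustration; the check does flat text matching, so it is a lint for your own YAML before the scan, not a substitute for Kubescape.

```sh
#!/bin/sh
# Added example (not from the article or from the Kubescape project): a local
# pre-check for the securityContext settings that the CIS-5.7.3 remediation
# column asks for. It does flat text matching on a single-container Pod
# manifest, so treat it as a lint for your own YAML, not a replacement for the
# Kubescape scan itself.

# Settings taken from the ASSISTANT REMEDIATION column of the sample report.
REQUIRED_SETTINGS='readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false'

# Constructed sample: a Pod that fails the control (no securityContext at all).
INSECURE_POD='apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
  - name: web
    image: nginx:1.25'

# The same Pod with the remediation applied (and the CIS-5.1.6 token fix too).
HARDENED_POD='apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  automountServiceAccountToken: false
  containers:
  - name: web
    image: nginx:1.25
    securityContext:
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - NET_RAW'

# missing_settings MANIFEST_TEXT
# Prints one line per remediation setting the manifest lacks; prints nothing
# when the manifest carries all of them.
missing_settings() {
  _m="$1"
  printf '%s\n' "$REQUIRED_SETTINGS" | while IFS= read -r setting; do
    if ! printf '%s\n' "$_m" | grep -q -F -- "$setting"; then
      printf '%s\n' "$setting"
    fi
  done
  # NET_RAW has to appear as a dropped capability, i.e. as a "- NET_RAW" list item.
  if ! printf '%s\n' "$_m" | grep -q -E '^[[:space:]]*-[[:space:]]*NET_RAW[[:space:]]*$'; then
    printf 'capabilities.drop: NET_RAW\n'
  fi
}

# count_missing MANIFEST_TEXT -> number of missing settings (0 means compliant)
count_missing() {
  missing_settings "$1" | awk 'END { print NR }'
}

echo "insecure manifest: $(count_missing "$INSECURE_POD") missing setting(s)"
missing_settings "$INSECURE_POD" | sed 's/^/  - /'
echo "hardened manifest: $(count_missing "$HARDENED_POD") missing setting(s)"
```

The insecure manifest reports all four settings missing, the hardened one none. Note that `seLinuxOptions=YOUR_VALUE` from the report is deliberately left out of the check: it has no single correct value, so it belongs in a per-environment policy rather than a generic lint.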

If you want Kubescape to release the scan results in PDF format, use the following command that adds the --output and --format pdf flags:

    $ kubescape scan --format pdf --output [enter name of file here].pdf

How to Scan Your Repository Using Kubescape

When you manage your source code in a central repository, you benefit from greater visibility and control of the changes in the code. However, these benefits come with risks. If a malicious user gains access to your repository, they can upload malicious code that will be propagated to all developers. Also, if your users don't use secure credentials for accessing the repository, they might make it accessible to unauthorized third parties.

Codebases are widely hosted in GitHub repositories to facilitate teamwork and collaboration. But, many security issues arise when working with many people on an open-source project, such as sprawling secrets. Kubescape also scans your local and remote repositories. You will need the repository link if your repository is hosted on GitHub.

Use the following command to scan your repository hosted on GitHub:

    $ kubescape scan [enter GitHub repository link here] --submit

After scanning your repositories with Kubescape, keep them up to date. Your source code repositories are likely to be among your most valuable digital assets, so apply security updates to the tooling around them regularly. Source code hosting platforms often provide built-in functionality for automatically applying security updates; installing updates regularly ensures you have the latest security patches for your software.

Scanning Helm Charts

If your cluster or repository has a Helm chart installed, Kubescape will include it in the cluster or repository scan process. The vulnerability detected in the Helm chart will be displayed in the vulnerability scan report. You do not have to scan the Helm chart individually.

Scanning YAML Configuration Files

When deploying code to production, it is essential to reduce the risk of introducing errors and make it as easy as possible for developers to read and understand their code. YAML files are a common way of storing system configuration data. While they are straightforward to read as human-readable text, they can contain misconfigurations.

They also pose security risks if anyone can see critical data. To avoid these risks and make your deployment process easier, you should implement YAML file security best practices in your project from the get-go.

Kubescape improves YAML configuration quality by scanning the files for vulnerabilities. Use the following command to scan a YAML configuration file:

    $ kubescape scan first-deployment.yaml

Don't store passwords or secret data in YAML files. YAML files are not encrypted, so it is easy to read their contents as plain text. This makes them inappropriate for storing sensitive information like passwords or keys. Use secrets encrypting tools like Sealed Secrets to help you store sensitive information.

Detecting Privileged Containers Using Kubescape

Only some users have to be given root access; the same goes for containers. Docker containers are implemented on top of the Docker engine, which is run by the host machine and must be protected at all costs. Root or privileged containers have access to the host machine, unlike an ordinary container with limited access to the host machine. A privileged container is harmless on its own. The problem arises when unauthorized personnel and hackers take advantage of its unlimited access to the host machine.

When hackers have access to the host machine, the attack surface gets bigger. Hackers can steal secrets stored on the host machine and take down servers if they exploit host machine vulnerabilities. Privileged containers can also bypass security tests. That's how detrimental privileged containers can be if exploited by hackers.

Privileged containers are used when direct access to the host machine is needed for tasks such as mounting an S3 bucket inside a pod via FUSE or sharing host directories. However, privileged containers are a bad idea and must be discouraged at all costs. Not using privileged containers won't stop an attacker from exploiting container vulnerabilities. Still, it will reduce the attack surface, as the hacker won't have access to the host machine during a security breach.

With Kubescape, you can use the following command to scan your cluster to detect privileged containers:

    $ kubescape scan control "Privileged container" --format pdf --output privcontainer.pdf

Docker also has a command you can use to check whether a specific container is privileged. Use the following command, which needs your container ID:

    $ docker inspect --format='{{.HostConfig.Privileged}}' [enter your container ID here]

The above command outputs true if the container is privileged and false if it is not.
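Inspecting containers one ID at a time does not scale to a cluster. As an added example (not from the article or from Kubescape), the script below gets the same privileged flag for every container in one kubectl query and lists the Pods that have at least one privileged container, which is a handy manual cross-check against the "Privileged container" control. The pod names, namespaces and flag values in the sample are constructed so the script runs offline; on a real cluster the input comes from the kubectl command quoted in the comment.

```sh
#!/bin/sh
# Added example, not part of the article: find every Pod that has at least one
# privileged container from a single kubectl query, instead of running
# docker inspect once per container ID. The input lines are constructed here
# so the script runs offline; on a real cluster they come from:
#
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.securityContext.privileged}{" "}{end}{"\n"}{end}'
#
# That prints, per Pod: namespace, tab, name, tab, then one privileged flag per
# container ("true", "false", or empty when the field is not set).

# Constructed sample standing in for the kubectl output (two privileged Pods).
SAMPLE_POD_LIST=$(printf 'kube-system\tkube-proxy-7xk2q\ttrue \ndefault\tweb-6f9c\t \nmonitoring\tnode-exporter-a1b2\ttrue false \ndefault\tapi-5d2e\tfalse ')

# privileged_pods < POD_LIST
# Prints "namespace/pod" once for each Pod with a privileged container.
privileged_pods() {
  awk -F'\t' '{
    n = split($3, flags, " ")
    for (i = 1; i <= n; i++) {
      if (flags[i] == "true") { print $1 "/" $2; break }
    }
  }'
}

# count_privileged < POD_LIST -> number of such Pods
count_privileged() {
  privileged_pods | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_POD_LIST" | privileged_pods
echo "privileged pods: $(printf '%s\n' "$SAMPLE_POD_LIST" | count_privileged)"
```

Pipe the real kubectl output into `privileged_pods` to get the list for your cluster. Some results, such as kube-proxy here, are expected system components; the value of the check is in reviewing anything outside that known set.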

Kubescape and Automation

Kubernetes has many distributed components that have to be monitored, such as:

  1. Pods
  2. Deployments
  3. Nodes
  4. Control plane
  5. API server
  6. Scheduler
  7. Kubelet
  8. Kube-proxy
  9. Services
  10. Etcd
  11. ConfigMap

The extensive Kubernetes architecture calls for more definitive security strategies and measures. This is where automation has to be used fully to close the gaps left by developers. Security automation is the strongest protection your Kubernetes environment and CI/CD pipelines can get: humans make mistakes and have to sleep, while automation applies the same checks every time and monitors your infrastructure around the clock. A well-configured automation system will do you wonders.

Kubescape can be integrated with the following CI/CD pipeline tools and platforms to improve security automation:

Kubescape will educate you on vulnerabilities you have never heard of through its documentation. Kubescape will keep you up to date regarding the security and health of your cluster.
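Whatever CI/CD platform runs the scan, the automation needs a rule for when to stop the pipeline. The script below is an added example, not from the article or from the Kubescape project: it reads the results table Kubescape prints (the format shown in the cluster-scan section), counts failed controls per severity, and fails the step when any Critical or High control failed. The sample table is the article's own output trimmed to one remediation line per control; the parsing logic and the gate threshold are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the article or the Kubescape project: a pipeline gate
# that reads the human-readable results table Kubescape prints and fails the
# job when any Critical or High control failed. Kubescape's --format json
# output is the sturdier input for CI; this parses the table because that is
# what the article displays.

# Sample table, taken from the article's scan output and trimmed to one
# remediation line per control. Note the merged SEVERITY cell: the second
# Medium control has an empty first column, so the parser carries the last
# severity forward and counts controls by their DOCS link.
SAMPLE_TABLE='+----------+--------------------------------+---------------------------------------+------------------------------------------------------+
| SEVERITY |          CONTROL NAME          |                 DOCS                  |                ASSISTANT REMEDIATION                 |
+----------+--------------------------------+---------------------------------------+------------------------------------------------------+
| High     | Apply Security Context to Your | https://hub.armosec.io/docs/cis-5.7.3 | spec.containers[0].securityContext.runAsNonRoot=true |
|          | Pods and Containers            |                                       |                                                      |
+----------+--------------------------------+---------------------------------------+------------------------------------------------------+
| Medium   | Ensure that Service Account    | https://hub.armosec.io/docs/cis-5.1.6 | spec.automountServiceAccountToken=false              |
|          | Tokens are only mounted where  |                                       |                                                      |
+          +--------------------------------+---------------------------------------+------------------------------------------------------+
|          | Ensure that the                | https://hub.armosec.io/docs/cis-1.3.1 | spec.containers[0].command[18]                       |
|          | Controller Manager             |                                       |                                                      |
+----------+--------------------------------+---------------------------------------+------------------------------------------------------+
| Low      | Ensure that the Controller     | https://hub.armosec.io/docs/cis-1.3.2 | spec.containers[0].command[18]=--profiling=false     |
+----------+--------------------------------+---------------------------------------+------------------------------------------------------+'

# count_by_severity < TABLE -> "Severity count" lines, sorted by severity name
count_by_severity() {
  awk -F'|' '
    {
      sev = $2; gsub(/^[ \t]+|[ \t]+$/, "", sev)
      if (sev != "") last = sev                   # carry merged severity cells forward
      docs = $4; gsub(/^[ \t]+|[ \t]+$/, "", docs)
      if (docs ~ /^https?:\/\//) count[last]++    # one DOCS link per failed control
    }
    END { for (s in count) print s, count[s] }' | sort
}

# blocking_findings < TABLE -> number of failed Critical or High controls
blocking_findings() {
  count_by_severity | awk '$1 == "Critical" || $1 == "High" { n += $2 } END { print n + 0 }'
}

# gate < TABLE : returns 1 (fails the pipeline step) on any Critical/High finding
gate() {
  n=$(blocking_findings)
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n Critical/High control(s) failed" >&2
    return 1
  fi
  echo "PASS: no Critical/High controls failed"
}

printf '%s\n' "$SAMPLE_TABLE" | count_by_severity
printf '%s\n' "$SAMPLE_TABLE" | gate || echo "(a CI job would stop here)"
```

In a pipeline step this becomes `kubescape scan --verbose | tee scan.txt` followed by `gate < scan.txt`, so the full report is kept as an artifact while the exit code decides whether the deploy proceeds. Kubescape also offers a `--fail-threshold` flag for a percentage-based cut-off; the per-severity gate here is stricter about the findings that matter most.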

Learn More

To learn more about Kubescape, see the project documentation.