{"id":354515,"date":"2021-10-18T14:37:55","date_gmt":"2021-10-18T11:37:55","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-scan-for-kubernetes-vulnerabilities-with-kubescape-cloudsavvy-it\/"},"modified":"2021-10-18T14:37:55","modified_gmt":"2021-10-18T11:37:55","slug":"how-to-scan-for-kubernetes-vulnerabilities-with-kubescape-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-scan-for-kubernetes-vulnerabilities-with-kubescape-cloudsavvy-it\/","title":{"rendered":"#How to Scan for Kubernetes Vulnerabilities With Kubescape \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Scan for Kubernetes Vulnerabilities With Kubescape \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure 
style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14301\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/20a0e4c6.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/20a0e4c6.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/20a0e4c6.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Photo of a magnifying glass in front of the Kubernetes logo on a computer screenPhoto of a magnifying glass in front of the Kubernetes logo on a computer screen\" width=\"1200\" height=\"675\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/montreal-canada-march-08-2020-kubernetes-1698251776\">dennizn\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Kubescape is a new <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.armosec.io\/armo-kubescape\">open-source tool<\/a> from ARMO which lets you automate Kubernetes cluster scans to identify security issues. Kubescape audits your cluster against the hardening recommendations published by the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nsa.gov\/News-Features\/Feature-Stories\/Article-View\/Article\/2716980\/nsa-cisa-release-kubernetes-hardening-guidance\">NSA and CISA<\/a>.<\/p>\n<p>Here\u2019s how to install Kubescape and get started scanning your cluster. 
Regular scans could help you resolve issues before they\u2019re exploited by attackers.<\/p>\n<h2 id=\"downloading-kubescape\"><span class=\"ez-toc-section\" id=\"Downloading_Kubescape\"><\/span>Downloading Kubescape<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape is currently distributed as a pre-built binary for Windows, macOS and Ubuntu. You can download it directly from the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/armosec\/kubescape\/releases\">project\u2019s GitHub releases page<\/a>.<\/p>\n<p>There\u2019s also an automated install script that you can paste into your terminal. This will fetch the correct binary for your system and add it to your path. As with any installer piped straight into a shell, you can download the script first and read it before running it.<\/p>\n<pre>curl -s https:\/\/raw.githubusercontent.com\/armosec\/kubescape\/master\/install.sh | \/bin\/bash<\/pre>\n<p>Try running <code>kubescape<\/code> to check that the installation is complete. You\u2019ll see a synopsis of the available commands.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14315\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/2dddfdcc.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1277\" height=\"708\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<h2 id=\"scanning-your-cluster\"><span class=\"ez-toc-section\" id=\"Scanning_Your_Cluster\"><\/span>Scanning Your Cluster<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape connects to your cluster using standard kubectl config files. 
Set the <code>KUBECONFIG<\/code> environment variable in your shell to reference the config file for the cluster you want to scan:<\/p>\n<pre>export KUBECONFIG=.kube\/my-cluster.yaml<\/pre>\n<p>Kubescape will complain that it \u201cfailed to load Kubernetes config\u201d if this variable\u2019s not set or the specified file is invalid. Update the <code>KUBECONFIG<\/code> variable each time you execute Kubescape if you want to scan multiple clusters.<\/p>\n<p>Scans are initiated with the <code>scan<\/code> command. You need to indicate the hardening framework you want to scan against. Currently <code>nsa<\/code> is the only supported option.<\/p>\n<pre>kubescape scan framework nsa --exclude-namespaces kube-system,kube-public<\/pre>\n<p>Kubescape will scan all the resources in your cluster, except for resources in namespaces omitted by the <code>--exclude-namespaces<\/code> flag. It\u2019s recommended you list the built-in Kubernetes namespaces here as you won\u2019t be able to address any issues which are found.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14314\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/38e395b3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1797\" height=\"708\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Your first Kubescape scan might take some time as the tool needs to download its framework definitions. These define the tests your cluster is scored against. 
Once the scan\u2019s complete, you\u2019ll see colorized output in your terminal that details any discovered issues.<\/p>\n<h2 id=\"scan-results\"><span class=\"ez-toc-section\" id=\"Scan_Results\"><\/span>Scan Results<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Each failed test produces its own section of output with a list of the suspect resources, a description of the problem, and a remediation hint. A table at the bottom of the report provides a summary of all the executed tests, the number of resources that failed them, and the overall success percentage.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14313\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/0ce3161e.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1277\" height=\"708\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Kubescape checks over 20 possible weaknesses based on the NSA-identified list. The <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nsa.gov\/News-Features\/Feature-Stories\/Article-View\/Article\/2716980\/nsa-cisa-release-kubernetes-hardening-guidance\">NSA\u2019s report<\/a> provides a description of the covered issues and the rationale for their inclusion. 
Some of the key problems which Kubescape checks for include:<\/p>\n<ul>\n<li>Privilege escalation opportunities<\/li>\n<li>Containers running in privileged mode<\/li>\n<li>Containers running with dangerous capabilities<\/li>\n<li>Exposed Kubernetes Dashboard<\/li>\n<li>Containers running as <code>root<\/code><\/li>\n<li>Credentials contained in configuration files<\/li>\n<li>Incorrectly secured control plane<\/li>\n<\/ul>\n<p>Running Kubescape lets you check your cluster\u2019s health against the current best practice guidelines, giving you more confidence that you\u2019re not putting your data and workloads at risk.<\/p>\n<h2 id=\"scanning-manifest-files\"><span class=\"ez-toc-section\" id=\"Scanning_Manifest_Files\"><\/span>Scanning Manifest Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape can work without a cluster connection. You can scan resource manifests stored as local YAML files, letting you check their security before you apply them to your cluster. Add an extra argument after the framework name to specify the files you want to scan:<\/p>\n<pre>kubescape scan framework nsa k8s\/*.yaml<\/pre>\n<p>You can use a URL as the file path to scan files stored remotely, such as in a Git repository.<\/p>\n<p>It\u2019s best to use the default cluster scanning mode when you\u2019re conducting a comprehensive security audit. Manifest scans are ideally incorporated into CI pipelines. Used in this way, you can avoid unintentionally introducing new vulnerabilities as you update your resources and roll them out to your cluster.<\/p>\n<h2 id=\"offline-scans\"><span class=\"ez-toc-section\" id=\"Offline_Scans\"><\/span>Offline Scans<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape is designed for online use as it needs to download the framework definitions before it can complete a scan. You can manually save the framework though to facilitate offline scans. 
Update the saved file periodically so your offline scans don\u2019t run against outdated definitions.<\/p>\n<p>Download the NSA framework file:<\/p>\n<pre>kubescape download framework nsa --output nsa.json<\/pre>\n<p>Now scan your cluster using the downloaded file:<\/p>\n<pre>kubescape scan framework nsa --use-from nsa.json<\/pre>\n<p>The <code>--use-from<\/code> flag instructs Kubescape to load framework definitions from the specified file. There\u2019s also <code>--use-default<\/code> which will try to use the locally cached file in the default location when it\u2019s available. Kubescape falls back to downloading the latest definitions from the server when no file is found.<\/p>\n<h2 id=\"output-formats\"><span class=\"ez-toc-section\" id=\"Output_Formats\"><\/span>Output Formats<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape outputs to your terminal by default but can also produce reports in JSON or JUnit format. Add the <code>-f<\/code> flag to specify your desired format:<\/p>\n<pre>kubescape scan framework nsa -f json\nkubescape scan framework nsa -f junit<\/pre>\n<p>The latter option emits an XML file which can be consumed by test report tools that work with the JUnit format. This lets you feed Kubescape scans into your existing test reporting solutions for visualization and aggregation.<\/p>\n<p>Output is emitted to your terminal\u2019s standard output stream irrespective of the report format you specify. Add the <code>-o<\/code> flag to supply a file path to save to:<\/p>\n<pre>kubescape scan framework nsa -f json -o report.json<\/pre>\n<p>Kubescape\u2019s usual progress messages can be disabled with the <code>-s<\/code> flag. 
This is helpful in CI scenarios where you don\u2019t want to pollute job logs with progress-bar output.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubescape lets you assess the security of your Kubernetes clusters against the guidelines published by the NSA. The simple open-source tool provides a single command to benchmark your environment against over 20 key checks.<\/p>\n<p>Kubescape doesn\u2019t check for vulnerabilities inside the containers you run in your cluster. You\u2019ll need another tool such as <code>docker scan<\/code> or Trivy to do that. Running a container scanning engine alongside Kubescape gives you the most complete picture of your environment\u2019s security posture.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" 
href=\"https:\/\/www.cloudsavvyit.com\/14299\/how-to-scan-for-kubernetes-vulnerabilities-with-kubescape\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Scan for Kubernetes Vulnerabilities With Kubescape \u2013 CloudSavvy IT&#8221; dennizn\/Shutterstock.com Kubescape is a new open-source tool from ARMO which lets you automate Kubernetes cluster scans to identify security issues. Kubescape audits your cluster against the hardening recommendations published by the NSA and CISA. Here\u2019s how to install Kubescape and get started scanning your&#8230;<\/p>\n","protected":false},"author":1,"featured_media":354516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/20a0e4c6.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-354515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/354515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=354515"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/354515\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/354516"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=354515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/b
uradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=354515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=354515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}