How to Scan Kubernetes Resources Using Kubescape

In the previous article we covered the basics of Kubernetes and Kubescape, and how to install Kubescape in different environments. In this post we will see how to scan Kubernetes resources with Kubescape to help secure the cluster.

What is Kubescape?

Kubescape is an open-source Kubernetes security tool that provides a single pane of glass for the cluster, including risk analysis, security compliance checks, an RBAC visualizer, and image vulnerability scanning.

How to Scan Kubernetes Cluster Using Kubescape

Security compliance standards are sets of rules, guidelines, and procedures that show developers, DevOps and SREs how to protect their clusters and production environments. Kubescape checks the cluster against security frameworks such as MITRE ATT&CK and the National Security Agency (NSA) Kubernetes hardening guidance to find security risks and misconfigurations in your cluster. MITRE ATT&CK is used to describe attacker techniques and model threats, while the NSA guidance is a list of recommendations on how to secure a cluster.

In this section we will look at the options available for scanning a Kubernetes cluster and its resources with Kubescape. To list the supported options, use the help command below. If you have not installed Kubescape yet, refer to the previous article for installation steps in your environment.

# kubescape -h

You can also get detailed information on each command by adding the -h flag.

# kubescape scan -h

The kubescape scan command scans every Kubernetes object in your cluster, including resources installed from Helm charts. The flags used below are:

  • --submit: sends the scan results to the ARMO management portal (the hosted Kubescape service). This sends details of your cluster configuration to an external service, so check that this is acceptable for the environment you are scanning.
  • --enable-host-scan: deploys the ARMO K8s host-sensor DaemonSet, which collects information from the nodes themselves (for example kubelet and OS-level configuration) that is not visible through the API server. It needs elevated access on every node, so review it like any other privileged workload before enabling it in production.
  • --format-version v2: selects the newer (v2) output format.
  • --verbose: displays all the resources scanned, not only the ones that failed a control.

To scan your cluster, use following command,

# kubescape scan --submit --enable-host-scan --format-version v2 --verbose

This command prints a security analysis of every object in your cluster. Because --submit was given, the results are also pushed to the ARMO portal, where you can view them in detail after logging in.

How to Analyze Kubescape Scan Results

The results table lists the risk analysis per object (the example discussed here is a StatefulSet). The risk analysis has the following fields:

  • Threat severity: how critical the finding is. Levels are Critical, High, Medium, and Low.
  • Control Name: the name of the control, that is, the component or configuration aspect being checked.
  • Docs: a link to a page describing the risk and the threat detected during the scan.
  • Assistant remediation: the change to make to your YAML file or cluster to clear the finding.

Failed controls rated Critical or High should be fixed first. Use the information in the Docs and Assistant remediation columns to work out the fix.

With --verbose the output can run to many lines; the top of it may scroll off your terminal, or a CI build log may become hard to read. To avoid this, write the results to a PDF, which is easier to read and, as part of a CI/CD pipeline, can be stored as a build artifact (for example in an Artifactory repository) for security review. Add --format pdf --output filename.pdf to the scan command, as below; this works with all the scan commands.

# kubescape scan --format pdf --output results.pdf

The results.pdf file is written to the directory you ran the scan from (the current working directory).
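A PDF is fine for a human reviewer, but a pipeline needs a machine-readable verdict. As an added example (not from the original article and not part of the Kubescape project), the Python script below turns a JSON report (kubescape scan --format json --output results.json) into a CI gate that exits non-zero when any failed control is at or above a chosen severity. It assumes the v2 JSON layout shown in the constructed SAMPLE_REPORT (a summaryDetails.controls map keyed by control ID, each entry carrying name, status and scoreFactor) and the scoreFactor-to-severity thresholds in severity_from_score(); both are assumptions to verify against a report produced by your own Kubescape version. The control IDs and names in the sample are illustrative.

```python
"""CI gate over a Kubescape JSON report (added example, not Kubescape code).

Assumptions, labelled here and in the comments below:
  * the report carries summaryDetails.controls, a map keyed by control ID whose
    entries have "name", "status" ("passed"/"failed") and "scoreFactor";
  * severity is derived from scoreFactor with the thresholds in
    severity_from_score().
Check both against a real `kubescape scan --format json` report.
"""
from __future__ import annotations

import json
import sys

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]  # ascending


def severity_from_score(score_factor: float) -> str:
    """Assumed mapping from a control's numeric scoreFactor to a severity label."""
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"


def failed_controls(report: dict) -> list[dict]:
    """Failed controls from summaryDetails.controls, worst severity first."""
    controls = report.get("summaryDetails", {}).get("controls", {})
    failed = []
    for control_id, entry in controls.items():
        if entry.get("status") != "failed":
            continue
        counters = entry.get("ResourceCounters", {})
        failed.append({
            "id": control_id,
            "name": entry.get("name", ""),
            "severity": severity_from_score(float(entry.get("scoreFactor", 0))),
            "failed_resources": counters.get("failedResources", 0),
        })
    failed.sort(key=lambda c: SEVERITY_ORDER.index(c["severity"]), reverse=True)
    return failed


def gate(report: dict, threshold: str = "High") -> tuple[bool, list[dict]]:
    """Return (passed, blocking). passed is False when any failed control is at
    or above `threshold`; blocking lists those controls."""
    min_rank = SEVERITY_ORDER.index(threshold)
    blocking = [c for c in failed_controls(report)
                if SEVERITY_ORDER.index(c["severity"]) >= min_rank]
    return (not blocking, blocking)


# Constructed sample report, trimmed to the fields the gate reads.
SAMPLE_REPORT = {
    "summaryDetails": {
        "status": "failed",
        "controls": {
            "C-0057": {"name": "Privileged container", "status": "failed",
                       "scoreFactor": 8.0,
                       "ResourceCounters": {"failedResources": 2, "passedResources": 10}},
            "C-0004": {"name": "Resources memory limit and request", "status": "failed",
                       "scoreFactor": 4.0,
                       "ResourceCounters": {"failedResources": 5, "passedResources": 7}},
            "C-0016": {"name": "Allow privilege escalation", "status": "passed",
                       "scoreFactor": 6.0,
                       "ResourceCounters": {"failedResources": 0, "passedResources": 12}},
        },
    }
}


def main(argv: list[str]) -> int:
    """Usage: python gate.py [results.json] [Low|Medium|High|Critical]"""
    threshold = argv[2] if len(argv) > 2 else "High"
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # fall back to the constructed sample
    passed, blocking = gate(report, threshold)
    for c in blocking:
        print(f"{c['severity']:<8} {c['id']:<7} {c['name']} "
              f"({c['failed_resources']} failed resources)")
    print("PASS" if passed else f"FAIL: {len(blocking)} control(s) at or above {threshold}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python gate.py results.json High after the scan step; the non-zero exit code fails the build while the PDF (or the JSON itself) is kept as the artifact for review. The threshold is deliberately a parameter so a staging pipeline can gate on Medium while production gates on High.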

Kubescape lets you scan the cluster against a chosen security framework, such as the NSA framework. All you have to do is give the name of the framework, as shown below:

# kubescape scan framework nsa

To get a PDF report:

# kubescape scan framework nsa --format pdf --output nsa.pdf

You can also scan only for containers running with elevated privileges by selecting a single control, in this case "Privileged container":

# kubescape scan control "Privileged container"

For a PDF report:

# kubescape scan control "Privileged container" --format pdf --output container.pdf
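To see what this control actually flags and what the fix looks like, here is an added example in Python (not Kubescape's own Rego rule, and not part of the original article): a simplified re-implementation of the "Privileged container" check that runs over a manifest loaded as a dict, plus a harden() helper that removes privileged: true and applies a restrictive securityContext. The StatefulSet manifest is a constructed sample; function names are my own.

```python
"""Local check for privileged containers and a hardening helper.

Added example; a simplified re-implementation of what the Kubescape
"Privileged container" control looks for (securityContext.privileged: true on
a container or init container), not Kubescape's own rule.
"""
from __future__ import annotations

import copy


def _pod_spec(obj: dict) -> dict:
    """Return the pod spec of a bare Pod or of a workload with a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def privileged_containers(obj: dict) -> list[str]:
    """Names of containers (and init containers) that run with privileged: true."""
    spec = _pod_spec(obj)
    flagged = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            if c.get("securityContext", {}).get("privileged") is True:
                flagged.append(c["name"])
    return flagged


def harden(obj: dict) -> dict:
    """Return a copy with privileged removed and a restrictive securityContext set.

    If a workload genuinely needs a single host capability, add it via
    capabilities.add instead of the blanket privileged flag.
    """
    fixed = copy.deepcopy(obj)  # leave the caller's manifest untouched
    spec = _pod_spec(fixed)
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.setdefault("securityContext", {})
            sc.pop("privileged", None)
            sc.update({
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            })
    return fixed


# Constructed sample: a StatefulSet whose sidecar runs privileged.
WEAK_STATEFULSET = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "db", "namespace": "production"},
    "spec": {
        "serviceName": "db",
        "template": {
            "metadata": {"labels": {"app": "db"}},
            "spec": {
                "containers": [
                    {"name": "db", "image": "postgres:15",
                     "securityContext": {"runAsNonRoot": True}},
                    {"name": "node-tuner", "image": "busybox",
                     "securityContext": {"privileged": True}},
                ]
            },
        },
    },
}


if __name__ == "__main__":
    print("privileged before:", privileged_containers(WEAK_STATEFULSET))
    print("privileged after: ", privileged_containers(harden(WEAK_STATEFULSET)))
```

Running the file reports node-tuner before hardening and nothing after. The hardened securityContext mirrors the remediation Kubescape's docs point you to for this control: drop the privileged flag, forbid privilege escalation, run as non-root and drop all capabilities, then add back only what the workload can prove it needs.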

Scan a running Kubernetes cluster against the MITRE ATT&CK® framework and submit the results to the Kubescape SaaS (ARMO portal):

# kubescape scan framework mitre --submit

For PDF report,

# kubescape scan framework mitre --format pdf --output mitre.pdf

Scan specific namespaces

# kubescape scan --include-namespaces staging,production

For PDF report,

# kubescape scan --include-namespaces staging,production --format pdf --output preprod.pdf

Scan cluster and exclude some namespaces

# kubescape scan --exclude-namespaces kube-system,kube-public

For PDF report,

# kubescape scan --exclude-namespaces kube-system,kube-public --format pdf --output teamnamespace.pdf

Discuss about #Linux, #DevOps, #Docker, #kubernetes, #HowTo’s, #cloud & IT technologies like #argocd #crossplane #azure