Best Practices Analysis & CVE Scanning with KubeScape

October 18, 2024
Tags:
Security
CVE
Best Practices

What is Kubescape?

Kubescape is an open-source security tool specifically designed to evaluate the security posture of Kubernetes clusters. It identifies vulnerabilities, misconfigurations, and compliance issues, offering detailed insights that empower teams to strengthen their environments against potential threats. As a CNCF project, Kubescape is supported by a robust community of contributors, ensuring it stays at the forefront of Kubernetes security.

How to Install & Configure?

Installation

The Kubescape operator is installed with Helm. Once installed, Kubescape runs as a set of microservices inside the Kubernetes cluster, which lets you continuously monitor the cluster's status, including compliance and vulnerability management.

Run the installation command:


helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
  --set clusterName=`kubectl config current-context` \
  --set capabilities.continuousScan=enable

Verify that the installation was successful:


$ kubectl get pods -n kubescape
kubescape     kubescape-548d6b4577-qshb5    1/1     Running   0           60m
kubescape     kubevuln-6779c9d74b-wfgqf     1/1     Running   0           60m
kubescape     operator-5d745b5b84-ts7zq     1/1     Running   0           60m
kubescape     storage-59567854fd-hg8n8      1/1     Running   0           60m

Let's look at the purpose of each of the created services:

  • Kubescape - scanning cluster for misconfigurations
  • Kubevuln - scanning container images for vulnerabilities
  • Operator - scheduling scans
  • Storage - provides an aggregated API server to expose Kubescape scan data inside the cluster

Scan results are stored as Kubernetes API objects served by the storage component's aggregated API server (they are not CRDs). To list the Kubescape API resources now available in your cluster, use the following command:


$ kubectl api-resources | grep kubescape
applicationactivities                                     spdx.softwarecomposition.kubescape.io/v1beta1   true         ApplicationActivity
applicationprofiles                                       spdx.softwarecomposition.kubescape.io/v1beta1   true         ApplicationProfile
configurationscansummaries                                spdx.softwarecomposition.kubescape.io/v1beta1   false        ConfigurationScanSummary
generatednetworkpolicies                                  spdx.softwarecomposition.kubescape.io/v1beta1   true         GeneratedNetworkPolicy
knownservers                                              spdx.softwarecomposition.kubescape.io/v1beta1   false        KnownServer
networkneighborses                                        spdx.softwarecomposition.kubescape.io/v1beta1   true         NetworkNeighbors
openvulnerabilityexchangecontainers                       spdx.softwarecomposition.kubescape.io/v1beta1   true         OpenVulnerabilityExchangeContainer
sbomsyftfiltereds                                         spdx.softwarecomposition.kubescape.io/v1beta1   true         SBOMSyftFiltered
sbomsyfts                                                 spdx.softwarecomposition.kubescape.io/v1beta1   true         SBOMSyft
vulnerabilitymanifests                                    spdx.softwarecomposition.kubescape.io/v1beta1   true         VulnerabilityManifest
vulnerabilitymanifestsummaries                            spdx.softwarecomposition.kubescape.io/v1beta1   true         VulnerabilityManifestSummary
vulnerabilitysummaries                                    spdx.softwarecomposition.kubescape.io/v1beta1   false        VulnerabilitySummary
workloadconfigurationscans                                spdx.softwarecomposition.kubescape.io/v1beta1   true         WorkloadConfigurationScan
workloadconfigurationscansummaries                        spdx.softwarecomposition.kubescape.io/v1beta1   true         WorkloadConfigurationScanSummary

Configuration

Here we discuss the main configuration changes needed to evaluate the security posture of the cluster.

Scanning private registries

If you need to scan images from private registries, set imagePullSecrets through the Helm chart values. See the chart for details.

Enabling capabilities

High-level capabilities of the Kubescape operator are configured in values.yaml. Each capability is switched with enable/disable:


capabilities:
  # ====== configuration scanning related capabilities ======
  #
  # Default configuration scanning setup
  configurationScan: enable
  # Continuous Scanning continuously evaluates the security posture of your cluster.
  continuousScan: disable
  nodeScan: enable
  # ====== Image vulnerabilities scanning related capabilities ======
  #
  vulnerabilityScan: enable
  relevancy: enable
  # Generate VEX documents alongside the image vulnerabilities report (experimental)
  vexGeneration: disable

  # ====== Runtime related capabilities ======
  #
  runtimeObservability: enable
  networkPolicyService: enable
  runtimeDetection: disable
  malwareDetection: disable
  nodeProfileService: disable
  seccompProfileService: enable

  # ====== Other capabilities ======
  #
  # This is an experimental capability with an elevated security risk. Read the
  # matching docs before enabling.
  autoUpgrading: disable
  prometheusExporter: disable
  # seccompGenerator: disable

# extra capability - service discovery option
serviceScanConfig:
  enabled: false
  interval: 1h

Set scan scheduling frequency

  • To change how often workload configuration scans run, set the Helm value kubescapeScheduler.scanSchedule (a cron expression).
  • To change how often image vulnerability scans run, set the Helm value kubevulnScheduler.scanSchedule (a cron expression).

Note : See the GitHub repository for the Kubescape operator to learn the full set of configuration parameters.

How to see Results?

Compliance and vulnerability scan results appear gradually as the scans complete.

Compliance scanning

View the compliance summary report per namespace (the cluster-scoped ConfigurationScanSummary resource listed above):


kubectl get configurationscansummaries

View the compliance summary report for each workload:


kubectl get workloadconfigurationscansummaries -A

View the detailed compliance report for each workload (add -o yaml to see the individual controls and their results):


kubectl get workloadconfigurationscans -A

Image Vulnerabilities scanning

View the vulnerabilities summary report per namespace:


kubectl get vulnerabilitysummaries

View the vulnerabilities summary report for each workload/image:


kubectl get vulnerabilitymanifestsummaries -A

View the detailed vulnerabilities report for each workload/image:


kubectl get vulnerabilitymanifests -A

Challenges with using KubeScape

Need to set it manually

No UI Visualization

When it comes to the Kubescape operator, it only exposes scan results as Kubernetes API objects (the resources listed above); there is no built-in dashboard, so you are left reading them with kubectl.

Let’s solve challenges with App Insight

Installation

You can install the Kubescape operator through the App Insight agent, so there is no need to install Kubescape separately.

Handling Multiple Clusters

You will be able to see the security posture of all of your clusters in one place.

Data Visualization

App Insight provides a better-organized way of showing scan results to users.

Workload Scan Result

Here’s the view of the workload scan results.

Image Vulnerability Scan Result

Here’s the view of the image vulnerability scan results.

Vulnerability Alerts

You can define alert rules based on CVE names, so you are notified immediately when one of those CVEs is found in your workloads' images.
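The same triage can be done against the raw Kubescape objects without a UI. The following is an added Python example (not Kubescape's or App Insight's code) that consumes the JSON printed by kubectl get vulnerabilitymanifests -A -o json, flattens the grype-style report that kubevuln stores under spec.payload.matches, recomputes the per-image severity counts that the VulnerabilityManifestSummary objects report, ranks images by High-and-above findings, applies CVE-name alert rules like the ones described above, and lists Critical findings that already have an upstream fix. The embedded sample is constructed for this example: the CVE ids (CVE-0000-xxxx), image names and packages are placeholders, and recovering the image reference from the kubescape.io/image-tag annotation is an assumption about the object metadata.

```python
"""Triage Kubescape image-vulnerability results exported with kubectl.

Input is the JSON from `kubectl get vulnerabilitymanifests -A -o json`: a List whose
items carry a grype-style report under spec.payload.matches. The sample below is
CONSTRUCTED for this example; CVE-0000-xxxx ids are placeholders, not real findings.
"""
import json
from collections import Counter, defaultdict

# Severity strings as grype emits them (and as Kubescape's payload carries them).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}


def _manifest(name, image, matches):
    """One VulnerabilityManifest-shaped object for the constructed sample."""
    return {
        "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1",
        "kind": "VulnerabilityManifest",
        # Assumption: the scanned image reference is carried in this annotation.
        "metadata": {"name": name, "namespace": "kubescape",
                     "annotations": {"kubescape.io/image-tag": image}},
        "spec": {"payload": {"matches": matches}},
    }


def _match(cve, severity, pkg, version, fixed_in=None):
    """One grype match: the vulnerability and the package it was found in."""
    return {"vulnerability": {"id": cve, "severity": severity,
                              "fix": {"state": "fixed" if fixed_in else "not-fixed",
                                      "versions": fixed_in or []}},
            "artifact": {"name": pkg, "version": version}}


SAMPLE_KUBECTL_JSON = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _manifest("registry.example-frontend-1.0-aaaa", "registry.example/frontend:1.0", [
        _match("CVE-0000-0001", "Critical", "libfoo", "1.2.3", ["1.2.4"]),
        _match("CVE-0000-0002", "High", "libbar", "2.0.0"),
        _match("CVE-0000-0003", "Low", "libbaz", "0.9"),
    ]),
    _manifest("registry.example-worker-3.1-bbbb", "registry.example/worker:3.1", [
        _match("CVE-0000-0001", "Critical", "libfoo", "1.2.3", ["1.2.4"]),
        _match("CVE-0000-0004", "Medium", "libqux", "5.5"),
    ]),
]})


def parse_manifests(raw):
    """Flatten kubectl output (a List or a single object) into one record per image/CVE/package."""
    doc = json.loads(raw)
    records = []
    for item in doc.get("items", [doc]):
        meta = item["metadata"]
        image = meta.get("annotations", {}).get("kubescape.io/image-tag", meta["name"])
        for m in item.get("spec", {}).get("payload", {}).get("matches", []):
            vuln = m["vulnerability"]
            records.append({"image": image, "cve": vuln["id"],
                            "severity": vuln.get("severity", "Unknown"),
                            "package": m["artifact"]["name"], "version": m["artifact"]["version"],
                            "fixed_in": list(vuln.get("fix", {}).get("versions") or [])})
    return records


def severity_counts(records):
    """Per-image counts by severity: the numbers VulnerabilityManifestSummary.spec.severities reports."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["image"]][r["severity"]] += 1
    return {image: dict(c) for image, c in counts.items()}


def rank_images(records, min_severity="High"):
    """Images ordered by number of findings at or above min_severity, worst first."""
    floor = SEVERITY_RANK[min_severity]
    tally = Counter(r["image"] for r in records if SEVERITY_RANK.get(r["severity"], 0) >= floor)
    return [image for image, _ in tally.most_common()]


def match_alert_rules(records, rules):
    """rules maps a rule name to a set of CVE ids; returns rule -> sorted list of affected images."""
    hits = {}
    for name, cves in rules.items():
        images = sorted({r["image"] for r in records if r["cve"] in cves})
        if images:
            hits[name] = images
    return hits


def fixable(records, min_severity="Critical"):
    """Findings at or above min_severity that already have an upstream fix version."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in records if r["fixed_in"] and SEVERITY_RANK.get(r["severity"], 0) >= floor]


if __name__ == "__main__":
    recs = parse_manifests(SAMPLE_KUBECTL_JSON)
    for image in rank_images(recs):
        print(image, severity_counts(recs)[image])
    print("alerts:", match_alert_rules(recs, {"libfoo-critical": {"CVE-0000-0001"}}))
    for r in fixable(recs):
        print(f"{r['image']}: upgrade {r['package']} {r['version']} -> {r['fixed_in'][0]} ({r['cve']})")
```

To run it against a live cluster, replace SAMPLE_KUBECTL_JSON with the output of kubectl get vulnerabilitymanifests -A -o json; the same flattening works on a single object fetched with kubectl get vulnerabilitymanifest NAME -n kubescape -o json. Alert rules are plain sets of CVE ids, so a rule fires for every image whose report contains one of them, regardless of which package introduced it.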

Sandaruwan Lakshitha
Linked In