ARMO has announced the release of Kubescape, which it describes as the first tool for testing whether Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance published by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
Tests are configured in YAML files, which makes them easy to update when the specifications for the tests change. Kubescape runs the following tests, corresponding to the controls defined in the Kubernetes Hardening Guidance by NSA and CISA: non-root containers, immutable container filesystem, building secure container images, privileged containers, hostPID and hostIPC privileges, hostNetwork access, allowed hostPaths field, protecting pod service account tokens, pods in kube-system and kube-public, resource policies, control plane hardening, encrypted secrets, and anonymous requests.
It is based on Open Policy Agent’s engine and ARMO’s posture controls. According to the project’s maintainers, Kubescape retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by ARMO.
The results of the tests are printed in a “console friendly” format by default, but they can also be retrieved as JSON for further processing.
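To make the kind of check described above concrete, here is an added example (not Kubescape’s own code, which expresses its controls in Rego) that evaluates a handful of the listed NSA/CISA pod-level controls against a Pod object in the shape the API server returns; the two sample Pods are constructed for the example.

```python
def pod_findings(pod: dict) -> list[str]:
    """Return the hardening-guidance controls this Pod object fails (empty = clean)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{flag} enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume '{vol.get('name')}' mounts {vol['hostPath'].get('path')}")
    # Unset means "inherit from the ServiceAccount", whose default is to mount the
    # token, so only an explicit False clears this control (simplification: the
    # ServiceAccount object itself is not consulted here).
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # A container-level securityContext overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings

# Constructed sample objects (the shape `kubectl get pod -o json` returns).
INSECURE_POD = {
    "kind": "Pod", "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"readOnlyRootFilesystem": True},
                        "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}],
    },
}

if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], pod_findings(pod) or ["no findings"])
```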
“Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops,” the maintainers wrote on the project’s GitHub page.