kubescape
Kubescape is the first tool for testing whether Kubernetes is deployed securely, as defined in the Kubernetes Hardening Guidance by NSA and CISA. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Technology
Kubescape is based on the OPA engine (https://github.com/open-policy-agent/opa) and ARMO's posture controls.
The tool retrieves Kubernetes objects from the API server and runs a set of Rego snippets developed by ARMO.
By default the results are printed in a "console-friendly" format, but they can also be retrieved as JSON for further processing.
Tests
Kubescape runs the following tests, according to what is defined in the Kubernetes Hardening Guidance by NSA and CISA:
- Non-root containers
- Immutable container filesystem
- Privileged containers
- hostPID, hostIPC privileges
- hostNetwork access
- allowedHostPaths field
- Protecting pod service account tokens
- Resource policies
- Control plane hardening
- Exposed dashboard
- Allow privilege escalation
- Applications credentials in configuration files
- Cluster-admin binding
- Exec into container
- Dangerous capabilities
- Insecure capabilities
- Linux hardening
- Ingress and Egress blocked
- Container hostPort
- Network policies
- Symlink Exchange Can Allow Host Filesystem Access (CVE-2021-25741)
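To make the mechanism described under Technology concrete, the following added example (written for this page, not Kubescape's or ARMO's own code, and not Rego) evaluates a Pod manifest against several of the controls listed above in plain Python. Kubescape fetches objects from the API server and evaluates Rego policies; here the manifests are constructed dicts embedded inline, the rule logic is written out directly so each control's condition is visible, and the result is emitted as JSON in the spirit of the "further processing" output. The finding strings, the `DANGEROUS_CAPABILITIES` set and both sample Pods are assumptions made for this example.

```python
"""Added example: offline checker for a few NSA/CISA hardening controls.
Not Kubescape's code; the rules and sample Pods are constructed here."""
import json
from typing import Dict, List

# Constructed list for this example, not Kubescape's own capability list.
DANGEROUS_CAPABILITIES = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

# Maps the Pod-level host namespace flags to the control names used above.
HOST_FLAGS = {
    "hostPID": "hostPID, hostIPC privileges",
    "hostIPC": "hostPID, hostIPC privileges",
    "hostNetwork": "hostNetwork access",
}


def _containers(pod: Dict) -> List[Dict]:
    """All containers, including init containers, of one Pod."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_pod(pod: Dict) -> List[str]:
    """Return findings ('<control>: <detail>') for one Pod manifest."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag, control in HOST_FLAGS.items():
        if spec.get(flag) is True:
            findings.append(f"{control}: {flag} enabled")

    # The token is mounted unless automountServiceAccountToken is false.
    if spec.get("automountServiceAccountToken", True):
        findings.append("Protecting pod service account tokens: token auto-mounted")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged") is True:
            findings.append(f"Privileged containers: {name}")

        # allowPrivilegeEscalation defaults to true when not set explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"Allow privilege escalation: {name}")

        # Container-level settings override Pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not (isinstance(uid, int) and uid > 0):
            findings.append(f"Non-root containers: {name} may run as root")

        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"Immutable container filesystem: {name} root filesystem is writable")

        added = set(sc.get("capabilities", {}).get("add", []))
        bad = sorted(added & DANGEROUS_CAPABILITIES)
        if bad:
            findings.append(f"Dangerous capabilities: {name} adds {', '.join(bad)}")

        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append(f"Container hostPort: {name} binds host port {p['hostPort']}")

        if not c.get("resources", {}).get("limits"):
            findings.append(f"Resource policies: {name} has no resource limits")

    for v in spec.get("volumes", []):
        if "hostPath" in v:
            path = v["hostPath"].get("path")
            findings.append(f"allowedHostPaths field: volume {v.get('name')} mounts host path {path}")

    return findings


def scan(pods: List[Dict]) -> Dict:
    """JSON-serialisable report over several Pods, for further processing."""
    return {"results": [{"pod": p.get("metadata", {}).get("name"),
                         "findings": check_pod(p)} for p in pods]}


# Constructed sample manifests: one deliberately weak, one hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak-demo"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-demo"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "ports": [{"containerPort": 8080}],
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(scan([WEAK_POD, HARDENED_POD]), indent=2))
```

Running the script prints a JSON report in which `weak-demo` carries ten findings (host PID namespace, auto-mounted token, privileged container, privilege escalation, possible root user, writable root filesystem, SYS_ADMIN, hostPort, missing limits, hostPath volume) and `hardened-demo` carries none. The checks are deliberately literal translations of the control names so a reader can see what each test in the list is looking for in a manifest; Kubescape's real Rego rules are broader and are the authoritative definition.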
Install & Use
Copyright (C) 2021 armosec