kubescape v1.0.116 releases: testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance
Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in the Kubernetes Hardening Guidance by NSA and CISA. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Kubescape runs the following tests, as defined by the Kubernetes Hardening Guidance by NSA and CISA:
- Non-root containers
- Immutable container filesystem
- Privileged containers
- hostPID, hostIPC privileges
- hostNetwork access
- allowedHostPaths field
- Protecting pod service account tokens
- Resource policies
- Control plane hardening
- Exposed dashboard
- Allow privilege escalation
- Applications credentials in configuration files
- Cluster-admin binding
- Exec into container
- Dangerous capabilities
- Insecure capabilities
Kubescape is based on the OPA engine (https://github.com/open-policy-agent/opa) and ARMO’s posture controls.
The results by default are printed in a pretty “console friendly” manner, but they can be retrieved in JSON format for further processing.
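To make concrete what several of the listed tests look for in a pod manifest, here is an added example; it is not Kubescape's code or its OPA rules. The function name `check_pod`, the simplified pass/fail logic and both sample manifests are assumptions constructed for illustration.

```python
# Added illustration: not Kubescape's code or its Rego rules. It checks a pod
# manifest (parsed into a dict) against some of the controls listed above.
# The pass/fail logic is a simplified assumption based on Kubernetes defaults.

def check_pod(pod):
    """Return the sorted names of the listed controls that the pod fails."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    failed = set()
    if spec.get("hostPID") or spec.get("hostIPC"):
        failed.add("hostPID, hostIPC privileges")
    if spec.get("hostNetwork"):
        failed.add("hostNetwork access")
    # The token is mounted unless disabled (ServiceAccount setting not checked).
    if spec.get("automountServiceAccountToken", True):
        failed.add("Protecting pod service account tokens")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot overrides the pod-level value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            failed.add("Non-root containers")
        if not sc.get("readOnlyRootFilesystem", False):
            failed.add("Immutable container filesystem")
        if sc.get("privileged", False):
            failed.add("Privileged containers")
        # Kubernetes treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            failed.add("Allow privilege escalation")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            failed.add("Resource policies")
    return sorted(failed)

# Constructed sample manifests (not taken from any real cluster).
WEAK_POD = {"spec": {"hostNetwork": True, "containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example/app:1.0",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False},
        "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}}]}}

if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(name, check_pod(pod))
```

The weak manifest fails most of these checks through omitted fields rather than explicit settings, which is why the hardened one has to set each field explicitly.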
Copyright (C) 2021 armosec