/kubescape

kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

Primary LanguageGoApache License 2.0Apache-2.0

logo

Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by to NSA and CISA Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

TL;DR

Installation

To install the tool locally, run this:

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

Run

To get a fast check of the security posture of your Kubernetes cluster, run this:

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

If you wish to scan all namespaces in your cluster, remove the --exclude-namespaces flag.

Status

build Github All Releases

How to build

  1. Clone Project
git clone git@github.com:armosec/kubescape.git kubescape && cd "$_"
  1. Build
go mod tidy && go build -o kubescape .
  1. Run
./kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
  1. Enjoy 🤪

Under the hood

Tests

Kubescape is running the following tests according to what is defined by Kubernetes Hardening Guidance by to NSA and CISA

  • Non-root containers
  • Immutable container filesystem
  • Privileged containers
  • hostPID, hostIPC privileges
  • hostNetwork access
  • allowedHostPaths field
  • Protecting pod service account tokens
  • Resource policies
  • Control plane hardening
  • Exposed dashboard
  • Allow privilege escalation
  • Applications credentials in configuration files
  • Cluster-admin binding
  • Exec into container
  • Dangerous capabilities
  • Insecure capabilities
  • Linux hardening

Technology

Kubescape based on OPA engine: https://github.com/open-policy-agent/opa and ARMO's posture controls.

The tools retrieves Kubernetes objects from the API server and runs a set of regos snippets developed by ARMO.

The results by default printed in a pretty "console friendly" manner, but they can be retrieved in JSON format for further processing.

Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.