Granting Access to Kubernetes Clusters

Once Kubescape is ready to launch on the local system, simply typing kubescape should display a help text on the screen. Without further preparations, you would simply see an error message if you call the

kubescape scan --verbose

command. For Kubescape to examine a Kubernetes cluster, it needs to know where the nodes are and, of course, access them. The Kubescape developers' implementation is exemplary; they use the same cluster configuration that is also used for kubectl – the main management tool for K8s in general. However, if you set up your own host for Kubescape operation, as recommended, you will probably not have this configuration.

The quick fix for the problem if you already have a system with kubectl running is simply to copy the entire ~/.kube/ folder from that system to the Kubescape host, including ~/.kube/config, which contains the access data for Kubernetes. The kubeconfig files are produced by K8s at least once during the initial setup of the cluster (Figure 2); for existing K8s systems, you will – at the least – find it on the host on which the Kubernetes setup was carried out.

Figure 2: For Kubescape to work, you need to store the kubeconfig file, which is also the basis for kubectl. Installation tools such as kind create the file automatically.

Tools such as OpenShift often also display the kubectl configuration on the screen during their setup, allowing it to be backed up independently. The chances are basically good that the file is available on a system if the call to

kubectl cluster-info

works. Incidentally, kubectl should also exist on the host on which you later call kubescape. The K8s developers explain how to do this in their instructions [3]. In most cases, however, you just need to install the kubectl package with your distribution's package manager.

First Launch

Now you can start looking for security and compliance issues with Kubescape. The

kubescape scan --verbose

command starts an extensive scan that checks the target instance of K8s for all the rules it contains. As described, this includes MITRE and NSA frameworks, as well as some rules from Kubescape's own ruleset. Once the program has finished its work – and this can take quite a while, depending on the scope of the installation – it displays a table with the findings. However, interpreting them is not as easy for the untrained eye as you might expect or desire.

The table shown in Figure 3 is initially divided into five columns. The first column is easy: It explains the severity of an issue or a deviation from the compliance regulations. Basically, if entries classified as Critical or High appear, increased vigilance and typically rapid intervention are the order of the day. Column 2 shows the name of the test performed; you need to develop a feel for working with Kubescape because it is often not clear at first glance whether an issue relates to compliance or security.

Figure 3: At the end of a Kubescape run, the tool outputs a complete overview of all the issues it identified. By default, the MITRE and NSA frameworks determine what constitutes an issue.

At least if Kubescape detects a problem that has a CVE number, it usually uses this number in the Control Name column. Incidentally, the name of this column is derived by the names of individual checkpoints, which in the context of compliance certification, are typically referred to as controls [4]. Kubescape is exemplary in that most of the controls have descriptive names. Disable anonymous access to Kubelet service , for example, clearly informs you of the issue (anonymous access to the kubelet is permitted) and also provides appropriate instructions.

The next two columns, Failed Resources and All Resources , on the other hand, regularly prompt exasperation. However, fear not; whereas Kubescape lists the resources that it has checked in a Kubernetes cluster in the All Resources column, the Failed Resources column lists the subset of the total number of services checked that Kubescape has identified as non-compliant in the context of a specific control entry.

The crux of the matter is that not every Kubescape control relates exclusively to resources in Kubernetes. It can happen that Kubescape finds critical errors but displays 0 in both columns, as in the example of anonymous access to the Kubelet service. These are not errors then that can be assigned to individual resources in K8s, but to either errors in components of the K8s infrastructure itself or meta checks. If too many tests for controls in the Medium category fail, for example, Kubescape displays a separate warning.

Finally, the last column records the percent compliance of an environment with regard to certain controls. Any control that displays a message (e.g., Action Required ) instead of a value in this field, is an immediate prompt for you to take action. Otherwise, a value indicates how many of the tested resources in Kubernetes meet the specifications. Above the table Kubescape provides an overview and, below, a more detailed presentation of compliance fulfillment in terms of the applied rules (i.e., MITRE, NSA, or both).

If you are not familiar with the Kubescape tabular output format, you can use the --format parameter to extend the output, including JSON, PDF, or HTML format:

kubescan scan --format json --format-version v2 --output results.json2
kubescan scan --format pdf --output results.pdf
kubescan scan --format html --output results.html

If you want Kubescan to list the resources that have passed all tests, as well, add the --verbose parameter.

Special Tasks

Kubescape also can be used outside a running Kubernetes cluster to check resources before they even find their way into the cluster. For example, if you have a local folder full of YAML or JSON files that you want to transfer to Kubernetes later by running kubectl apply, you can run either of

kubescape scan *.yaml
kubescape scan *.json

for a command-line check directly in the folder. The same approach works with a local folder full of Helm charts, which you can simply pass in to kubescape scan as a parameter.