Secure Kubernetes with Kubescape
Inspection
Containerized environments are complex and comprise several layers, especially if Kubernetes is involved as a fleet orchestrator. Container security is a particular challenge because today's cloud stack combines so many components from so many different sources, in a more or less meaningful way, that it is not easy to keep track of and identify security updates for the various sources, find the ones that you need for your own environment, and install them in good time. As if that weren't enough trouble, more or less the same thing applies to compliance. The most glaring security issues are not caused by bugs, but by trivial misconfigurations that nobody notices in the review. If all the internal control processes fail, your own container landscape is left as open as the proverbial barn door in a worst case scenario.
To ensure that containerland does not turn into a horror movie, companies need to bear a few things in mind when they look to operate a large number of containers. After all, Kubernetes and others of the same ilk do not maintain themselves, and container-based approaches are no less complex than their traditional predecessors; you have to deal with even more loose ends than in conventional setups. The runtime environment for containers, Kubernetes itself, a number of on-top solutions such as the Istio service mesh, various package managers such as Helm, and the various sources from which container images can be obtained today are just a few examples.
This is where Kubescape [1] enters the scene. Its developers make some bold promises, claiming that it is the first tool that can completely automate the process of checking the entire container stack of an environment for security and compliance problems according to accepted rules (e.g., from the US National Institute of Standards and Technology (NIST), the not-for-profit MITRE organization, or the joint US National Security Agency
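To make the "trivial misconfigurations" point concrete, here is a small, added example (not code from the article and not part of the Kubescape project) that runs a handful of posture checks of the kind Kubescape automates over a workload manifest. It assumes the YAML has already been parsed into Python dicts; the control names, the sample Deployments and the image tag are all constructed for the illustration and are not Kubescape's control IDs.

```python
# Added example: a minimal misconfiguration scanner for Kubernetes workload
# manifests, in the spirit of the checks Kubescape automates. The control
# names below are invented for illustration and are not Kubescape's IDs.
# Assumes the YAML has already been parsed into dicts (e.g. with PyYAML).

def _pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that wraps one (Deployment, Job, ...)."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_manifest(manifest):
    """Return a list of (control, resource, container, detail) findings."""
    findings = []
    meta = manifest.get("metadata", {})
    resource = f"{manifest.get('kind', '?')}/{meta.get('name', '?')}"
    pod = _pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})

    # Pod-level controls: sharing the node's namespaces defeats isolation
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(field):
            findings.append(("host-namespace", resource, None, f"{field}: true"))

    for key in ("initContainers", "containers"):
        for c in pod.get(key, []):
            cname = c.get("name", "?")
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                findings.append(("privileged-container", resource, cname,
                                 "securityContext.privileged: true"))
            # Kubernetes defaults allowPrivilegeEscalation to true when unset
            if sc.get("allowPrivilegeEscalation", True):
                findings.append(("privilege-escalation", resource, cname,
                                 "allowPrivilegeEscalation not set to false"))
            # runAsNonRoot may be set at pod or container level; container wins
            if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
                findings.append(("run-as-root", resource, cname,
                                 "runAsNonRoot not set to true"))
            # Unpinned images make the deployed content non-reproducible
            ref = c.get("image", "").rsplit("/", 1)[-1]
            if "@" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append(("unpinned-image", resource, cname,
                                 f"image {c.get('image', '')!r} has no tag or uses :latest"))
            # Missing limits let one container starve the node
            if not c.get("resources", {}).get("limits"):
                findings.append(("no-resource-limits", resource, cname,
                                 "resources.limits missing"))
    return findings


# Constructed sample: a Deployment as someone might write it in a hurry
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    }}},
}

# Constructed sample: the same workload with the usual hardening applied
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "nginx:1.25.3",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    }}},
}

if __name__ == "__main__":
    for m in (INSECURE_DEPLOYMENT, HARDENED_DEPLOYMENT):
        for control, res, cname, detail in check_manifest(m):
            print(f"[{control}] {res} container={cname}: {detail}")
```

Run against the insecure sample it reports six findings (host namespace, privileged container, privilege escalation, root user, unpinned image, missing limits); the hardened sample reports none. A real scanner such as Kubescape evaluates hundreds of such controls, mapped to the NIST and MITRE frameworks the article mentions, and reads live cluster objects as well as files, but each control reduces to this same shape: a field lookup and a policy decision.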