Securing K8s cluster with Kubescape

Pratik Singh - Mar 29 '22 - Dev Community

This article is about securing your Kubernetes Cluster using Kubescape.

Across industries, a shift from a monolithic architecture to microservices architecture has taken place.

Kubernetes is being used by most IT companies, startups, and even banks today! And anything that runs in production needs to be secure🔐.


Why not have a one-stop-shop for evaluating the security of our cluster🤔?


That's what Kubescape provides✨!


Before getting started, note that this article assumes some prior knowledge of DevOps.

Prerequisites

  • Docker 🐳: It worked on my system?! So it will help ship your computer to the client virtually.

  • Kubernetes🛳: Well, every class needs a monitor, right?


Intro

I am Pratik Singh, currently interning at GitHub. I am developing LitmusChaos, a CNCF Chaos Engineering tool for Kubernetes.
In this blog, I will attempt to link my knowledge of Security and Chaos. Chaos and security both aim to increase the system's reliability.


Let's get started

What is Kubescape?

Kubescape is a K8s open-source tool providing a multi-cloud K8s single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerabilities scanning.
Source: Here


Simply put, it helps secure a running Kubernetes cluster. It scans the cluster and ranks it against industry frameworks such as MITRE, NSA, and CISA.


Why Kubescape?


While working at Juspay (a fintech company) with the SRE team, I encountered the need for such a tool. I know major companies have subteams that ensure deployments adhere to the latest industry standards. Keeping up with the latest news is crucial, as is hardening deployments with each new announcement.

  • For the most part, it saves effort and time. It may prove invaluable during critical deployments.

  • Variety of Options: Where is the cluster running? Choose the target cluster🎯

  • Suggestions: In addition to pointing out the vulnerabilities in your cluster, it also suggests changes😻! This provides you with the updated YAML, which directly resolves the issue🤯🤯. Right!!?

  • Custom Frameworks: If your firm has guidelines on top of the industry standards, you can add them here. So, you won't have to worry about the deployment the intern made 😂.

  • Schedule: Yup!! One can automate ⏱ this process on selected clusters🤖

  • RBAC Visualizer: Falling in love😻 with this feature. Only a true DevOps guy will know what a pain maintaining Roles👥 is!

  • Dashboard: The UI is very intuitive. The filter and sort options are real life-savers ❤.

  • Great Support: Within a day of signing up, the organisation contacted me to help me onboard with the tool. They were ready to provide me a TLDR and help me with my doubts.

  • Documentation and Videos: The org has amazing Documentation✅. If you prefer video tutorials, they have a great list of tutorials📺. Here

🥵 I could go on and on (😏) about the features it provides, but let's move on to my findings. I am also still on a learning curve and will update this article with time!


Scenarios


Case 1: Nginx Deployment

Deploying an Nginx server on a Kubernetes cluster is like "Hello World". Personally, I've done it numerous times. But to my surprise, each deployment has several vulnerabilities🤯
Yes!! There were over nine moderate and high issues in my simple Nginx deployment, so remember this next time you're planning to use Nginx.

Case 2: LitmusChaos

Currently, I contribute to LitmusChaos, a tool that introduces Chaos into your cluster by deploying several CRDs on it. When I found Kubescape, I was intrigued by the results of these deployments.
This time I observed a mixed batch of issues.

Some of the issues were legit and needed fixing, for instance the listing of K8s secrets. Most of the companies have their secrets on AWS KMS, so it isn't a major problem.

Other issues were subjective and depended on the usage.
Chaos Engineering involves CRDs creating, deleting, and updating events, as well as being able to perform executions and destructions.

Still, I will have a lot of stuff to look into as we move forward.
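
The "listing of K8s secrets" finding mentioned above is typically about RBAC rules that grant read verbs on Secrets. As an added example (not from the original article and not Kubescape's own code), this script audits the JSON produced by `kubectl get roles,clusterroles -A -o json` for such rules; it goes beyond the literal `list` verb to cover `get`, `watch` and wildcards. The role names and sample data are constructed for illustration.

```python
import json

# Verbs that let a subject read Secret contents. "list" and "watch" return
# full Secret objects, so they expose data just as "get" does.
READ_VERBS = {"get", "list", "watch", "*"}

def rule_reads_secrets(rule):
    """Return the sorted read verbs one RBAC rule grants on Secrets."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    # Secrets live in the core API group, written as "" in RBAC rules.
    if "" not in groups and "*" not in groups:
        return []
    if "secrets" not in resources and "*" not in resources:
        return []
    return sorted(set(rule.get("verbs", [])) & READ_VERBS)

def find_secret_readers(manifest_json):
    """Scan a Role/ClusterRole object or a List of them, given as JSON."""
    doc = json.loads(manifest_json)
    findings = []
    for obj in doc.get("items", [doc]):
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata", {})
        # Aggregated ClusterRoles can carry "rules": null.
        for rule in obj.get("rules") or []:
            verbs = rule_reads_secrets(rule)
            if verbs:
                findings.append({
                    "kind": obj["kind"],
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name", ""),
                    "verbs": verbs,
                    # True when the rule is limited to named Secrets.
                    "scoped": bool(rule.get("resourceNames")),
                })
    return findings

# Constructed sample input; these roles are hypothetical.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "secret-lister-demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "wildcard-demo", "namespace": "demo"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader-demo", "namespace": "demo"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]})

if __name__ == "__main__":
    for finding in find_secret_readers(SAMPLE):
        print(finding)
```

Each finding still needs a judgement call of the kind described above: a role that legitimately needs Secrets can often be narrowed with `resourceNames` or moved from a ClusterRole to a namespaced Role.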

Conclusion:

On the professional level, the tool is installed as a daemon-set. Not sure if many firms are going to get on board with this idea. The platform is improving the security of our cluster, but ensuring that it's reliable is the main concern. The RBAC visualizer is very helpful and will be of great help to Leads and PMs in their work. Adapting to these will take a while, as using and applying the suggestions on Production will be a long discussion.

Personally, I see this tool as being very useful at times. It fills a real need when it comes to DevSecOps. I would also like a dark theme.😅

Thanks for reading my article :)
If you like my content give me a follow
Twitter || Linkedin
