Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Kubernetes, often dubbed the “operating system of the cloud,” is a complex and critical piece of infrastructure in modern cloud native environments. Ensuring its security is paramount, given its intricate composition. In order for organizations to better understand the components within their Kubernetes environment and to substantially reduce risk, Aqua Security’s Trivy open source security scanner has introduced the Kubernetes Bill of Materials (KBOM).
The Gap in Kubernetes Security
Traditionally, Kubernetes security tools focused on misconfiguration and hardening. Standards for Kubernetes security were developed, such as Kubernetes’ Pod Security Policy, CIS’s Benchmark for Kubernetes, NSA/CISA’s Kubernetes Hardening Guide, and more. Aqua Security also released the open source cluster assessment tool “kube-bench,” which is incredibly popular. However, a significant gap persisted in assessing vulnerabilities within Kubernetes clusters themselves. This is particularly crucial given Kubernetes’ central role in cloud infrastructure.
The Rise of SBOM
While vulnerability scanning for Kubernetes clusters was neglected, scanning of application code and artifacts was flourishing. The practice evolved over time and peaked with the popularization of the software bill of materials (SBOM) a couple of years ago. As a veteran in vulnerability scanning, Aqua Security was already leveraging the principles behind SBOMs in our offerings, but the standardization and interoperability that SBOMs brought to the industry truly signaled the maturity of the vulnerability assessment practice. Today, scanning your applications and code for vulnerabilities is a standard practice. But why stop there? We wanted to bring to Kubernetes the same level of acceptance and adoption that SBOMs enjoy in the application domain.
By analyzing your Kubernetes cluster with KBOM, Trivy generates a comprehensive manifest of all components used in it. This is analogous to an SBOM, but where an SBOM describes a workload, a KBOM describes the Kubernetes cluster’s own composition. Which kubelet are you running on which node? What kind of container network interface (CNI) are you using? These are the questions that KBOM was designed to answer.
Kubernetes is a complex system with many moving parts that are sometimes separately installed and configured. A Kubernetes distribution bundles select core Kubernetes components with additional necessary components to create a usable Kubernetes cluster. Accurately mapping the composition of a Kubernetes cluster not only helps a user, developer or cluster admin in maintaining the system, but also paves the way for accurate vulnerability assessments.
KBOM for Vulnerabilities
Built on the foundations of KBOM, Trivy can now offer a full vulnerability assessment of Kubernetes clusters and their core components. This leverages the official Kubernetes CVE feed, which is curated by Aqua Security to make it compatible with KBOM. This marks a significant step forward in providing full-fledged Kubernetes security.
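As an added illustration (not code from Trivy or from the original post) of how a KBOM feeds vulnerability assessment, the Python below matches a constructed CycloneDX-style KBOM, with the kubelet version recorded per node and the CNI listed as a component, against a constructed advisory list with affected version ranges. The component layout, the property names and the CVE ids are assumptions and placeholders, not real Trivy output or the official feed's schema.

```python
import json
import re
# Constructed KBOM in a CycloneDX-style layout (assumed shape, not Trivy output).
KBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "k8s.io/kubelet", "version": "v1.27.2",
         "properties": [{"name": "node", "value": "worker-1"}]},
        {"name": "k8s.io/kubelet", "version": "v1.28.4",
         "properties": [{"name": "node", "value": "worker-2"}]},
        {"name": "calico-node", "version": "3.26.1",
         "properties": [{"name": "role", "value": "cni"}]},
    ],
})

# Constructed advisories; the CVE ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "CVE-0000-0001", "component": "k8s.io/kubelet",
     "introduced": "1.27.0", "fixed": "1.27.5"},
    {"id": "CVE-0000-0002", "component": "k8s.io/kubelet",
     "introduced": "1.28.0", "fixed": "1.28.3"},
]

def parse_version(v):
    """Turn 'v1.27.2' or '1.27.2' into a comparable (1, 27, 2) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())

def load_kbom(text):
    """Flatten each KBOM component into its name, version and properties."""
    comps = []
    for c in json.loads(text).get("components", []):
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        comps.append({"name": c["name"], "version": c["version"], "props": props})
    return comps

def assess(kbom_text, advisories):
    """Flag each component whose version is in [introduced, fixed) of an advisory."""
    findings = []
    for comp in load_kbom(kbom_text):
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["component"] == comp["name"] and \
               parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"],
                                 "node": comp["props"].get("node", "-"),
                                 "version": comp["version"], "fixed": adv["fixed"]})
    return findings
```

The per-node property is what lets a finding name the specific node still running an affected kubelet rather than the cluster as a whole, which is the granularity a cluster admin needs to plan an upgrade.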
Closing the Gap
If we think about Kubernetes as the “operating system of the cloud,” we hold it to the same standards as other operating systems when it comes to security and vulnerabilities. Trivy is already the prominent vulnerability scanner for existing operating systems, and with its recent addition of KBOM and Kubernetes vulnerability scanning, it reaches another important milestone.
Join the Trivy community and star it on GitHub.