Kubescape 3.0: The Result of Lessons Learned with eBPF for Security
The rising crest of eBPF’s (Extended Berkeley Packet Filter) hype cycle is largely attributed to its capabilities to help secure applications running on Kubernetes clusters. With its monitoring and observability features, eBFP has been shown to extend its hooks for security purposes that extend from within the Linux kernel and to runtimes across highly distributed Kubernetes environments.
One project that the open source community and its creator ARMO continue to actively develop is Kubescape. Ambitions to extend eBPF’s security reach are an integral philosophy of the projects. Since its creation in 2021, the Cloud Native Computing Foundation sandbox project has benefited from 2,236 pull requests and over 9,000 stars.
ARMO discussed its ambitions to cover security needs from embedded eBPF security hooks from scans of runtimes libraries, CI/CD and during post-deployment with the introduction of Kubescape 3.0 during KubeCon. The release calls into question how realizable comprehensive security for runtimes can be for DevOps (or SecOps if you prefer) with eBPF.
When Kubescape was originally introduced in 2021, it was the first open source security scanner to support the NSA-CISA Kubernetes security guidelines. Kubescape 3.0 represents a host of changes made to the original scanner, with added functionality and a lot of focus on user experience, CTO and co-founder Benyamin Hirschberg of Kubernetes security provider ARMO said. “The scan results of Kubescape 3.0 are a beginning rather than an end. Each result is given with additional context,” Hirschberg said. “Thus, removing much of the toil associated with further analysis of the results of the security scan and the user is given many cues on how to continue on the post-scan security journey.”
Kubescape covers the life cycle of applications and their updates for Kubernetes applications. This includes IDEs, CI/CD pipelines and clusters for risk analysis, security, compliance, misconfiguration scanning and image scanning. Hardening recommendations such as network policies and security policies are also available as part of open source offerings.
Integrate, Find, Fix
Kubescape is used to integrate with a checklist of the necessary tools your DevOps teams use with the platform, such as software bill of materials (SBOM), signature scanning and policy controls. It begins running its scans at the very beginning of the development cycle and extends across CI/CD and throughout the deployment and cluster management process.
It is used to find and fix misconfigurations and vulnerabilities with frameworks such as NSA-CISA, MITRE ATT&CK and the CIS Benchmark. Kubescape scans YAML files, Helm charts and clusters upon deployment. Kubescape can also be integrated with Jenkins, CircleCI, GitHub Actions, GitLab, IDEs (such as Visual Studio Code), Prometheus, Lens and Docker.
A key capability with eBPF that ARMO offers applies to vulnerability relevancy and prioritization. Relevancy and prioritization allow ARMO Platform and Kubescape users to deprioritize vulnerabilities that belong to unused software packages and components. By first deprioritizing vulnerabilities that are less critical, users can focus on addressing the ones that pose a greater threat to their running cluster.
Kubescape 3.0 new features include:
Compliance and container scan results stored as Kubernetes resources inside API objects: This makes it easier to view and manage scan results, and to integrate Kubescape with other Kubernetes tools and workflows.
Scanning container images for vulnerabilities from the CLI (command line interface): This makes it possible to shift security left by scanning images before they are deployed to production and to identify and fix vulnerabilities early on.
Reporting on the vulnerabilities of all the images in a cluster: This provides a comprehensive view of the security posture of all the images in a cluster and helps organizations prioritize remediation efforts.
A new overview security scan, which helps you set a baseline for cluster security: This scan identifies key security risks in a cluster, and helps organizations to improve their overall security posture.
Highlighting high-risk workloads, those that could do the most damage if they are compromised: This helps organizations focus their security efforts on the workloads that pose the greatest risk.
Improved display output: Kubescape 3.0 features a new and improved display output that makes it easier to read and understand scan results.
A new capability-based Helm chart: This makes it easier to install and configure Kubescape.
Per workload, per namespace and per cluster Prometheus metrics: This makes it possible to monitor the security posture of workloads, namespaces, and clusters over time.
Alerting through Prometheus Alertmanager: This makes it possible to receive alerts when security problems exceed a configurable threshold.
Sending data outside of the cluster to Kubescape providers: This makes it possible to store security information outside of the cluster it is collected from, so that it cannot be altered in the event of an attack. A documented API for operating a Kubescape-compatible service is available, in addition to native ARMO, Backstage and Lens integrations.
In the context of GitHub, a search shows that there are currently 492 open source repositories related to “Kubernetes Security” with a combined 265,449 stars, Torsten Volk, an analyst at Enterprise Management Associates, said. The chart shows Cilium, Trivy, Authelia, Teleport, Kubescape, Linkerd2 and Falco as the projects with the most stars. “KubeScape is all about baking security scanning and risk management directly into the Kubernetes cluster to make it easy for developers and DevOps engineers to prevent configuration mistakes or the use of vulnerable container images. Simplifying Kubernetes security by baking it into the Kubernetes-API and integrating it with IDEs and DevOps pipelines based on the latest and greatest best practices defined by the open source community is an exciting value proposition,” Volk said.
While KubeScape focuses on continuously optimizing the Kubernetes security posture, Cilium covers network security at the API and Kernel layer, Linkerd secures the service mesh, Falco takes care of runtime security and Authelia provides security at the authentication layer, Volk said. Trivy is the open source security platform most similar to KubeScape but focuses on image scanning, while KubeScape focuses on hardening Kubernetes clusters from the inside based on industry standards by NSA, CISA, etc., Volk said.
Version 3.1, expected by the end of the year, will introduce an in-cluster web UI. Version 4.0, expected Q2 2024, will expand Kubescape into a full Kubernetes-native application protection platform (KNAPP) by adding further runtime features.
A proper platform that uses eBPF should be able to allow DevOps teams to monitor what should be running in the Kubernetes cluster and offer actionable results when policies are violated or security threats are detected. Relying on CO-RE to optimize resources, ARMO’s enterprise version of Kubescape has been shown effective in a DevOps environment on Kubernetes. There it is used to make smarter automated decisions about security access to pods and clusters, based on its ability to both assess the potential impact of changes to an application and make more nuanced security fixes to code and policy changes. In our earlier ingress point example, Kubescape could pinpoint the specific folders that require write access and remove them from others, shrinking the attack surface rather than breaking the application.
Kubescape 3.0 also shows how tools, such as those that take advantage of eBPF security hook capabilities can be used to complement the use of AI and LLMs for Kubernetes security. “Automating access control based on hard-coded logic or AI models is and exciting and slightly scary perspective. On the one hand, there is less room for human error or generally sloppy configuration of Kubernetes cluster, but on the other hand, humans need to be able to easily understand and monitor all automated configuration workflows,” Volk said. “It is great to see Kubescape taking on this challenge as solving it will bring security that scales with application environments.”