Kubescape: A CNCF Sandbox Platform for All Kubernetes Security

Kubescape’s official acceptance this week by the Cloud Native Computing Foundation (CNCF) as a sandbox project represents the beginning stage in the journey to offer a comprehensive open source security platform for Kubernetes projects, the project’s creators from ARMO say.
According to Kubescape’s documentation, the open source Kubernetes security platform covers the full lifecycle of Kubernetes applications and their updates. This includes IDE, CI/CD pipelines and clusters for risk analysis, security, compliance and misconfiguration scanning.
The key operative words are “platform” and “Kubernetes.” The platform part means that Kubescape is not just another security tool with very specific functionalities for Kubernetes among legions of alternatives. The Kubernetes part is essential because this means that the platform is for Kubernetes only.
Kubescape integrates with the long checklist of tools your DevOps teams would like to add for use with the platform, such as those for software bill of materials (SBOM), signature scanning and policy controls. It begins running its scans at the far left end of the production cycle and extends across CI/CD and throughout the deployment and cluster-management process.
Used to find and fix misconfigurations and vulnerabilities across such frameworks as NSA-CISA, MITRE ATT&CK and the CIS Benchmark, Kubescape scans YAML files, Helm charts and clusters upon deployment. Kubescape can also be integrated with Jenkins, CircleCI, GitHub Actions, GitLab, IDEs (e.g., Visual Studio Code), Prometheus, Lens and Docker.
“We want to be the CNCF’s open source Kubernetes security platform; that’s my vision. We want to consolidate Kubernetes security into a single platform,” Shauli Rozen, CEO and co-founder of ARMO, told The New Stack. “I really think this is something that has been missing in this space.”
The concept of an open source, CNCF-donated security platform exclusively targeted for Kubernetes is appealing. But more remains to be seen as to how this open source project is adopted, Torsten Volk, an analyst for Enterprise Management Associates (EMA), told The New Stack.
ARMO also now offers ARMO Platform, as an additional security layer on top of Kubescape. It provides what the company calls a “ready-made” security platform for Kubernetes for SaaS or on-premises deployments. It can be deployed on hosted Kubernetes platforms including Amazon’s Elastic Kubernetes Service (EKS), Microsoft’s Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Red Hat OpenShift and others.
Cogs and Wheels
Kubescape largely relies on Open Policy Agent to verify Kubernetes objects against a library of posture controls. According to Kubescape’s documentation, results are printed and can also be:
- Exported to JSON or junit XML.
- Rendered to HTML or PDF.
- Submitted to a cloud service.
Meanwhile, the company plans to open source a number of proprietary features, along with Kubescape’s backend code, during the coming quarters, Rozen told The New Stack. The features it plans to open source include widening the process of continuously monitoring the runtime elements and “making sure that they’re not being changed,” in the event of a memory attack, for example, he said.
Meanwhile, in order to win over developer, security and operation team members, Kubescape must be able to demonstrate it can seamlessly fit into their current way of working and enable all Kubernetes-related personas to benefit from security guardrails and best practices sourced from the Kubernetes community, Volk said. “This could finally give companies a leg up in the eternal race against the bad guys,” Volk said.
Kubescape users typically fall into two categories. At one end of the spectrum are large organizations that made the shift to cloud native but continue to maintain investments in other types of infrastructure outside of the Kubernetes sphere. The other end of the spectrum consists of recently created organizations that maintain “very dedicated Kubernetes environments,” Rozen said.
“The all-Kubernetes organizations, mainly consisting of small- to medium-sized companies, is our sweet spot to be honest at the moment,” Rozen said.