Kubernetes vulnerability scanning, a critical part of Kubernetes security, allows you to identify security gaps in a Kubernetes cluster and apply fixes. The remediation process might require updating container images, Kubernetes configurations, and workloads deployed in Kubernetes.
Various tools can scan open source components and container images to detect security vulnerabilities, helping you determine whether your Kubernetes configuration aligns with compliance and operational needs.
In this article:
The popularity of Kubernetes has made it the main framework for deploying applications and services in a cloud environment. Kubernetes vulnerabilities are thus an attractive target for attackers, so it is essential to monitor and identify malicious activity that seeks to exploit an exposed application or service.
Organizations must use continuous monitoring and scanning tools to identify security threats, configuration issues, and intrusions across all Kubernetes clusters. A container image is the core building block of a Kubernetes workload, but many organizations use insufficiently secure container images.
Various tools can help secure images at the build and runtime stages, including image scanners, policy enforcement, package and dependency scanners, and image inspection tools to detect vulnerabilities, malware, and unsafe configurations (e.g., plain text encryption keys or passwords).
Related content: Read our guide to Kubernetes vulnerabilities
Manual scanning is possible, but it is a highly time-consuming and inefficient technique for complex Kubernetes projects. You can automate scans to ensure regular, consistent scanning across all container images. Automation keeps the deployment process fast and agile, allowing you to introduce functionality easily.
You should implement Kubernetes vulnerability scanning at every stage of an application image’s lifecycle:
First, you should execute vulnerability scans as part of the build process. Like tests, you can run scans as steps in the development pipeline—if the system discovers a vulnerability, the build fails. The system does not store the vulnerable container image in the registry, eliminating the chance of the image vulnerability reaching production.
Security analysts constantly discover vulnerabilities in established software packages—some vulnerabilities will only become apparent after the build is complete. Most image registries allow you to regularly scan the stored images, usually using a built-in image scanner. This feature is easy to use—you flick a switch and view the image scan’s report in your console.
Next, you should automate image vulnerability scans before deploying each image. Kubernetes offers a convenient scanning approach by calling admission webhooks when you deploy new workloads. Solutions such as Open Policy Agent can determine if pods are ready to deploy. Alternatively, you can use a Lambda function to implement a webhook to validate pods based on your defined policies. Commercial policy management solutions are also available to ensure pods are safe before deployment.
Once an image passes all checks during the build, registry scanning, and deployment stages, it can run in the production environment. However, there are still opportunities for detecting vulnerabilities in a running workload. You can integrate vulnerability scanners and other security tools into your Kubernetes workflow to provide security insights via a unified interface.
Related content: Read our guide to Kubernetes security best practices
License: MIT License
Repo: https://github.com/zegl/kube-score
kube-score is a tool that performs static code analysis of Kubernetes definitions. It checks definitions against various security controls, letting you enable or disable controls as needed. This type of scanning is non-intrusive and considered harmless.
Another key advantage of kube-score is its emphasis on providing human-readable error messages that include helpful instructions for remediation to help improve security and reliability.
kube-score includes a free, web-based user interface (UI) for testing object definitions. You can use it by pasting a definition JSON or YAML file at kube-score.com to get a quick analysis.
License: MIT License
Repo: https://github.com/Shopify/kubeaudit
kubeaudit is an open-source cluster auditing tool developed by Shopify. This command-line-based tool validates Kubernetes clusters by checking for security misconfigurations and practices against various predefined controls.
kubeaudit is written in Go. You can easily install it on local machines using a single command. It offers various modes for auditing, including local, cluster, and manifest. This tool provides rich functionality to help resolve resource misconfigurations and test Kubernetes clusters’ security.
You can use kubeaudit to implement auditing for pods, containers, and namespaces using various built-in auditors or tests that assess these components. After this analysis, the tool suggests practices for container contexts like privilege escalation, insecure default configurations, read access to root file systems, and running applications as root.
The tool covers these contexts through a list of tests. All tests are documented, explained, and filterable at various security levels. It marks audit results with different severity levels, including error and warning, and provides information to help prioritize issues requiring immediate mitigation.
License: MIT License
Repo: https://github.com/octarinesec/kube-scan
Kube-Scan is a Kubernetes risk assessment tool by Octarine. It can scan Kubernetes clusters, providing a simple number that indicates a risk level for each workload—0 for low risk and 10 for high risk. When assessing risk, Kube-Scan considers availability, integrity, and confidentiality. You can run the tool from the command line. It also generates a UI to display its findings.
Kube-Scan works similarly to other vulnerability scanners, using recommended guidelines to determine a risk factor. It uses the Kubernetes Common Configuration Scoring System (KCCSS) framework, which focuses on security settings and configurations. You can expand the KCCSS list with your own rules.
License: Apache License 2.0
Repo: https://github.com/controlplaneio/kubesec
Kubesec is a risk analysis tool for Kubernetes provided under an open source license. It scans manifest configurations and validates them against predefined security criteria. Kubesec can find misconfigurations in pods or deployments. Once it detects issues, it assigns a risk score to align these issues with security best practices.
You can easily install Kubesec using kubectl, an admission controller, or a container image. The tool uses an open source control plane that runs the tool as a service over HTTPS. It can scan several YAML manifest configurations, including pods, resources, and deployments in one input, assessing them for various risks, such as privilege escalation and running containers as root. It assigns each vulnerability a severity score to help mitigate threats quickly.
Calico’s active security platform protects containers and Kubernetes during build, deploy and runtime with image scanning, vulnerability reporting, and automatic container deployment through admission policies. Using Calico, platform operators can:
Calico Image Assurance delivers a comprehensive list of the CVEs associated with images and prioritizes risks based on a customizable CVSS score. Calico Cloud allows users to create admission policies to allow, block or add exceptions for vulnerable images during the build pipeline. The runtime view of workload vulnerabilities provided by Calico helps developers patch and fix issues early in the CI/CD pipeline. This enables teams to effectively reduce the attack surface early in the application development process and improve the overall security posture of the application.
Next steps:
Get updates on blog posts, workshops, certification programs, new releases, and more!
