Kubesec by Control Plane for Kubernetes Static Analysis

Kubesec is a tool that scans your static workload manifests and reports the improvements that can be made to harden them. Being aware of those findings is one step towards increasing your security posture.

For this example we will consume the service over HTTPS, since I had a few issues running the binary in my WSL integration setup.

As we can see here, we are declaring a YAML file that pulls a sample image from the gcr.io repository. We will scan it and look at the output with the following command:

curl -sSX POST --data-binary @"deployment.yaml" https://v2.kubesec.io/scan

Our output should look something like this:

So what does all this JSON output mean? It gives you a numerical score indicating whether the workload is ready to be deployed securely. As we can see, the deployment.yaml file shown above isn’t in the best shape, with a score of -7.

What is critical that we should focus on?

For this example I deliberately set allow privilege escalation to true. This should always be set to false, and it makes up the majority of the score hurting us for this specific YAML file.

Next we move into the “advise” section.

As we can see, each entry annotates the specific reason along with the JSON path it applies to, which helps us decide what to do with the information.

For more information in a readable format outside of JSON, I refer back to the following URL:

https://kubesec.io/basics/containers-securitycontext-privileged-true/

Control Plane provides documentation explaining the check and the reasoning behind it, along with supporting documentation on how to remediate the finding.

kubesec.io directory

To test the correction for privilege escalation, I’ll go back to the YAML file in my editor and set the value to false.

After rerunning the scan with the changed value, we can see our score changes as the output below shows. Of course we still have the advise entries on CPU and memory limits, using a Service Account (least privilege), and a few others notable throughout this output.

So how does this fit into your cloud native security? Effective guard rails that stop deployments with elevated privileges or misconfigurations from reaching production are a step in securing the supply chain and ensuring you have policies in place.
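As an added example (not code from this post or from the Kubesec project), the following Python script summarizes a Kubesec v2 report like the one returned by the curl command above and applies it as a score gate of the kind described here. It assumes the v2 response shape (an array of objects with "score" and "scoring" containing "critical" and "advise" lists); the embedded report is a constructed sample, and scan_manifest is an assumed helper that needs network access.

```python
"""Parse Kubesec v2 scan output and apply a score gate (added example, not Kubesec's code)."""
import json
import urllib.request

KUBESEC_URL = "https://v2.kubesec.io/scan"

# Constructed sample in the shape of a Kubesec v2 response; the strings are illustrative.
SAMPLE_REPORT = json.dumps([{
    "object": "Deployment/example.default", "valid": True, "fileName": "deployment.yaml",
    "message": "Failed with a score of -7 points", "score": -7,
    "scoring": {
        "critical": [{"id": "AllowPrivilegeEscalation", "points": -7,
                      "selector": "containers[] .securityContext .allowPrivilegeEscalation == true",
                      "reason": "Ensure a non-root process can not gain more privileges"}],
        "advise": [{"id": "LimitsCPU", "points": 1, "selector": "containers[] .resources .limits .cpu",
                    "reason": "Enforcing CPU limits prevents DOS via resource exhaustion"},
                   {"id": "ServiceAccountName", "points": 3, "selector": ".spec .serviceAccountName",
                    "reason": "Service accounts restrict Kubernetes API access"}],
    },
}])


def scan_manifest(path, url=KUBESEC_URL):
    """POST a manifest to the Kubesec API (same request as the curl command above); needs network."""
    with open(path, "rb") as fh:
        req = urllib.request.Request(url, data=fh.read(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def summarize(report_json):
    """Per scanned object: score, critical finding ids, and advise entries ordered by points gained."""
    summary = []
    for obj in json.loads(report_json):
        scoring = obj.get("scoring", {})
        advise = sorted(scoring.get("advise", []), key=lambda a: a["points"], reverse=True)
        summary.append({
            "object": obj["object"],
            "score": obj["score"],
            "critical": [c["id"] for c in scoring.get("critical", [])],
            "advise": [(a["id"], a["selector"]) for a in advise],
        })
    return summary


def gate(report_json, min_score=0):
    """Guard rail for a pipeline: block if any object has a critical finding or scores below min_score."""
    return all(not s["critical"] and s["score"] >= min_score for s in summarize(report_json))
```

Calling gate(scan_manifest("deployment.yaml")) in a CI step and failing the build on False is one way to turn the scan into the guard rail described above.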

The cloud native ecosystem is large, and this is one of the open-source tools provided by controlplane.io. In the next posts I will explore this subject further, to make you aware of how security is applied to workloads.