Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan

Armo Releases Kubescape K8s Security Testing Tool: Q&A with VP Jonathan Kaftzan

This item in japanese


Armo announced the release of Kubescape last month, a tool for testing if a Kubernetes environment is secure according to the Kubernetes hardening guidance published by the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA).

Kubescape helps engineers assess the security posture of a Kubernetes environment by looking at non-root containers, privileged containers, hostNetwork access, anonymous requests, and more.

The results of the scan are presented in a command-line table or JSON format, showing the different areas of misconfigurations that might be exploited.


Courtesy of Armo

InfoQ interviewed Jonathan Kaftzan, VP of marketing at Armo. He stated that the team at Armo has been developing solutions for Kubernetes for quite some time, and when the technical report was published they saw straight away that the proposed approach was similar to the best practices Armo has been offering.

InfoQ: Why did you decide to release Kubescape and contribute it to the community?

Jonathan Kaftzan: We have decided to release part of our technology under an open-source license and contribute it to the community as an out of the box, easy to deploy, and configure tool that will carry out the Kubernetes hardening guidance posture validation, allow the community to evolve, develop its controls, and contribute their knowledge. The report is great because it offers practical guidance to administrators to manage Kubernetes securely by focusing on the common source of a compromised environment.

InfoQ: Are there any plans to support different tests?

Kaftzan: Yes. We keep adding and enhancing Kubescape all the time. Since it's an open-source project, everyone can contribute and add to it. We get so many ideas and suggestions from the community and we are very happy about that.

Since we launched Kubescape we have already added some significant new features and capabilities including the ability to:

  • Scan YAML files and HELM charts directly without having a cluster. Now, engineers can scan misconfigurations as soon as they commit their Kubernetes manifest files
  • Test if a Kubernetes cluster is exposed to particularly high severity vulnerabilities
  • View history of scans and risk trends via a GUI

We are planning to add more security frameworks as well in the future so it won’t be only based on the NSA & CIS guidance. The user will be able to decide which security framework he or she wants to use for testing.

At KubeCon next month, we are going to make an announcement about it. Also, We are going to enable users to define and build their framework based on their own needs and requirements.

InfoQ: How easily can Kubescape be integrated into CI/CD pipelines?

Kaftzan: Very easy. Users can integrate Kubescape into DevOps tools like Jenkins, CricleCI, and Github workflows. We intend to make Kubescape an integral part of the CI/CD pipeline to make sure DevOps and Kubernetes engineers build and operate secure environments.

InfoQ: Can you talk about the plans for Kubescape?

Kaftzan: We want to add more features like finding weak secrets and hope to see Kubescape become a widely used tool by DevOps and Kubernetes engineers. We hope the community will help us develop it and make it better and more robust over time.

Kubescape fetches the Kubernetes objects (deployments, services,...etc) from the Kubernetes API Server and scans them using the Open Policy Agent (OPA) against a predefined set of policies developed by Armo and written in Rego, the policy language for OPA.

More info on the Kubescape release can be found on the project’s GitHub webpage.

Rate this Article


Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p