Kubescape is a tool for testing if Kubernetes is deployed securely. It uses the Kubernetes Hardening Guidance released by the NSA and CISA to do this.
Tests are configured in YAWL files, which makes it easy to update when specifications for tests change.
It runs tests on the following things: non-root containers, immutable container filesystem, privileged containers, hostPID and hostIPC privileges, hostNetwork access, allowedHostPaths field, protecting pod service account tokens, resource policies, control plane hardening, exposed dashboard, allow privilege escalation, applications credentials in configuration files, cluster-admin binding, exec into container, and Linux hardening.
It is based on Open Policy Agent’s engine and ARMO’s posture controls. According to the project’s maintainers, it works by retrieving Kubernetes objects from an API server and running regos snippets from ARMO against them.
The results of the tests get printed in a “console friendly” manner by default, but they also can be retrieved in JSON format for further processing.
“Kubescape is an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops,” the maintainers of the project wrote on the project’s GitHub page.