Tests are configured in YAML files, which makes them easy to update when the specification of a test changes. It runs checks for the following: non-root containers, immutable container filesystem, privileged containers, host PID and host IPC privileges, host network access, the allowedHostPaths field, protecting pod service account tokens, resource policies, control plane hardening, exposed dashboard, allowing privilege escalation, application credentials in configuration files, cluster-admin binding, exec into the container, and Linux hardening. It is based on Open Policy Agent’s engine and ARMO’s posture controls: the tool retrieves Kubernetes objects from an API server and evaluates Rego snippets from ARMO against them.
By default the results of the tests are printed in a “console friendly” format, but they can also be emitted as JSON for further processing.
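To make the checks listed above concrete, here is an added example, not Kubescape’s own code: a plain Python re-implementation of a subset of those controls (host PID/IPC/network, privileged containers, privilege escalation, non-root, immutable filesystem, service account token automount, hostPath volumes, resource limits) evaluated against two constructed Pod manifests, one weak and one hardened. Kubescape itself evaluates Rego policies with OPA against live objects fetched from the API server; the control names below are this example’s own labels, not Kubescape control IDs, and the manifests are in-memory dicts so the script runs offline. A small reporter mirrors the console-friendly versus JSON output choice.

```python
import json
from typing import Any, Dict, List

# Constructed sample: a pod that fails most of the checks (not a real workload).
WEAK_POD: Dict[str, Any] = {
    "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"privileged": True}}
        ],
    },
}

# Constructed sample: the same pod with the defaults tightened.
HARDENED_POD: Dict[str, Any] = {
    "metadata": {"name": "hardened"},
    "spec": {
        "hostPID": False, "hostIPC": False, "hostNetwork": False,
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},  # pod-level default
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"privileged": False,
                                 "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True},
             "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}
        ],
    },
}


def _containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Init containers are subject to the same controls as app containers."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the list of (example-specific) control labels the pod fails."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespace sharing exposes processes, IPC and the node's network.
    if spec.get("hostPID"):
        findings.append("host-pid")
    if spec.get("hostIPC"):
        findings.append("host-ipc")
    if spec.get("hostNetwork"):
        findings.append("host-network")
    # Kubernetes mounts the service account token unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append("sa-token-automount")
    # Any hostPath volume would need to be covered by an allowedHostPaths policy.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"host-path:{vol.get('name', '?')}")

    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged:{name}")
        # allowPrivilegeEscalation defaults to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"allow-privilege-escalation:{name}")
        # Container setting overrides the pod-level securityContext.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"non-root:{name}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"immutable-fs:{name}")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"resource-limits:{name}")
    return findings


def report(pods: List[Dict[str, Any]], as_json: bool = False) -> str:
    """Console-friendly text by default, or JSON for further processing."""
    results = {p["metadata"]["name"]: check_pod(p) for p in pods}
    if as_json:
        return json.dumps(results, indent=2)
    lines = []
    for name, findings in results.items():
        status = "PASS" if not findings else f"FAIL ({len(findings)} findings)"
        lines.append(f"{name}: {status}")
        lines.extend(f"  - {f}" for f in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report([WEAK_POD, HARDENED_POD]))
    print(report([WEAK_POD, HARDENED_POD], as_json=True))
```

The checks are deliberately strict about defaults (token automount and privilege escalation are on unless disabled), which is why the weak pod collects a finding for each even though its manifest never mentions them; this mirrors why posture tools flag omissions rather than only explicit bad settings.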
“Kubescape is an open-source project; we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops,” the maintainers of the project wrote on the project’s GitHub page.