Have you jumped on the Kubernetes bandwagon for deploying cloud-native applications? If so, I commend you – over 84% of organizations now leverage containers and Kubernetes for production applications.
However, while Kubernetes simplifies scalable deployments, it also creates ample room for security misconfigurations putting data and reliability at risk:
- Overly permissive pod privileges
- Unpatched container base images
- Secret exposure
- Weak network policies
These gaps frequently cause preventable security incidents. Just last year, an misconfigured Kubernetes dashboard led to the breach of personal data for 5 million+ users!
So how do we prevent similar failures among our own clusters? That‘s where Kubernetes vulnerability scanners come in…
Why You Need Ongoing Vulnerability Scans
Kubernetes environments are complex and dynamic, with containers, nodes, ingresses and more spinning up and down continuously. This fluidity makes it nearly impossible to manually track security.
That‘s why leading experts recommend automated scanning to proactively surface risks across Kubernetes deployments.
"Scanning at regular intervals is essential for securing Kubernetes clusters from issues like vulnerabilities in container images, overly permissive policies, and configuration errors across Kubernetes APIs." – Asra Ali, Director DevSecOps, Optum
Ongoing scans provide operational and security teams:
Faster identification of missteps: Instead of waiting for yearly audits, catch oversights early
Fix guidance: Scanner tools provide specific advice to resolve flagged vulnerabilities and gaps
Improved reliability: Discover risks that could cause future outages or denial-of-service
Regulatory readiness: Maintain audit trails showing compliance best practices are met
Clearly, Kubernetes scanning is now a must-have rather than nice-to-have.
Choosing a Kubernetes Vulnerability Scanner
The good news is numerous capable open source scanners are now available to secure Kubernetes environments.
When selecting tools, keep the following criteria in mind:
- Breadth of coverage – scans containers, hosts, policies, IaC code, etc
- Ease of deployment – ideally runs as a container
- Customizability – tuning scan types, frequencies, etc
- Reporting – integration with SIEMs, detail on risks
- Remediation guidance – specific fixes along with findings
Let‘s explore the top open source scanner options available based on these criteria:
![table]
Scanner | Discovery Capabilities | Ease of Use | Customizable Rules | Reporting Features | Remediation Guidance |
---|---|---|---|---|---|
Trivy | Images, IaC configs, Kubernetes | Installed via helm chart | Custom ignore rules | Interactive CLI output | Links to upgrade guides per vulnerability |
Kube Bench | Kubernetes controls validation | Configure with yaml file | Extendable yaml tests | JSON output | Fixes provided for failed controls |
Checkov | IaC configs across 20+ languages | Standalone or IDE plugin | Limited custom policies | JUnit XML, JSON, GitHub PR feedback | Links to docs for resolution |
MKIT | Kubernetes configs and security risks | Installed via Ansible | Limited customization | Web UI dashboard | General remediation tips |
Kubei | Containers, images, hosts, network | Helm chart installation | Highly configurable scan options | Web UI with cluster health visibility | Specific mitigation steps |
Kube Scan | Running Kubernetes workloads | Runs as pod inside clusters | Limited configuration | Web UI with risk scoring | Provides control validation links |
Kubeaudit | Live clusters or configuration files | Standalone binary or container | Custom auditors extend capability | Text-based output with risk levels | General remediation best practices |
Kubesec | Kubernetes YAML configuration risks | Standalone or kubectl plugin | Limited options | Interactive or JSON output | Provides related security practice links |
This mix of open source tools provides scanning to meet varying Kubernetes security needs. Let‘s explore them each further…
Trivy – Extensive Coverage Across Images, Configs and Clusters
Trivy delivers expansive vulnerability scanning for containers, Kubernetes, cloud infrastructure and policy configs by Aqua Security. With over 70 million downloads, it‘s arguably the most popular open source Kubernetes scanner.
It‘s lightning fast scanner is built using Go and supports many languages/frameworks out the box including:
- Ubuntu/Debian
- RHEL/CentOS
- Java/Maven
- Python
- JavaScript/Node.js
Highlights:
- Scans OS packages, libraries, container images, git repositories, Kubernetes manifests, cloud infrastructure config files
- Easy YAML configuration for rule customization
- Ideal for integration into CI/CD pipeline security checks
- Detailed CLI output with links to upgrade guidance per finding
For Kubernetes deployments specifically, Trivy discovers risks like:
- Vulnerable pod container images
- Overly permissive pod and service privileges
- Unpatched hosts running clusters and nodes
Use Trivy when you need expansive scanning across Kubernetes and the supporting infrastructure / software supply chain powering clusters.
Kube Bench – Audits Cluster Configurations Against CIS Controls
Kube Bench focuses specifically on testing Kubernetes configurations against best practice security controls defined by the Center for Internet Security.
It runs a battery of over 100 auditing tests covering items like:
- Role based access control limits
- Unsecured pod dashboards
- Proper host path bindings
- Authorization for API Access
These map to official CIS benchmark controls derived from industry consensus best practices.
Highlights:
- Covers multiple versions of Kubernetes
- Tests master nodes and worker nodes
- Configuration via YAML makes tests adaptable
- JSON output integrates into SIEM tools
- Fixes provided along with warnings
Use Kube Bench when benchmarking clusters against CIS standards for security and compliance requirements.
Checkov – Prevent Cloud Misconfigurations Early
Checkov inspects infrastructure-as-code templates and config files to catch security risks before provisioning. This helps developers and infrastructure teams fix insecure configs pre-deployment.
It scanning works across Terraform, CloudFormation, Kubernetes, Serverless, ARM Templates and more. Rules are based on standards like CIS Benchmarks, AWS Best Practices, CWE, and PCI DSS.
Under the covers, Checkov leverages Python to statically scan configs for over 500+ misconfiguration detection policies across cloud providers.
When run against Kubernetes deployments, Checkov uncovers risks like:
- Overly privileged containers
- Dangerous host path mounts
- Unrestricted network access
It surfaces these in CI/CD pipeline scan results, CLI output, or directly in the IDE while authors craft Kubernetes configs.
Highlights:
- 500+ built-in misconfiguration detection policies
- Scans Infrastructure-as-Code configs pre-deployment
- Integrates into CI/CD tooling
- Covers 20+ languages commonly used for IaC
Use Checkov early in the development pipeline for scanning Kubernetes configs and related infrastructure policies.
MKIT – Assess Managed Kubernetes Clusters
The Managed Kubernetes Inspection Tool (MKIT) helps users assess production-readiness and security of managed Kubernetes offerings like:
- Amazon Elastic Kubernetes Service (EKS)
- Azure Kubernetes Service (AKS)
- Google Kubernetes Engine (GKE)
It runs entirely without external network calls for air-gapped use. Scans focus on cluster configurations rather than containers or images.
MKIT flags issues like:
- Overly open network policies
- Unrestricted user access
- Related control plane services missteps
Highlights:
- Supports EKS, AKS and GKE managed Kubernetes
- Built on open source runtime security tools
- Web UI showing security warnings
- No external network connections
Use MKIT when wanting an easy assessment of managed Kubernetes cluster security postures, especially for Internet isolated environments.
Kubei – Continuous Runtime Cluster Security
While many tools above focus just on auditing, Kubei provides continuous runtime security covering workloads, network traffic, and user behavior analytics.
It instruments enviroments to monitor activity combined with agentless scans. Risks are surfaced through an intuitive web UI showing cluster health.
Core capabilities span:
- Runtime behavior anomaly detection
- Kubernetes auditing
- Continuous configuration checks
- Cluster integrity monitoring
This combination uncovers threats like:
- Malicious internal users/compromised accounts
- Data exfiltration attempts
- Container privilege escalations
Highlights:
- Scans containers, images, hosts, network configs
- Real-time visibility into cluster security posture
- Customizable risk scoring settings
- Backed by experts at PortShift
Enable Kubei when desiring robust runtime security visibility into Kubernetes behavior, integrity and compliance.
Kube Scan – Risk Ratings for Container Workloads
While many tools provide pass/fail assessment, Kube Scan goes further by applying risk scoring and ratings.
It draws on the KCCSS framework – the Kubernetes Common Configuration Scoring System:
![KCCSS Overview]
This covers 30+ configuration best practices and ranks severity on a scale of 1-10. Higher scores indicate deployments pose greater risk.
Kube Scan installs via helm chart and runs daily scans, providing:
- Risk scoring visibility per workload
- Historical trends across environments
- Failed control details
- Recommendations for hardening
Highlights:
- Quantifies security risks with scoring 1-10
- Web UI with details on ratings
- Daily automated rescans
- Open source standard for K8s risks
Use Kube Scan when desiring visibility into security posture via risk scoring rather than just passed/failed checks.
Kubeaudit – Auditing Against Security Best Practices
Kubeaudit serves a similar function as Kube Bench but with a few differentiators:
- Applies opinions – goes beyond just standards validation
- Audits live clusters in addition to configs
- Additional auditors can be added
- 3 severity levels for findings
It runs either as a container inside clusters or a standalone binary. Auditing tests span:
- General security hygiene
- Network segmentation risks
- Overly open access
Kubeaudit is ideal for confirmation that proper security best practices are followed before deployment.
Highlights:
- Checks clusters or just configurations
- Extensible custom auditors
- 3 severity levels for findings
- Focused on RBAC and PSPs
Use Kubeaudit when strong opinions and custom tests around security best practices are needed.
Kubesec – YAML Config Security Validation
Kubesec analyzes Kubernetes YAML files such as deployments to uncover misconfigurations before rollout. This prevents developers from introducing preventable risks early.
It functions either as a standalone service or integrates into CI pipelines and Kubernetes directly via admission controller webhooks.
Policies scan for over 50 security risks including:
- Privilege escalations
- Sensitive mount exploits
- Unrestricted network access
Kubesec stands outs with its lightweight yet powerful YAML scanning capabilities.
Highlights:
- Scans Kubernetes YAML configs pre-deployment
- Covers pod security, network policies and more
- Standalone, CI/CD or admission controller use
- Developed by leading expert Liz Rice
Use Kubesec to shift security left by scanning YAML policies early before production rollout.
Enabling Comprehensive Kubernetes Security Scanning
This overview outlines the top open source vulnerability scanners purpose-built for securing Kubernetes environments. Each brings unique capabilities spanning:
- Configuration validation
- Runtime security monitoring
- Risk quantification
- Remediation guidance
However, while scanning tools provide invaluable automated assessment, technology alone is insufficient – you must incorporate them properly into lifecycle workflows.
Here are 3 best practices that leading organizations use to maximize scanner value:
1. Multi-Target Scanning – Scan containers AND infrastructure as code AND cloud configs together rather than just Kubernetes in isolation. This provides contextual risk insights.
2. Risk Prioritization – Use scanning tools that quantify and score risks to focus remediation on the vulnerabilities likliest to be exploited.
3. Broad Integration – Embed scanning from build through runtime production monitoring for continual assessments and policy enforcement.
I hope this breakdown has been helpful in determining how to integrate world class open source scanning capabilities into your Kubernetes security strategy.
What approaches have you found most effective? I welcome you to share your experiences and own lessons learned!