The popular open-source platform Kubescape by ARMO has been recently announced as a fully managed operator called a Charm for Canonical’s Charmed Kubernetes distribution. This collaboration between Canonical and ARMO is exciting for the solution it enables for end users, ultimately resulting in hardened and more secure Kubernetes environments.
A need for cloud-native security
According to the Cloud Native Computing Foundation’s 2021 annual report, 79% of organisations are now utilising a certified Kubernetes platform to manage their container workloads. This growth is only set to continue as ContainerD, a key open-source technology for running containers saw a 500% increase in adoption. However, with a rapid increase in use come challenges in maintaining a strong security posture, whilst educating on misconfiguration and vulnerability mitigation.
Partnering together, Canonical’s Charmed Kubernetes and Kubescape, look to provide a first-rate Charm for individuals and organisations who want to take control of their cluster-wide security proactively. When combined together, Canonical Kubernetes and Kubecape provide a first-rate security solution for ensuring workloads are run safely.
Starting life in August 2021, Kubescape is an open-source Kubernetes and CI/CD security platform providing a multi-cloud single pane of glass for risk analysis, security compliance, RBAC visualiser, image vulnerability scanning and CICD security.
Kubescape scans K8s clusters, manifest files, code repositories, container image registries, worker nodes and API servers. It has capabilities for detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, CIS, MITRE ATT&CK and more), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
For those looking to adopt Kubescape at enterprise, ARMO provides an enterprise-grade solution that can offer additional features and support.
Charmed Kubernetes is a CNCF conformant distribution of Kubernetes that centres around model-driven, lifecycle-managed applications through Juju. It boasts carrier-grade hardware acceleration features and a suite of interoperable charms for CNI, CRI, CSI and CMI. Perfect for the enterprise, Charmed Kubernetes adheres to multiple security standards including CIS and as of 2023 FIPS.
Leveraging other open-source technologies maintained and curated by Canonical, Charmed Kubernetes enables users to operate independently of their public cloud, ensuring that they have access to out-of-the-box integrations but none of the vendor lock-in commonly associated with public cloud providers. When complemented with Ubuntu as the host operating system and kernel live patching, the Charmed Kubernetes story is extremely compelling for operators who want peace of mind that the infrastructure they are deploying workloads to is not only secure at installation but is continuously updated as new vulnerabilities are discovered and patched.
Common use cases
According to a recent Gartner report, by 2025 more than 99% of cloud breaches will have a root cause with customer misconfiguration. These mistakes open up opportunities for bad actors to leverage attack surfaces on systems that have not been sufficiently secured. Without any form of system hardening, this can lead to data loss, system subversion and other malicious activities.
As such, hardening systems through automated tooling has become not only a practice adopted by security professionals on occasion but a continuous activity to ensure that components are locked down as much as possible. This is amplified when combining Kubernetes and host operating systems as it comprises two levels of substrate that need their access and relationship with each other monitored and controlled.
Many organisations strive to achieve compliance standards such as SOC2 or ISO27001.
With these standards comes rigorous risk assessment and safeguard implementation that typically would apply to all levels of infrastructure. Kubernetes presents a new challenge as maturing standards not only combine controls with existing infrastructure but create new safeguards that need to be required when combining multiple systems together.
Identifying and remediating these issues is time-consuming and often a manual process, tooling such as Kubescape looks to make that journey easier by identifying controls within Kubernetes and assisting a practitioner to target and remediate those that are necessary for the compliance standard.
Installation and operation
Kubescape for Charmed Kubernetes is offered as an operator that manages a collection of in-cluster components, packaged as a Charm. To install the Charm and take advantage of all the security benefits that Kubescape brings to the table, a user would need to sign up for ARMO Cloud for Kubescape and connect the Kubescape Charm to their account in the Cloud.
First, a user should log into their ARMO Cloud account, then click on the Account icon and copy the ID. Once they have the ID copied, the next step is installing the Charm into the cluster.
To install the Charm, our user would need a working Juju CLI installation. Once Juju is set up, running, and connected to the cloud of your choice, Kubescape can be installed by running the following command:
juju add-model kubescape juju deploy --trust kubescape --config clusterName=`kubectl config current-context` --config account=<YOUR_CLOUD_ACCOUNT_ID>
This command will deploy the Kubescape Charm inside the user’s cluster, and give it the name of the current
kubectlcontext and associate the named cluster with the given account ID.
Once the Kubescape charm is up and running, it will scan the cluster, upload the results and display them on the user’s ARMO Cloud dashboard. From this point on, the user can inspect the dashboard to assess the security risk scores as calculated by supported frameworks and see risk trends over time. They can also jump into the details to review the detected security issues together with the fixes Kubescape suggests, and any software vulnerabilities that Kubescape has found in the deployed artefacts. Moreover, ARMO Cloud for Kubescape provides the ability to examine the visual representation of the cluster’s RBAC rules, so the user can detect and address authorisation misconfigurations easier.