From YouTube: CIS Kubernetes Benchmarks with Kubescape
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from April 17-21, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Hello everyone, and thank you very much for joining us today on the CNCF webinar. My name is Gal and I'm a product manager at ARMO, the maintainer of Kubescape, and today we're going to talk about one of our latest releases, the CIS Benchmark framework. This is a feature which is a direct response to requests that we received from Kubescape's community. Kubescape can automatically scan clusters and repositories against the CIS (Center for Internet Security) Benchmark, and Kubescape is able to identify compliance gaps and suggest remediations, and we also monitor for any drifts.
The CIS Kubernetes Benchmark is one of the leading frameworks used for compliance, and probably one of the most comprehensive security frameworks for Kubernetes, and this is why it's the security standard for many organizations and compliance implementations like SOC 2, HIPAA, PCI DSS, SRG and NIST. Now, let's have a quick overview of Kubescape for those of you who aren't familiar with it yet. Kubescape is one of its kind: an end-to-end open source Kubernetes security platform.
It offers managed and unmanaged Kubernetes security risk analysis, and it's doing so by using misconfiguration scanning of your YAML files, your Helm charts, your local folders, clusters, remote repositories, worker nodes and even your API server. Now, Kubescape is also able to detect CVEs in your clusters, workloads or even your remote image registries, and we also offer IDE and third-party app integrations to top it all.
And that's it: it's installed and can be operated with your clusters, and you can also use the Kubescape operator to have your environment scanned continuously. Kubescape accompanies the software development lifecycle from dev to production and helps you overcome the complexity of Kubernetes security. Kubescape offers built-in frameworks, which are collections of controls that we test against your environment, and we created a new framework containing all the CIS Benchmark related controls. So you can run it easily with a single line of command and don't have to worry about it. It's done automatically.
You can even create your own custom frameworks with the controls that you think fit your environment best. In order to scan your cluster against the CIS Benchmark, I will run the following command, which is kubescape scan. I will mention the framework, which is CIS, and using the submit flag I will be able to view my results later in Kubescape Cloud, which we'll see in a minute.
Now, let's head over to Kubescape Cloud. Before we check the results of our latest scan, I want to show you a little bit of Kubescape. This is the dashboard. You can see your clusters, your trend over time, the top five CVEs and the top five controls that failed across your clusters, based on your latest scan, and it's a multi-cluster environment, so you can choose your cluster and where you want to work. The next thing that I want to show you is image scanning.
Looking here, you can see all the images that Kubescape found on my environment. I can filter based on severities, or on whether it has a fix, or RCE, and if I drill down into one of those I see the complete list of all the CVEs that were found on this image. And because we know that this amount of CVEs is not something that is handleable, we allow you to filter the important ones, so just filter according to what has a fix and what is RCE, remote code execution. If it's an RCE CVE, then an attacker can exploit it remotely, and this is something very important to deal with first. So after filtering, you can see that we are down to seven. Seven CVEs is something that is more handleable, and of course we show you the CVE name, the component it was found on, the version that component had, the severity of course, and again the important things are whether it has a fix, which version it was fixed in, and whether it is an RCE or not.

Now, heading over to repository scan: Kubescape is designed to help you detect misconfigurations at any stage of the software development life cycle, and Kubescape can be integrated with various DevOps and CI tools.
If you look right here, I just clicked on one of the repositories that I scanned before. I can see the folders and the file names in this repository, and I also have a link directly to there. I see the file type and, again, the most important thing is the controls that failed on this repository, so I can just click on one of them and get the full results, including history, who made the commit, the hash and everything, and now I have all the information I need to fix this issue.
We will be back in this view in just a minute. Meanwhile, let's talk about registry scanning. Remember that we talked about the image scanning in your cluster. The image registry scanning allows you to scan your images on your registries, private registries or public registries like docker.io and quay.io, even before the images are deployed on a running cluster, right? You know the process: you take an image, you add your own dependencies and code, you tag it.
So you don't have to deploy a workload or even write a single line of a YAML file in order to get a list of potential vulnerabilities even earlier in the development process, or you can even assess a potential risk when using public images, preventing the vulnerabilities from reaching your clusters, or your deployments or, of course, your production environment. Before I show you the CIS results that we just scanned earlier, I want to show the RBAC visualizer.
Now, this is an RBAC visualizer of my environment, of my cluster. I can zoom in, zoom out, I can play around with all the nodes in this graph, and I can just ask questions using the built-in queries, like who are my cluster admins, or show me all the unassigned roles which are probably wandering around in my system for so long and no one clears them. I can also investigate. Let's talk about the storage provisioner, the storage version: so we have a user here.
This is the name of the user, and I can just say: show me all the roles that this user is related to. You know what, show me also all the resources this user is related to, and let's lay out by type. Oh, that's very clear right now. This is very easy to read, right? You can see the user, you can see all these cluster roles and you can see all the resources that this user may act on.
And it's that easy: I get the results and I see everyone that can view my secrets. Now, I did mention the custom frameworks earlier. So if we navigate to the system page, to the settings page, and we go to the frameworks section, you can find the pre-made frameworks that we already prepared for you, based on the NSA and the MITRE guidelines and also our own best practices. But now we are talking about the CIS Benchmark.
Now, let's head over to the configuration scanning page, where we will be able to see the results of the scan that we did earlier. As I mentioned before, this is a multi-cluster environment, so you get a full list of your clusters, and again the trend over time is important. You want to see and understand how your work impacts the risk score for that cluster, so I will drill down into this cluster.
You can see right here that the results are organized in the same subsection order as the CIS Benchmark, so I can drill down into policies, for instance the general policies, and just choose one, and now you see the results: you see the namespace the resource is connected to, of course the kind and the name, so I can just click on this wrench and see the assisted remediation. Kubescape offers an assisted remediation to help you understand where the issue is, what the issue is and how to fix it.
So if I go to line 41 and just click here, you see that, according to the CIS Benchmark, this line should be added to the YAML file. Now I can also share this issue right from here to Jira or Slack. I can just choose the best DevOps team ever, and they get all the information they need in order to fix the issue right in their Slack channel.
If we go back to the configuration scanning, I can also share from here the entire list of resources, and that's what I wanted to show you today. Now, there's a lot more to say and show about Kubescape, so I encourage you to try it out and see how easy it is to scan, to fix, and to make your environment compliant. You can join our communities on GitHub and on our Discord channels and be part of Kubescape.