►
From YouTube: Kubescape roadmap
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
A
A
Looking
at
what
risks
people
are
most
worried
about,
the
highest
number
were
people
worried
about
misconfigurations
or
exposures
in
their
environment,
followed
by
vulnerabilities
and
only
then
actual
outside
attacks
that
tracks
to
what
people
have
actually
seen
in
the
last
12
months,
Red
Hat
survey
says
that
53
percent
of
its
respondents
had
detected
a
misconfiguration
in
their
environment.
The
course
of
security
law
38
had
a
major
vulnerability
that
they
needed
to
remediate.
A
A
A
Citing
some
foundational
research
in
the
industry,
the
tag
security
white
paper
says
that
85
percent
of
defects
are
introduced
during
coding,
with
a
cost
of
41
to
fix
at
that
point,
compared
to
a
post-release
fixed
cost
of
26
542
dollars.
Let's
try
and
catch
those
vulnerabilities
early
shall
we
so
hopefully
I've
scary-numbered
you
into
thinking
that
you
need
to
do
something.
How
should
we
think
about
security
for
kubernetes?
A
Well,
we
turn
to
the
documentation
and
it
talks
about
four
C's.
We
need
to
consider
code,
container,
cluster
and
cloud
or
co-location
provided
or
Central
it
team,
if
you
like,
these,
all
build
on
top
of
each
other
in
a
very
specific
fashion.
If
your
cloud
is
compromised,
there's
no
amount
of
security.
You
can
add
to
your
code
to
help
protect.
You.
Clouds
have
many
more
services
and
concerns
than
just
the
ones
of
a
kubernetes
environment.
A
So
for
now
we
simply
have
to
accept
part
of
the
shared
responsibility
model
and
say
we
have
trust
in
our
vendor.
But
the
cloud
vendor
doesn't
know
what
you're
running.
Unless
you
install
some
sort
of
agent
to
tell
it,
and
in
general
they
don't
want
to
be
responsible
for
what
you
are
running
or
how
you
have
configured
it.
A
Let's
then
look
at
code
there
have
been
books
written
on
how
to
write
good
code.
There's
a
sea
change
happening
in
the
industry
at
the
moment
in
terms
of
memory
safe
languages,
which
I
will
glibly
summarize
as
rewrite
it
in
Rust,
But,
ultimately,
you're
going
to
have
to
do
your
own
work
to
make
sure
your
software
is
secure.
A
What,
then,
is
the
software
supply
chain?
Well
I
like
to
think
about?
It
is
the
gaps
between
the
boxes,
specifically
by
what
process
is
code
taken
and
made
into
a
container
or
by
what
process
are
containers
taken
and
instantiated
to
run
on
the
cluster
and
we'll
look
at
that
a
little
bit
more
later,
so
back
to
our
four
C's,
we
are
predominantly
concerned
about
the
container
and
the
cluster,
what
we're
going
to
run
and
how
we
are
going
to
run
it.
A
What
we're
going
to
run
is
reasonably
self-explanatory.
Code
has
dependencies,
those
dependencies
have
occasional
vulnerabilities.
Those
are
documented
on
the
common
vulnerabilities
and
exposures
list,
cve,
with
coordinated
disclosure
being
performed,
how
we're
going
to
run
it
relates
to
the
thing
people
are.
Scared
of
kubernetes
is
basically
its
own
operating
system,
with
many
different
options
to
trip
you
up.
The
thing
that
makes
kubernetes
different
to
a
pairs
is
the
fact
that
you
must,
or
at
least
can
make
all
the
decisions
yourself,
what
sort
of
storage,
what
network
configuration,
what
permissions,
etc,
etc.
A
You
submit
these
in
the
Manifest
synonymous
with
its
data
format,
yaml,
and
then
you
hope
you
didn't
make
a
mistake.
Our
first
move
needs
to
be
to
put
in
some
guard
rails
to
stop
people
making
mistakes.
This
is
a
quote
from
the
tag
security,
Cloud
native
white
paper,
saying
it
is
vital
to
scan
application,
manifests
in
the
deployment
pipeline
to
identify
things
that
could
potentially
result
in
an
insecure
deployment
posture.
A
A
You
can't
just
compare
everything
against
the
checklist
and
say:
I
am
secure
or
I
am
not,
but
that
doesn't
mean
that
such
checklists
aren't
helpful.
The
good
news
is
that
there
are
a
number
of
government
agencies
and
non-profits
that
have
developed
benchmarks
or
Frameworks,
which
you
can
measure
yourself
against.
You
can
use
these
Frameworks
in
a
couple
of
different
ways.
A
As
sets
of
tests,
you
might
want
to
run
against
a
cluster
to
check
you
have
a
good
security
posture
or
to
validate
to
some
external
compliance
team
that
you
are
running
your
infrastructure
in
an
acceptable
way.
None
of
them
are
law
but
they're.
A
good
Baseline
take,
for
example,
the
kubernetes
hardening
guidance
developed
by
the
United
States,
NSA
and
cisa
in
2021.
A
It
introduces
a
threat
model
talking
about
three
possible
sources
of
compromise
supply
chain
risks,
malicious
threat,
actors
and
Insider
threats.
It
then
spells
out
things
that
you
should
be
doing
as
mitigations
to
those
common
threads.
Some
are
configuration
knobs
that
should
be
set
in
a
certain
way.
Some
are
best
practices
for
the
configuration
of
workloads
and
some
are
cluster
settings
that
will
allow
you
to
limit
attack
surfaces
and
help
diagnose
the
problem
if
you
ever
are
intact.
A
The
first
way
that
most
people
interact
with
cubescape
is
through
the
command
line,
tool
of
the
same
name
that
takes
his
input.
The
control
Library,
which
it
will
download
to
make
sure,
is
most
up
to
date
when
it
runs
and
it
can
be
run
against
yaml
files.
Helm
charts,
a
running
kubernetes
cluster
or
a
git
repository
that
contains
manifests
output
can
either
be
directly
to
the
terminal
in
useful
formats
like
XML
or
Json
locally,
or
submitted
to
a
back-end
service.
A
There
we
go
that's
as
easy
as
that:
you'll
notice
that
there
were
some
things
that
we
were
unable
to
scan
here,
because
we
did
not
install
the
host
scanner.
There
are
some
things
we
can't
get
from
the
kubernetes
API
server.
We
actually
need
to
run
an
agent
on
the
host
to
query
some
of
the
state
of
the
machines
so
to
install
that
we
simply
run
with
dash
dash
enable
post
scan.
A
A
Previously
we
had
some
vulnerabilities,
which
would
have
been
critical
had
they
failed
and
wasn't
able
to
check
those
with
the
host
scanner
installed.
It
is
able
to
say
that
everything's,
okay
and
those
are
no
longer
a
concerned
here
on
the
screen.
You
can
see
the
URL
to
copy
and
paste
to
view
this
data
on
the
ammo
platform.
A
Armo
platform
is
a
hosted
version
of
cubescape's
cloud
components
which
allow
you
to
not
only
view
your
security
information
but
Define
your
Frameworks
and
policies,
Define
exceptions
and
configurations
for
them
and
make
them
available
to
cubescape
wherever
it's
being
run.
Ammo
platform
is
a
SAS
service
available
for
free
up
to
10
worker
nodes
and
with
plans
available
beyond
that,
we
intend
to
open
source
this
and
have
it
be
available
as
the
cubescape
cloud
backend
for
everybody
later
this
year.
A
Let's
have
a
look
in
our
cluster
now
scan
results.
Uploaded
here
are
visible,
showing
us
all
of
the
same
controls
and
information
we
saw
previously,
but
also
allowing
us
to
easily
view
the
parts
that
need
remediating
the
severity
of
them
and
understand
which
ones
we
need
to
address
first
and
the
fixes
required.
A
A
They
are
part
of
the
docker
desktop
setup
that
we're
running,
but
they
are
not
correctly
configured
as
far
as
the
framework
is
concerned,
clicking
the
spanner
allows
me
to
open
the
remediation
view
where
I'm
able
to
see
the
definition
of
the
kubernetes
objects
also
see
the
places
where
it
suggests.
I
need
to
perform
a
remediation
in
this
case
here,
I
would
need
to
set
a
limit
for
CPU
in
memory
for
this
particular
pod.
A
A
Most
users
will
want
to
run
cubescape
in
their
cluster
so
that
it
is
continuously
scanned
and
security
posture
information
can
be
uploaded
to
cubescape
Cloud.
To
do
that,
you
install
a
Helm
chart
with
the
add
cluster
button.
Here
you
can
see
the
information
that's
required.
You
simply
install
the
cubescape
helm,
chart
and
configure
it
with
your
account
identity
in
order
to
connect
the
two
together
in
this
case,
you'll,
see
that
we
have
a
cluster
here
named
Docker
desktop
that
meant.
A
However,
you
have
the
helm
components
installed
in
your
cluster.
Having
them
gives
you
access
to
cubescape's
vulnerability
scanner,
it
will
scan
all
the
containers
that
are
deployed
in
your
cluster
and
upload
their
cve
data
to
the
cubescape
backend,
where
you
can
visualize
it.
We
can
see
vulnerabilities
over
time,
excluding
of
course,
that
this
is
a
Docker
desktop
cluster
and
it
gets
turned
off
occasionally,
and
you
can
also
see
vulnerabilities
broken
down
by
their
criticality,
whether
or
not
they're
a
remote
code
execution
vulnerability
and
whether
or
not
there
is
a
fix
available
for
them.
A
Let's
have
a
look,
for
example,
at
one
of
our
critical
vulnerabilities,
the
recommendation
service.
There
are
two
critical
vulnerabilities
here,
but
only
one
of
them
shows
up
as
having
a
fix.
So
if
we
remove
the
filter
here,
it
will
see
both
of
these,
and
we
can
also
use
cubescape's
exception
or
ignore
rules
feature
whereby
we
say
we've
looked
at
this
particular
vulnerability.
We
know
it
doesn't
apply
to
us
and
we
don't
want
to
be
notified
about
it
again.
A
A
Here's
something
new
we're
working
on
to
help
people
understand
which
vulnerabilities
matter
and
which
are
just
noise
sniffer,
is
a
POC
project
which
will
filter
out
irrelevant
vulnerabilities
from
cubescape
scan
results.
What
we
do
is
watch
what
a
container
actually
does
for
a
short
period
of
time
when
it
starts
up,
and
then
from
that
point
we
can
evaluate
whether
the
files
on
the
disk
that
it
doesn't
touch
are
likely
to
be
relevant.
A
We
can't
rule
them
out
completely,
of
course,
but
we
can
say
in
this
case
of
the
76
potential
vulnerabilities
here
are
the
12
that
are
actually
in
code
that
the
container
used
while
we're
observing
it.
The
evaluation
is
done
with
ebpf
we're
currently
experimenting
with
engines
like
Falco
and
psyllium,
and
we're
looking
forward
to
bringing
this
to
be
part
of
the
cubescape
product
very
soon.
A
And
here
we
go,
it
has
provided
a
Remediation
in
the
case
that
there
are
more
than
four
replicas
reduce
the
number
of
replicas
to
four
or
less.
It
has
provided
the
Rego
code
snippet,
which
will
test
and
then
fail
in
the
event
that
replicas
are
more
than
four,
and
now
we
can
download
this
control
file.
A
A
There
you
can
see
the
resource
has
indeed
failed
and
we
are
100
at
risk.
Something
else
you
may
notice
here
is
that
there
is
integration
with
cubescape
in
Visual
Studio
code,
for
example.
We
can
look
here
at
the
image
flag
and
it
says
that
there
is
a
control.
Indeed,
a
CIS
control,
which
says
minimize
container
Registries
to
those
who
are
approved.
A
Here's
something
else
that
we're
cooking
up
in
cubescape
Labs
at
the
moment,
support
for
a
new
kubernetes
feature
today
to
do
admission,
control
and
kubernetes.
You
have
to
run
an
external
webhook
that
now
becomes
part
of
the
infrastructure
that
you
must
operate,
maintain
upgrade
Etc.
If
your
web
Hook
is
down
the
control,
plane
is
unavailable
either
by
way
of
allowing
anything
to
be
admitted
which
is
insecure
or
allowing
nothing
to
be
admitted.
A
Here
is
a
rule,
that's
quite
similar
to
one
we
looked
at
before.
Let's
say
we
don't
want
to
have
more
than
five
replicas
in
a
particular
deployment.
We
can
Define
that
in
the
Cel
and
upload
it
to
the
cluster
as
a
validating
admission
policy,
we've
converted
a
number
of
our
existing
controls
to
Cel
so
that
you
can
use
them
with
the
validating
admission
controller
feature.
A
These
are
scans
that
you
would
currently
do
on
your
cluster
to
see
if
you
have
insecure
objects
and
you'll
now
be
able
to
use
them
to
actually
stop
insecure
objects
being
deployed
to
your
cluster.
We
look
forward
to
working
with
the
kubernetes
team
on
bringing
this
feature
through
to
availability.
Later
in
the
year
last
December
we
were
accepted
into
the
cncf
sandbox
as
the
First
Security
and
compliance
scanning
project.
A
We're
in
some
pretty
esteemed
company
when
it
comes
to
security
tooling,
but
all
the
other
vendors
seem
to
want
to
have
a
proprietary
platform
for
security.
Perhaps
with
some
open
source
cluster
tooling,
we
want
to
be
open
source
end
to
end,
which
is
why
I
joined
ammo.
We
have
to
separate
out
a
bunch
of
the
cubescape
backend
from
other
ammo
codes
and
Integrations.
We
use
and
build
a
version
that
you
can
install
in
your
own
cluster
and
in
a
few
months
time
we
will
have
fulfilled
our
promise.
A
A
We
mentioned
software
supply
chain
before
the
cubescape
team
wants
to
help
users
make
sure
they
are
using
the
right
container
images
in
their
environments.
So
we
released
the
capability
to
verify
container
image
signatures.
We
can
now
verify
against
a
list
of
trusted
public
Keys.
As
with
any
other
configurable
control.
We
have
two
separate
controls.
One
for
testing:
if
an
image
has
a
signature
and
one
for
actually
verifying
it
that
way,
our
users
can
get
immediate
metrics
regarding
which
image
is
assigned
and
which
are
not.
A
After
using
Amazon's
elastic
kubernetes
service,
you
might
want
to
compare
against
the
Amazon
specific
CIS
Benchmark.
It's
designed
to
understand
the
fact
that
you
have
a
shared
responsibility
with
the
vendor
who,
in
this
case,
is
responsible
for
the
control
plane.
We
recently
added
support
for
scanning
against
the
CIS
eks
Benchmark.
A
Today,
we're
giving
you
a
Whistle
Stop
tour
through
what's
new
in
cubescape
and
a
few
things
that
are
coming
soon,
once
we've
released
our
vulnerability
relevance,
calculation
with
ebpf,
we
can
use
that
same
engine
to
do
so
much
more
things
like
generating
kubernetes
and
network
policies
based
on
application.
Behavior
keep
your
eyes
peeled
for
that.
A
Thanks
very
much
for
taking
this
journey
through
cubescape
with
me
today.
I'll
look
forward
to
answering
any
questions
you
may
have
in
slack
on
the
hash
cubescape
Channel.
If
you
want
to
get
involved
in
contributing
the
channel
is
Hash
cubescape
Dev
and
we
look
forward
to
seeing
you
in
the
community
soon
foreign.