
Image Vulnerability Scanning for Optimal Kubernetes Security

Stefanie Lai
Published in Better Programming, Aug 8, 2022 (6 min read)


A big part of Kubernetes security is cluster management, and within that, container security is vital to building the cloud's defensive line.

Container images should be built with good design practices in mind: avoid depending on more packages than necessary, and remove extra libraries and binaries so the image stays minimal and its attack surface small. Developers like me are usually not well acquainted with security, because we generally rely on the company's security team or the public cloud provider for protection.

However, Red Hat's 2022 State of Kubernetes Security report raised some troubling findings: 53% of respondents had detected a Kubernetes misconfiguration in the past 12 months, and 57% named securing workloads at runtime as their biggest worry.

Key figures from the report:
- 53% detected a misconfiguration in Kubernetes in the last 12 months
- 57% worry most about securing workloads at runtime
- 51% require developers to use validated images
- 78% have a DevSecOps initiative in either a beginning or an advanced stage
- 43% consider DevOps the role most responsible for Kubernetes security
- 55% delayed or slowed down an application deployment because of a security concern
(Source: Red Hat, State of Kubernetes Security Report 2022)

It is time to get equipped with some tools that make up for the developer's limitations. I started by "arming" the workload container and scanning its image for vulnerabilities. An image's immutability lets us deploy, test, and promote the same artifact across environments, which is a big advantage, but it also carries a risk: the image and its dependencies go stale, and a newly disclosed vulnerability in a bundled library is not patched automatically. The fix only arrives when the image is rebuilt, so images need to be scanned regularly, not just once at build time.

When looking for container vulnerability scanning tools in the CNCF community, I found Kubescape, an open-source tool launched by the security company ARMO.

Kubescape scans the resources in a cluster (and manifests before they are deployed) to find misconfigurations and known vulnerabilities ahead of time. It ships with the NSA-CISA and MITRE ATT&CK frameworks as default control sets and also supports custom frameworks. It can be integrated into CI/CD tools such as Jenkins and CircleCI, and scan results can go to the ARMO SaaS, to the CLI, or to the CLI in offline mode, covering all scenarios.
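A worked example of the CI/CD integration, added here and not Kubescape's own code: a small gate that reads the JSON report written by `kubescape scan framework nsa --format json --output report.json` and fails the pipeline when any failed control is at or above a chosen severity. The report layout it reads (`summaryDetails.controls[*]` with `controlID`, `name`, `status`, `scoreFactor` and `ResourceCounters`) follows the v2 report as I know it and the severity banding from `scoreFactor` is an assumption; check both against the Kubescape version you run. The embedded sample report is constructed, not real scanner output.

```python
"""CI gate over a Kubescape JSON posture report (added example, not Kubescape's code).

Usage in a pipeline step:
    kubescape scan framework nsa --format json --output report.json
    python kubescape_gate.py report.json High
Exit code 1 blocks the deployment when a control at or above the threshold failed.
"""
import json
import sys
from typing import Dict, List


def severity(score_factor: float) -> str:
    """Map a control's scoreFactor to a severity band.

    Assumption: Kubescape bands scoreFactor roughly as Critical >= 9, High >= 7,
    Medium >= 4, Low otherwise. Verify against your release before relying on it.
    """
    if score_factor >= 9:
        return "Critical"
    if score_factor >= 7:
        return "High"
    if score_factor >= 4:
        return "Medium"
    return "Low"


SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def failing_controls(report: dict, min_severity: str = "High") -> List[Dict]:
    """Return failed controls at or above min_severity, highest severity first."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    # Field names assumed from the v2 report layout: summaryDetails.controls is a
    # map keyed by control ID; each entry carries status, scoreFactor and counters.
    for ctrl in report.get("summaryDetails", {}).get("controls", {}).values():
        if ctrl.get("status") != "failed":
            continue
        sev = severity(float(ctrl.get("scoreFactor", 0)))
        if SEVERITY_RANK[sev] < threshold:
            continue
        counters = ctrl.get("ResourceCounters", {})
        hits.append({
            "id": ctrl.get("controlID"),
            "name": ctrl.get("name"),
            "severity": sev,
            "failed": int(counters.get("failedResources", 0)),
        })
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["id"]))
    return hits


def gate(report: dict, min_severity: str = "High") -> int:
    """Print a summary and return the exit code: 0 passes, 1 blocks the pipeline."""
    hits = failing_controls(report, min_severity)
    for h in hits:
        print(f'{h["severity"]:<8} {h["id"]} {h["name"]} ({h["failed"]} failed resources)')
    if hits:
        print(f"FAIL: {len(hits)} control(s) at {min_severity} or above failed")
        return 1
    print("PASS")
    return 0


# Constructed sample report (not real Kubescape output), trimmed to the fields the gate reads.
SAMPLE_REPORT = {
    "summaryDetails": {
        "status": "failed",
        "controls": {
            "C-0016": {"controlID": "C-0016", "name": "Allow privilege escalation",
                       "status": "failed", "scoreFactor": 6.0,
                       "ResourceCounters": {"failedResources": 2, "passedResources": 5}},
            "C-0057": {"controlID": "C-0057", "name": "Privileged container",
                       "status": "failed", "scoreFactor": 8.0,
                       "ResourceCounters": {"failedResources": 1, "passedResources": 6}},
            "C-0034": {"controlID": "C-0034", "name": "Automatic mapping of service account",
                       "status": "passed", "scoreFactor": 6.0,
                       "ResourceCounters": {"failedResources": 0, "passedResources": 7}},
        },
    }
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report = json.load(f)
    else:
        report = SAMPLE_REPORT
    min_sev = sys.argv[2] if len(sys.argv) > 2 else "High"
    sys.exit(gate(report, min_severity=min_sev))
```

Gating on severity rather than on Kubescape's overall compliance score keeps a single privileged container from hiding behind a high percentage of passing resources; start the threshold at High so the pipeline does not block on every Medium finding, then tighten it once the backlog is cleared.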

Kubescape has integrated the security proposals from the 66-page Kubernetes
