Getting started with Kubescape
Kubescape can run as a command line tool on a client, as an operator inside a cluster, as part of your CI/CD process, and more.
The best way to get started with Kubescape is to download it to the machine you use to manage your Kubernetes cluster.
Install Kubescape
(Kubescape is a security product; please read the downloaded install script before you run it!)
You can also
Run your first scan
You will see output like this:
Usage
Some documentation on using Kubescape is yet to move here from the ARMO Platform docs.
Examples
- Scan a running Kubernetes cluster:
- Scan a running Kubernetes cluster with the NSA framework:
- Scan a running Kubernetes cluster with the MITRE ATT&CK® framework:
- Scan for a specific control, using the control name or control ID. See the list of controls.
- Use an alternative kubeconfig file:
- Scan specific namespaces:
- Exclude certain namespaces:
- Scan local YAML/JSON files before deploying:
  Take a look at the demonstration: https://youtu.be/Ox6DaR7_4ZI
- Scan Kubernetes manifest files from a Git repository:
- Scan with exceptions:
  Objects covered by an exception are reported as "exclude" rather than "fail".
- Scan Helm charts:
  Note: Kubescape will load the chart's default values file.
- Scan a Kustomize directory:
  Note: Kubescape will render the Kubernetes YAML objects from the kustomization file and scan them.
Output formats
- JSON:
  Note: Add the --format-version v2 flag for maximum compatibility.
- junit XML:
- PDF (contributed by @alegrey91):
- Prometheus metrics (contributed by @Joibel):
- HTML:
- Display all scanned resources (including the resources which passed):
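When Kubescape runs in CI, the JSON output is what you gate the pipeline on. The following script is an added example (it is not part of the Kubescape project) that loads a report in the shape produced by a scan with --format json --format-version v2, ignores everything that is not a hard "failed" status (so resources that an exceptions file turned into "exclude" do not break the build, as described under "Scan with exceptions" above), and fails the job only when a control at or above a chosen severity failed on at least one resource. The sample report embedded below is constructed by hand, and the mapping from a control's scoreFactor to a severity name is an assumption; verify both against the version of Kubescape you run.

```python
"""Gate a CI job on a Kubescape JSON (--format-version v2) report.

Added example, not Kubescape project code. The report layout used here
(summaryDetails.controls keyed by control ID, results[].controls[].status.status,
one scoreFactor per control) mirrors Kubescape's v2 JSON output, but the sample
below is constructed and the severity thresholds are assumptions.
"""
import json
import sys

# Assumed mapping from Kubescape's scoreFactor to a severity label (highest first).
SEVERITY_THRESHOLDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 1.0))


def severity(score_factor: float) -> str:
    """Return the severity label for a scoreFactor, or 'unknown' below every threshold."""
    for name, threshold in SEVERITY_THRESHOLDS:
        if score_factor >= threshold:
            return name
    return "unknown"


# Constructed sample in the shape of:
#   kubescape scan --format json --format-version v2 --output results.json
SAMPLE_REPORT = json.loads("""{
  "summaryDetails": {
    "controls": {
      "C-0057": {"controlID": "C-0057", "name": "Privileged container", "status": "failed", "scoreFactor": 8.0},
      "C-0013": {"controlID": "C-0013", "name": "Non-root containers", "status": "failed", "scoreFactor": 6.0},
      "C-0004": {"controlID": "C-0004", "name": "Resources memory limit and request", "status": "passed", "scoreFactor": 3.0}
    }
  },
  "results": [
    {
      "resourceID": "path=1234/api=apps/v1/namespace=default/kind=Deployment/name=web",
      "controls": [
        {"controlID": "C-0057", "name": "Privileged container", "status": {"status": "failed"}},
        {"controlID": "C-0013", "name": "Non-root containers", "status": {"status": "failed"}},
        {"controlID": "C-0004", "name": "Resources memory limit and request", "status": {"status": "passed"}}
      ]
    },
    {
      "resourceID": "path=5678/api=apps/v1/namespace=kube-system/kind=DaemonSet/name=proxy",
      "controls": [
        {"controlID": "C-0057", "name": "Privileged container", "status": {"status": "excluded"}},
        {"controlID": "C-0013", "name": "Non-root containers", "status": {"status": "passed"}}
      ]
    }
  ]
}""")


def failing_resources(report, min_severity="high"):
    """Return {control_id: [resourceID, ...]} for controls at or above min_severity
    that carry a hard 'failed' status on a resource. Any other status (passed,
    excluded by an exceptions file, skipped) never counts against the build."""
    rank = [name for name, _ in SEVERITY_THRESHOLDS]
    if min_severity not in rank:
        raise ValueError(f"unknown severity {min_severity!r}; use one of {rank}")
    controls = report["summaryDetails"]["controls"]
    failures = {}
    for result in report.get("results", []):
        for ctl in result.get("controls", []):
            if ctl.get("status", {}).get("status") != "failed":
                continue
            cid = ctl["controlID"]
            sev = severity(float(controls.get(cid, {}).get("scoreFactor", 0)))
            # rank is ordered highest severity first, so a larger index means less severe.
            if sev == "unknown" or rank.index(sev) > rank.index(min_severity):
                continue
            failures.setdefault(cid, []).append(result["resourceID"])
    return failures


def gate(report, min_severity="high") -> int:
    """Print the blocking findings and return the process exit code (1 = block the build)."""
    failures = failing_resources(report, min_severity)
    for cid, resources in sorted(failures.items()):
        name = report["summaryDetails"]["controls"][cid]["name"]
        print(f"{cid} {name}: {len(resources)} failing resource(s)")
        for resource in resources:
            print(f"  {resource}")
    return 1 if failures else 0


if __name__ == "__main__":
    # Usage: python gate.py [results.json] [min-severity]; with no arguments the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    with open(path) if path else None as handle:  # noqa: handled below
        pass
    report = json.load(open(path)) if path else SAMPLE_REPORT
    sys.exit(gate(report, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Run against the sample, the job is blocked at the "high" threshold because C-0057 failed on the web Deployment, while the same control on the kube-system DaemonSet is "excluded" and ignored; raising the threshold to "critical" lets the build pass, which is the knob to turn while you work down a backlog of medium findings.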
Offline/air-gapped environment support
It is possible to run Kubescape offline! Check out our video tutorial.
Download all artifacts
- Download the controls and save them in a local directory. If no path is specified, they will be saved in ~/.kubescape.
- Copy the downloaded artifacts to the offline system.
- Scan using the downloaded artifacts:
Download a single artifact
You can also download a single artifact, and scan with the --use-from flag:
- Download and save it to a file. If no file name is specified, the artifact will be saved as ~/.kubescape/<framework name>.json.
- Copy the downloaded artifact to the offline system.
- Scan using the downloaded framework:
Other ways to use Kubescape
Scan periodically using Helm
We publish a Helm chart for our in-cluster components. Please follow the instructions here
VS Code Extension
Scan your YAML files while writing them using our VS Code extension.
Lens Extension
View Kubescape scan results directly in the Lens IDE using the Kubescape Lens extension.
Playground
Experiment with Kubescape in the Kubescape playground: this scenario will install a K3s cluster and Kubescape. You can start with any of the kubescape scan commands in the examples.
Tutorial videos
- Kubescape overview
- How to secure Kubernetes clusters with Kubescape
- Scan Kubernetes YAML files
- Scan container image registry
- Run Kubescape in an air-gapped environment (offline support)
- Managing exceptions in ARMO Platform
- Configure and run customized frameworks
- Customize control configurations:
- Kubescape CLI
- ARMO Platform
Other installation methods
The curl install method will work on all platforms, but you may wish to use a native method to install Kubescape.
Install on Windows
You must have PowerShell v5.0 or higher installed.
If you get an error, you may need to change the execution policy:
Install on macOS
You can install Kubescape via Homebrew:
Install on NixOS or with nix
This method is community-supported. If you are having trouble, please reach out to NixOS support.
You can use nix on Linux or macOS.
Try it out in an ephemeral shell: nix-shell -p kubescape
NixOS:
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
kubescape
];
home-manager:
Or, to your profile (not preferred): nix-env --install -A nixpkgs.kubescape