How to Secure Kubernetes Clusters with Kubescape and Armo

  • Published: 6 Sep 2024

Comments • 69

  • @DevOpsToolkit 2 years ago +5

    What are you using to secure your Kubernetes clusters?
    IMPORTANT: For reasons I do not comprehend (and Google support could not figure out), RUclips tends to delete comments that contain links. Please do not use them in your comments.

    • @chasim1982 2 years ago +2

      Great video as always. I am using datree; how would you compare this with datree? I think kubescape is almost the same as datree?

    • @DevOpsToolkit 2 years ago +1

      Datree presented in that video is mostly focused on the CLI that can be used to validate manifests, while Kubescape is more focused on security scanning. However, Datree introduced some massive changes and is now going way beyond what I showed. I will publish a video about it in a few weeks.

    • @chasim1982 2 years ago +1

      @@DevOpsToolkit Thanks a lot 🙏 ❤️

  • @dirien 2 years ago +2

    Looking forward to how Kubescape will progress, especially with the work on the admission controller! Thanks Viktor for the insights!

  • @alvsanand 2 years ago +3

    Great tool. What a great discovery!

  • @1879heikkisorsa 2 years ago +4

    Exactly what we needed at the moment, thank you so much for the very detailed video!

  • @zahurulhaque6377 2 years ago +3

    Always love your videos; this one came just in time for me, I have just put that on my dev pipeline. Thanks again.

  • @user-ru3hf8xk6p 2 years ago +2

    Thanks man! Very good and helpful content. I am watching your videos all the time; it's very clear and educational.

  • @simo47768 2 years ago +2

    🤣🤣🤣 07:00 for now the only thing I can say, is that I am depressed. 🤣🤣🤣
    I know the feeling too

  • @felipeozoski 1 year ago

    This channel is the best!!

  • @wollginator 2 years ago +2

    Btw, security-related stuff is awesome; I'd highly appreciate a video about Falco for runtime security!

  • @gvoden 2 years ago +1

    Great to see a security video! By the way, the paid version of Snyk is unable to scan kube-system either, which is kind of frustrating, but it's by design.

    • @DevOpsToolkit 2 years ago +1

      In some cases (some hosted k8s), you cannot access kube-system. When you can, I think that it should be scanned. It's not as if security threats are designed to avoid that Namespace.

  • @vn7057 2 years ago +2

    After taking a look at this, I am thinking: what if we have a CronJob + Secret and execute Kubescape as a daily job for each k8s cluster?

    • @DevOpsToolkit 2 years ago +1

      Yes. You can (and should) run it either as a CronJob or through pipelines. Hopefully, that will change soon when Armo introduces admission controllers.
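
The daily in-cluster CronJob discussed above, as an added example that is not from the video or the Kubescape project. The namespace, object names, image tag and the choice of the nsa framework are assumptions; the --fail-threshold flag makes the scan exit non-zero, and so the Job fail visibly, when the risk score is above the threshold.

```yaml
# Daily read-only Kubescape scan run from inside the cluster (added example;
# namespace, names and image tag are assumptions, not the project's defaults).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubescape-scan
  namespace: kubescape
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubescape-scan-readonly
rules:
  # Read-only cluster-wide; this includes Secrets, so narrow it if policy forbids that.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubescape-scan-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubescape-scan-readonly
subjects:
  - kind: ServiceAccount
    name: kubescape-scan
    namespace: kubescape
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kubescape-daily
  namespace: kubescape
spec:
  schedule: "0 3 * * *"        # once a day at 03:00 cluster time
  concurrencyPolicy: Forbid    # never overlap two scans
  jobTemplate:
    spec:
      backoffLimit: 0          # a failed threshold check stays visible instead of being retried
      template:
        spec:
          serviceAccountName: kubescape-scan
          restartPolicy: Never
          containers:
            - name: kubescape
              image: quay.io/kubescape/kubescape-cli:latest   # pin a tested tag in practice
              # Exit code 1 (and therefore a failed Job) when the risk score is above 50.
              args: ["scan", "framework", "nsa", "--fail-threshold", "50"]
```

To upload results to the Armo portal, as the "CronJob + Secret" in the question suggests, add --submit --account with the account ID injected from a Secret rather than written into the manifest.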

  • @javisartdesign 2 years ago +2

    Thanks. It could be great to compare similar "sanitizer" tools such as kube-hunter, kube-bench, Falco, Popeye, etc. Like k6, I feel this project relies on cloud services to provide additional features. No complaints; other companies such as Confluent and Mongo Atlas are doing the same thing...

    • @DevOpsToolkit 2 years ago +1

      I think that the majority of "new" companies are going for the same model. Create an OSS project and monetize through Cloud services. Typically, at some later stage, those companies start offering "enterprise" self-managed solutions as well.
      In any case... I'll make sure to explore other similar solutions in upcoming videos.

  • @shaikbyte 2 years ago +1

    Love you brother

  • @homermaon 2 years ago +1

    Off topic, but maybe something to talk about with an on-premise cluster: what about multiple VRF environments? Clearly an interesting network topic :)

    • @DevOpsToolkit 2 years ago

      Adding it to my TODO list... :)
      It'll be a bit challenging to do a demo with on-prem given that I do not have servers available for demos, but I'll think of something.

  • @xxdivinexx90 2 years ago +2

    Brilliant! But at 28:18, when the scan runs with no failed resources, it still gives you an error?? Wouldn't that give me a return code of 1?

    • @amirkaushansky6880 2 years ago

      This is not an error; it is an indication that the control was skipped. This control (control plane hardening) requires that you run Kubescape with the --enable-host-scan flag, as it looks at the worker node (Kubelet settings).

    • @xxdivinexx90 2 years ago

      @@amirkaushansky6880 So the message "error: scan risk-score 0.00 is above permitted threshold 0" is due to skipping the control plane hardening control? You might want to tweak the error message.

    • @ak4luk 2 years ago +1

      @@xxdivinexx90 You are right - missed this and thought you were referring to the "skipped" message. Will be fixed ASAP. Thanks for letting us know.

    • @ak4luk 2 years ago +1

      @@xxdivinexx90 fixed

  • @TheApeMachine 2 years ago +2

    Very good timing as usual :) I am going to check this out. Did you think about the OS as well? I've been running Flatcar for this purpose given that it gives me a little boost in security as the people behind it are better at this than I :p A little difficult to set up maybe, and weird now to have write access to certain standard paths like /usr, but auto (immutable) updates is nice.

    • @DevOpsToolkit 2 years ago

      Kubescape's scope stops at the k8s level and might be sufficient for those using hosted Kubernetes services. Those that self-host need something else in addition to Kubescape.
      I'll explore OS-level security in one of the upcoming videos.

  • @hustletracker5862 2 years ago +2

    See, I have a boss that tells me how badly I'm doing my job. Don't even need a tool!

    • @DevOpsToolkit 2 years ago

      So, there are tools that do the same work as your boss. Does that mean that your company can replace him with a free open-source project? If he's managing multiple teams, the company might need to get several OSS projects, but it's still doable and cost-effective :)

  • @gaetanbloch7119 1 year ago +1

    Are you using Falco for threat detection and other security related matters? If so, I wish you would make a video on it if possible.

    • @DevOpsToolkit 1 year ago

      It's on my to-do list, but I cannot yet say when its turn will come.

    • @DevOpsToolkit 10 months ago +1

      Just published a video about Falco (ruclips.net/video/0tBSKRvH3xo/видео.html).

  • @jemag 2 years ago +1

    Would be interesting to have a comparison with Starboard from Aqua

  • @farzadmf 2 years ago +1

    Thank you for another amazing video

  • @wollginator 2 years ago +3

    Very nice, thank you! If they introduce an admission controller, would there be a significant difference to, let's say, Kyverno and the security-related policies (apart from the image scanning)?

    • @DevOpsToolkit 2 years ago +1

      I do not yet know how Kubescape admission controllers will work, so I cannot (yet) answer that question :(

    • @amirkaushansky6880 2 years ago +3

      Hi, it is different in the following ways: Kubescape gives you controls not only on K8s objects but also on the worker node settings (Kubelet, for example) and the API server (managed or on-prem). Kubescape will offer automatic remediation; today it has the ability (that you don't have in Kyverno) to show you where the policy violation happened in the YAML file. You can ping me directly to see a demo and discuss the roadmap.

    • @wollginator 2 years ago +2

      @@amirkaushansky6880 Thanks for the info, that in fact sounds pretty nice!!

  • @ChristofferVig 2 years ago +1

    Thanks!

  • @alexandrgumeniuc431 2 years ago +1

    Hi Victor, thank you for making this video.
    You mentioned the kubescape team working on an admission controller; this sounds like a great idea. But I have a strong feeling that this controller will do almost the same thing as PSP used to do. Can you please share your view on this?
    Thank you

    • @DevOpsToolkit 2 years ago

      I do not yet know the details of how it will look and what it will do. I prefer to first see it in action before commenting on it.

  • @mzw8374 1 year ago

    Do you have a reference for how to set up all these tools on any cloud services?

    • @DevOpsToolkit 1 year ago

      There should be a link to the gist with all the instructions in the description of the video.

  • @kchaitu4 1 year ago +1

    How safe is it to send the cluster info to the Armo portal?

    • @DevOpsToolkit 1 year ago

      That depends on what you have in metrics and especially in logs. Normally, those should be safe but it ultimately depends on whether you keep it that way.

    • @kchaitu4 1 year ago +1

      @@DevOpsToolkit thanks. Do you recommend any self-hosted service which is similar or has most of the functionalities?

    • @DevOpsToolkit 1 year ago

      OpenTelemetry for instrumentation, Loki for logs, Prometheus for metrics, Grafana Tempo for traces, Grafana for dashboards.

  • @ManoharReddy-pl4gr 2 years ago +1

    4:50
    but I'm getting
    [info] kubescape scan starting
    [fatal] failed connecting to kubernetes cluster.
    Can someone help me!

    • @DevOpsToolkit 2 years ago

      Can you confirm that the cluster is accessible (that it is not behind a firewall, vpn, or something similar)?

    • @ManoharReddy-pl4gr 2 years ago +1

      @@DevOpsToolkit
      apiVersion: v1
      clusters: null
      contexts: null
      current-context: ""
      kind: Config
      preferences: {}
      users: null
      Even though I'm inside the repo, it is showing me null.

    • @DevOpsToolkit 2 years ago

      Is that kubeconfig? If it is, it's not going to work with nulls. You need to have a valid kubeconfig pointing to your cluster.

  • @lhxperimental 2 years ago +1

    Is the UI available for running on-prem? My company won't accept uploading a vulnerability report to a third party. Also, any tool running in the cluster should not "call home". That's a hard requirement.
    Is it intended to replace Open Policy Agent? Or is it supposed to work along with it?
    BTW, I would like to hear your thoughts on user authentication for on-prem clusters. At present we are all using the admin keys for our testing. This approach won't work for prod. I am exploring LDAP + a VMware-backed open-source project called Pinniped. I want user and group management to happen in LDAP. Groups from LDAP will also be available in the cluster and RBAC would be applied on groups. Group memberships will be managed in LDAP.

    • @DevOpsToolkit 2 years ago +1

      I do not think there is a fully self-hosted version of Kubescape/Armo, and I agree that it is sometimes unacceptable to send anything to a third party.
      As for OPA... I do not think it replaces it. I believe it is a complementary tool. OPA will not let you know about new vulnerabilities. However, once you discover them with a tool like Kubescape, you might want to create an OPA rule to prevent them from reaching your cluster. So, I see both working in tandem. That might change later once we see what Armo does with admission controllers.
      As for RBAC, I prefer having only a selected few with any access to the cluster and managing access for everyone else through Git, with tools like Argo CD or Flux doing the synchronization.

    • @lhxperimental 2 years ago

      @@DevOpsToolkit Thanks for taking out time to respond

  • @user-kg2qn8se4h 1 year ago +1

    How do I solve the issue and find it in my YAML file, because I don't see anything happening on that particular line? Watch 19:43

    • @DevOpsToolkit 1 year ago +1

      That's the line KubeScape was complaining about and that needs to be fixed. It's the line that should be fixed according to the description of the vulnerability or the bad practice indicated by KubeScape.
      Is that what you meant, or did I misunderstand your comment?

    • @user-kg2qn8se4h 1 year ago +1

      @@DevOpsToolkit You're right. But the problem is that it is showing me only the errors, not the solutions. I didn't find those errors in my file. I searched them all but didn't find that error. Can I edit it in kubescape or is there any other way?

    • @DevOpsToolkit 1 year ago +1

      @@user-kg2qn8se4h It should show it in the KubeScape UI. Maybe something changed since the last time I used it. I'll double-check it...

    • @user-kg2qn8se4h 1 year ago +1

      @@DevOpsToolkit Please let me know about it.

  • @zahurulhaque6377 2 years ago +1

    ruclips.net/video/ZATGiDIDBQk/видео.html - at 28:24 I was expecting it would be exit code 0; it should not be an error???

    • @DevOpsToolkit 2 years ago +1

      You're right. I wanted to mention that and then forgot. That's my bad.
      It is indeed a bug and there is already an issue and, as far as I know, the team is already working on it.

    • @zahurulhaque6377 2 years ago +1

      @@DevOpsToolkit thanks viktor 🙏

  • @classactionsteve 2 years ago +1

    This is too esoteric

  • @touchthesun 2 years ago

    I'm hitting an error with the kustomize code you included in the repo for this, and I'm wondering if you have any insight.
    kubectl apply --kustomize kustomize/overlays/dev
    error: rawResources failed to read Resources: Load from path ../../base failed: '../../base' must be a file (got d='/Users/touchthesun/Documents/workspace/kubescape-demo/kustomize/base')

    • @DevOpsToolkit 2 years ago +1

      That's strange. It's as if your OS does not see the files in that directory. Can you paste the output of `ls kustomize/base` while in the local copy of the repo?