As we progress through this series, we have delved into various aspects of KubeClarity, including SBOM (Software Bill of Materials) Integration and Vulnerability Scanning. Now, it’s time to take a closer look at runtime scanning. This post will explore the extensive capabilities of the KubeClarity run-time scanning feature.
Run-time scanning plays a crucial role in ensuring the security and integrity of your applications within a Kubernetes environment. It allows you to monitor and detect vulnerabilities in real time as your applications run. In addition, with KubeClarity run-time scanning, you gain valuable insights into the security posture of your Kubernetes applications post-deployment.
Scanning the clusters you actually run is essential for detecting and addressing vulnerabilities that a build-time scan cannot see: images that were patched after they were built, images pulled from registries you do not control, and workloads deployed outside your pipeline. By continuously scanning the images present in your clusters, you can mitigate risks, prevent potential attacks, and maintain a strong security posture in a dynamic Kubernetes environment. Some of the key advantages of employing a run-time scan strategy in addition to build-time or static analysis are:
KubeClarity offers many impressive features that greatly enhance the runtime scanning experience. Here are some key highlights:
With KubeClarity, you can enjoy significantly faster runtime scans. The scanning process is optimized, reducing the time required to detect vulnerabilities from minutes to seconds. This allows for quicker identification and remediation of potential security risks.
KubeClarity does not need to pull the entire image tarball to scan an image. It retrieves only what it needs to build the SBOM, which removes the largest source of overhead in image scanning: fetching and unpacking every layer.
KubeClarity uses the cached SBOM data if an image has already been scanned, eliminating the need for time-consuming image retrieval and recomputing, improving overall efficiency.
Scanning images as part of admission control benefits from the same optimizations: a scan that previously might have taken minutes now returns results within seconds, so images can be assessed as they are admitted without holding up your CI/CD pipeline or deployments. Runtime scanning of Kubernetes namespaces is available through the UI and the API.
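To make the SBOM-cache point concrete, here is an added example (not KubeClarity's own code) of the bookkeeping a namespace runtime scan has to do: enumerate the images that are actually running from pod status, key them by image digest rather than by tag, and only schedule a fresh SBOM computation for digests that have not been seen before. The pod list and the cache contents are constructed sample data; the `imageID` strings follow the shapes the kubelet reports, but the repositories and digests are made up.

```python
"""Plan a namespace runtime scan from pod status, reusing cached SBOMs.

Added example, not KubeClarity's code. It mimics two things the post
describes: enumerating the images actually running in a namespace, and
skipping images whose SBOM has already been computed. Sample data below
is constructed; only the imageID formats mirror what the kubelet emits.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed `kubectl get pods -n kube-system -o json`-style output, trimmed
# to the fields a runtime scan needs. imageID is either
# "docker-pullable://repo@sha256:..." or "repo@sha256:..." on real clusters.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "coredns-1", "namespace": "kube-system"},
     "status": {"containerStatuses": [
         {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1",
          "imageID": "docker-pullable://registry.k8s.io/coredns/coredns@sha256:" + "a" * 64}]}},
    {"metadata": {"name": "coredns-2", "namespace": "kube-system"},
     "status": {"containerStatuses": [
         {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1",
          "imageID": "registry.k8s.io/coredns/coredns@sha256:" + "a" * 64}]}},
    # Same tag as above, different digest: the tag was re-pushed, so the
    # SBOM cached for the old digest must not be reused for this pod.
    {"metadata": {"name": "coredns-canary", "namespace": "kube-system"},
     "status": {"containerStatuses": [
         {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.10.1",
          "imageID": "registry.k8s.io/coredns/coredns@sha256:" + "b" * 64}]}},
    # Pod still pulling its image: no imageID yet, so nothing to scan.
    {"metadata": {"name": "pending", "namespace": "kube-system"},
     "status": {"containerStatuses": [
         {"name": "app", "image": "example.invalid/app:1.0", "imageID": ""}]}},
]})

# Constructed SBOM cache keyed by image digest; the "a" digest was scanned earlier.
SBOM_CACHE = {"sha256:" + "a" * 64: {"packages": 42}}


@dataclass(frozen=True)
class ImageRef:
    repository: str
    digest: str
    tag: Optional[str]


def parse_image_id(image_id: str, image: str) -> Optional[ImageRef]:
    """Turn the kubelet's imageID into repository + digest; None if not pulled yet."""
    if not image_id or "@" not in image_id:
        return None
    ref = image_id.split("://", 1)[-1]           # drop a docker-pullable:// prefix
    repository, digest = ref.rsplit("@", 1)
    if not digest.startswith("sha256:") or len(digest) != 71:
        return None
    # The tag only exists in the pod spec's image string, never in imageID.
    last = image.rsplit("/", 1)[-1]
    tag = last.rsplit(":", 1)[1] if ":" in last else None
    return ImageRef(repository, digest, tag)


def plan_namespace_scan(pods_json: str, cache: Dict[str, dict]) -> dict:
    """Return the unique running digests split into cached vs. needing a scan."""
    pods = json.loads(pods_json)
    seen: Dict[str, ImageRef] = {}
    for pod in pods["items"]:
        for cs in pod["status"].get("containerStatuses", []):
            ref = parse_image_id(cs.get("imageID", ""), cs.get("image", ""))
            if ref is not None:
                seen.setdefault(ref.digest, ref)  # dedupe by digest, not by tag
    cached = sorted(d for d in seen if d in cache)
    to_scan = sorted(d for d in seen if d not in cache)
    return {"cached": cached, "to_scan": to_scan, "refs": seen}


if __name__ == "__main__":
    plan = plan_namespace_scan(PODS_JSON, SBOM_CACHE)
    print("reuse cached SBOM:", plan["cached"])
    print("compute SBOM:     ", plan["to_scan"])
```

Keying on the digest is what makes the cache safe: two pods running the same tag but different digests are two different images, while the same digest under two tags is one image and one SBOM.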
For example, when you download an image as a tarball in your KubeClarity Kubernetes cluster, the tarball contains several files and directories that make up the image. These typically include:
Downloading an image tarball fetches everything needed to recreate the image on a node. Generating an SBOM, however, only needs the package metadata inside the layers, not the full runtime filesystem, and which files matter depends on the image's contents and the runtime context. Avoiding the full pull and unpack for every image is where KubeClarity plays to its strengths.
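The following is an added example, not code from the post or from KubeClarity, showing what the tarball structure described above looks like in practice. It builds a constructed two-layer image in memory in the classic `docker save` layout (a `manifest.json`, an image config JSON named by its digest, and one directory per layer holding `layer.tar`) and then reads only the two metadata files to report the layers, their diff IDs and sizes, without extracting any layer contents. The image name and file contents are made up; in a real `docker save` archive the per-layer directory name is a legacy layer ID rather than the diff ID used here for simplicity.

```python
"""Inspect a `docker save` style image tarball without unpacking its layers.

Added example, not KubeClarity's code. The image built here is constructed
sample data in the classic docker save layout; only manifest.json and the
config JSON are read back, the layer tars are never extracted.
"""
import hashlib
import io
import json
import tarfile
from typing import Dict


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Append an in-memory file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer_tar(files: Dict[str, bytes]) -> bytes:
    """Build one image layer: a tar of path -> content entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as layer:
        for path, content in files.items():
            _add_bytes(layer, path, content)
    return buf.getvalue()


def build_sample_image_tar() -> bytes:
    """Constructed two-layer image in docker save layout (sample data)."""
    layers = [
        _layer_tar({"bin/sh": b"#!/bin/sh\n", "etc/os-release": b"ID=alpine\n"}),
        _layer_tar({"usr/bin/curl": b"\x7fELF...constructed..."}),
    ]
    # diff_ids are the sha256 of each uncompressed layer tar, as in a real config.
    diff_ids = ["sha256:" + hashlib.sha256(layer).hexdigest() for layer in layers]
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    config_name = hashlib.sha256(config).hexdigest() + ".json"
    # Simplification: real docker save names these dirs by a legacy layer ID.
    layer_dirs = [d.split(":", 1)[1] for d in diff_ids]
    manifest = json.dumps([{"Config": config_name,
                            "RepoTags": ["example.invalid/app:1.0"],
                            "Layers": [f"{d}/layer.tar" for d in layer_dirs]}]).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_bytes(tar, "manifest.json", manifest)
        _add_bytes(tar, config_name, config)
        for d, data in zip(layer_dirs, layers):
            _add_bytes(tar, f"{d}/layer.tar", data)
    return buf.getvalue()


def describe_image_tar(data: bytes) -> dict:
    """Read manifest.json and the config only; list layers without extracting them."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers()}
        manifest = json.load(tar.extractfile(members["manifest.json"]))[0]
        config = json.load(tar.extractfile(members[manifest["Config"]]))
        layers = [{"path": path, "diff_id": diff_id, "size": members[path].size}
                  for path, diff_id in zip(manifest["Layers"],
                                           config["rootfs"]["diff_ids"])]
    return {"tags": manifest["RepoTags"], "config": manifest["Config"],
            "os": config["os"], "arch": config["architecture"],
            "layers": layers,
            "layer_bytes": sum(layer["size"] for layer in layers),
            "total_bytes": len(data)}


if __name__ == "__main__":
    info = describe_image_tar(build_sample_image_tar())
    print(f"{info['tags'][0]} ({info['os']}/{info['arch']}), "
          f"{len(info['layers'])} layers, {info['layer_bytes']} of "
          f"{info['total_bytes']} bytes are layer data")
    for layer in info["layers"]:
        print(f"  {layer['diff_id'][:19]}...  {layer['size']:>6} B  {layer['path']}")
```

The `layer_bytes` versus `total_bytes` split is the point of the exercise: almost the entire archive is layer data, and the metadata needed to identify the image and its layers is a tiny fraction of it.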
Figure-2 illustrates the structure of a runtime scanning architecture. This layout visually represents the components and their interconnections within the runtime scanning system. By examining the figure, you can better understand how the various elements work together to facilitate the scanning process during runtime.
Note that starting and stopping a runtime scan is available through the UI and the API, but is not supported by the CLI.
Enabling Runtime Scan in KubeClarity is a straightforward process. Follow these steps:
Enabling runtime scans in KubeClarity improves the security of your Kubernetes environment by giving you visibility into vulnerabilities in the images your applications are actually running.
Once KubeClarity is installed, configure runtime scanning: define the scan parameters, specify the target namespaces and workloads, and enable the scanning modules you need.
KubeClarity authenticates to image registries using the k8schain package from google/go-containerregistry. For details on what to do if the necessary registry credentials are not discoverable by k8schain, check out the README.
Select the runtime scan options view from the navigation pane as shown in Figure-4 below:
To schedule a scan at your preferred time, click the “Schedule Scan” option in the upper right corner, as shown in Figure-5 below. This feature allows you to set a specific time for the scan, providing flexibility and control over when the scanning process initiates.
Upon selecting the “Schedule Scan” option, you will land on the screen shown in Figure-6. This screen offers various options for choosing a namespace for the scan. Follow this screen’s instructions and available choices to select the specific namespace you wish to scan. For example, I’m selecting the “kube-system” namespace as a target for scanning.
Next, choose timing options for the scan, as shown in Figure-7 below.
Click the “Save” button to save the settings shown in Figure-8 below.
Upon saving the scan schedule, control returns to the main runtime scan page, which shows the most recently completed scan, or the scan currently in progress if there is one. Currently, there is no option to browse a list of all scheduled scans; the page only shows the most recent scheduled selection. There is room for improvement here: a view of all pending scheduled scans would be useful.
Figure-9 presents the runtime scan view, displaying comprehensive details regarding the progress of the ongoing scan. This view offers real-time updates and insights into the scanning process, allowing you to monitor the scan’s progress and track any vulnerabilities or issues detected.
Once the scan results are available, you can easily navigate the findings and address the relevant issues. If you need a refresher on navigating and resolving these vulnerabilities, refer to the detailed instructions in the previous post. Hopefully, this process has helped you uncover any overlooked vulnerabilities within your cluster.
KubeClarity's runtime optimization for image scanning in Kubernetes environments provides a more focused and streamlined approach to vulnerability management. By scanning only the images downloaded into your cluster, you reduce the bloat and improve the efficiency of your scanning process, saving valuable time and resources. You can enhance the security of your Kubernetes deployments with KubeClarity and stay one step ahead of potential threats.
Lastly, we have the topic of CIS Benchmarks left to explore. In the next section, we will look at CIS Benchmarks and their significance in enhancing the security and compliance of your systems, and at how KubeClarity puts them to work.
Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco.