Kubescape による Security Posture Management
サポートされるバージョン: Kubescape 3.0+, Kubernetes 1.31, 1.32, 1.33 最終更新: February 25, 2026
Kubescape は、包括的な Security Posture Management、脆弱性スキャン、コンプライアンスチェックを提供するオープンソースの Kubernetes セキュリティプラットフォームです。CNCF Sandbox プロジェクトとして、組織が Kubernetes 環境全体の設定ミス、脆弱性、コンプライアンス違反を特定するのに役立ちます。
目次
- 概要
- インストール
- Security Frameworks
- CLI スキャン
- Operator Mode (In-Cluster)
- Risk Scoring
- CI/CD Integration
- EKS-Specific Guide
- Control Exception Handling
- Best Practices
- まとめと参考資料
概要
Kubescape が解決すること
Kubescape は Kubernetes 環境における重要なセキュリティ課題に対応します。
- 設定ミスの検出: Workload、RBAC、network policy、cluster 設定におけるセキュリティ設定ミスを特定します
- コンプライアンス検証: 業界 framework (NSA-CISA、CIS、MITRE ATT&CK) に照らして cluster を検証します
- 脆弱性スキャン: container image と Kubernetes component の脆弱性を検出します
- RBAC 分析: role-based access control 設定を可視化して分析します
- Shift-Left Security: deployment 前に manifest と Helm chart をスキャンします
CNCF Sandbox プロジェクト
Kubescape は 2022 年に CNCF Sandbox に参加し、オープンソースの原則とコミュニティ主導の開発への取り組みを示しました。このプロジェクトは ARMO とオープンソースコミュニティによって積極的に保守されています。
類似ツールとの比較
| Feature | Kubescape | kube-bench | Polaris | Trivy |
|---|---|---|---|---|
| CIS Benchmark | Yes | Yes | No | Yes |
| NSA-CISA Framework | Yes | No | No | No |
| MITRE ATT&CK | Yes | No | No | No |
| Image Scanning | Yes | No | No | Yes |
| RBAC Analysis | Yes | No | No | No |
| Helm/YAML Scanning | Yes | No | Yes | Yes |
| In-Cluster Operator | Yes | Limited | Yes | Yes |
| Risk Scoring | Yes | No | Yes | Yes |
| Custom Frameworks | Yes | No | Yes | No |
| CI/CD Integration | Native | Manual | Native | Native |
| Runtime Detection | Yes (with Node Agent) | No | No | No |
| License | Apache 2.0 | Apache 2.0 | Apache 2.0 | Apache 2.0 |
Kubescape Architecture
インストール
CLI Installation
Linux and macOS
# Using curl (recommended)
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
# Using Homebrew (macOS/Linux)
brew install kubescape
# Using Krew (kubectl plugin manager)
kubectl krew install kubescape
# Verify installation
kubescape versionWindows
# Using PowerShell
iwr -useb https://raw.githubusercontent.com/kubescape/kubescape/master/install.ps1 | iex
# Using Chocolatey
choco install kubescape
# Using Scoop
scoop install kubescapeContainer Image
# Run Kubescape as a container
docker run -v ~/.kube:/root/.kube quay.io/kubescape/kubescape:latest scan framework nsa
# With specific kubeconfig
docker run -v /path/to/kubeconfig:/root/.kube/config \
quay.io/kubescape/kubescape:latest scan framework cisHelm Operator Installation (In-Cluster)
Kubescape Operator は、cluster 内で継続的なスキャンと監視機能を提供します。
# Add Kubescape Helm repository
helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
# Install Kubescape Operator with default settings
helm install kubescape kubescape/kubescape-operator \
-n kubescape \
--create-namespace
# Install with custom configuration
helm install kubescape kubescape/kubescape-operator \
-n kubescape \
--create-namespace \
--set clusterName=my-eks-cluster \
--set capabilities.continuousScan=enable \
--set capabilities.vulnerabilityScan=enable \
--set capabilities.nodeScan=enable \
--set capabilities.runtimeDetection=enableOperator Configuration Values
# values.yaml
clusterName: "production-eks-cluster"
capabilities:
continuousScan: enable
vulnerabilityScan: enable
nodeScan: enable
runtimeDetection: enable
networkPolicyService: enable
kubescape:
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
storage:
enabled: true
storageClassName: gp3
size: 10Gi
nodeAgent:
enabled: true
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
gateway:
enabled: true
service:
type: ClusterIPKubescape Cloud (SaaS)
Kubescape Cloud は、複数の cluster にわたるセキュリティ管理のための一元化された dashboard を提供します。
# Connect to Kubescape Cloud
kubescape scan framework nsa --account <ACCOUNT_ID> --submit
# Generate account ID
kubescape config set accountID <YOUR_ACCOUNT_ID>
# Verify cloud connectivity
kubescape config viewSecurity Frameworks
Kubescape は包括的なコンプライアンスチェックのために複数の security framework をサポートします。
NSA-CISA Kubernetes Hardening Guide
NSA-CISA framework は、米国 National Security Agency および Cybersecurity & Infrastructure Security Agency からのセキュリティ推奨事項を提供します。
# Scan against NSA-CISA framework
kubescape scan framework nsa
# Scan specific namespaces
kubescape scan framework nsa --include-namespaces production,staging主な control カテゴリ:
- Pod Security
- Network Separation
- Authentication and Authorization
- Audit Logging
- Upgrade and Patching
CIS Kubernetes Benchmark
Center for Internet Security (CIS) Benchmark は、規範的なセキュリティ設定ガイドラインを提供します。
# Scan against CIS Benchmark
kubescape scan framework cis
# CIS v1.8 for Kubernetes 1.27+
kubescape scan framework cis-v1.8
# EKS-specific CIS benchmark
kubescape scan framework cis-eksCIS Benchmark セクション:
- Control Plane Components
- etcd Configuration
- Control Plane Configuration
- Worker Node Security
- Policies
MITRE ATT&CK Framework
MITRE ATT&CK framework は、security control を既知の攻撃手法に対応付けます。
# Scan against MITRE ATT&CK
kubescape scan framework mitre
# View specific attack techniques
kubescape scan framework mitre --verbose対象となる攻撃カテゴリ:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Impact
Custom Frameworks
組織固有の要件に合わせて custom framework を作成します。
# custom-framework.yaml
name: "Organization Security Standards"
description: "Custom security framework for internal compliance"
controls:
- controlID: C-0001
- controlID: C-0002
- controlID: C-0009
- controlID: C-0034
- controlID: C-0038
- controlID: C-0041
- controlID: C-0044
- controlID: C-0055
- controlID: C-0057# Scan with custom framework
kubescape scan framework --custom-framework custom-framework.yaml
# List available controls
kubescape list controlsFramework Comparison
| Framework | Focus Area | Controls | Best For |
|---|---|---|---|
| NSA-CISA | Government hardening | 30+ | Federal/Government compliance |
| CIS | Configuration baseline | 100+ | General security baseline |
| MITRE ATT&CK | Threat mapping | 40+ | Threat modeling, red team |
| CIS-EKS | AWS EKS specific | 50+ | EKS deployments |
| SOC2 | Compliance | 20+ | SOC 2 audits |
| Custom | Organization-specific | Variable | Internal standards |
CLI スキャン
Scanning Pipeline Flow
Cluster Scanning
# Full cluster scan with NSA-CISA framework
kubescape scan framework nsa
# Scan with verbose output
kubescape scan framework nsa --verbose
# Scan specific namespaces
kubescape scan framework nsa \
--include-namespaces production,staging \
--exclude-namespaces kube-system,monitoring
# Scan with severity threshold
kubescape scan framework nsa --severity-threshold high
# Output to JSON
kubescape scan framework nsa --format json --output results.json
# Output to SARIF (for GitHub integration)
kubescape scan framework nsa --format sarif --output results.sarif
# Generate HTML report
kubescape scan framework nsa --format html --output report.htmlSpecific Control Scanning
# List all available controls
kubescape list controls
# Scan for a specific control
kubescape scan control C-0034
# Scan multiple controls
kubescape scan control C-0034,C-0038,C-0041
# Get control details
kubescape describe control C-0034一般的な security control:
| Control ID | Name | Description |
|---|---|---|
| C-0001 | Forbidden Container Registries | Detect images from untrusted registries |
| C-0002 | Exec into Container | Detect exec permissions |
| C-0009 | Resource Limits | Check for missing resource limits |
| C-0016 | Allow Privilege Escalation | Detect privilege escalation risk |
| C-0017 | Immutable Container Filesystem | Check for read-only root filesystem |
| C-0034 | Automatic Mapping of SA | Detect automatic service account mounting |
| C-0038 | Host PID/IPC Privileges | Detect host namespace sharing |
| C-0041 | HostNetwork Access | Detect host network usage |
| C-0044 | Container Hostport | Detect hostPort usage |
| C-0046 | Insecure Capabilities | Detect dangerous capabilities |
| C-0055 | Linux Hardening | Check seccomp/AppArmor profiles |
| C-0057 | Privileged Container | Detect privileged containers |
YAML and Helm Manifest Scanning (Shift-Left)
deployment 前に manifest をスキャンして、問題を早期に検出します。
# Scan YAML files
kubescape scan *.yaml
# Scan a directory
kubescape scan ./manifests/
# Scan Helm chart
kubescape scan ./my-chart/
# Scan Helm chart with values
kubescape scan ./my-chart/ --helm-set key=value
# Scan from URL
kubescape scan https://raw.githubusercontent.com/org/repo/main/deployment.yaml
# Scan with specific framework
kubescape scan framework nsa ./manifests/
# Fail on high severity findings
kubescape scan ./manifests/ --severity-threshold high --fail-threshold 0manifest スキャン出力の例:
Controls: 25 (Failed: 3, Excluded: 0, Skipped: 0)
Failed Resources: 5
Compliance Score: 88%
┌──────────────┬────────────────────────────────────────┬──────────────┬────────┐
│ SEVERITY │ CONTROL NAME │ FAILED │ STATUS │
├──────────────┼────────────────────────────────────────┼──────────────┼────────┤
│ High │ Privileged container │ 1 │ failed │
│ High │ Allow privilege escalation │ 2 │ failed │
│ Medium │ Resource limits │ 2 │ failed │
└──────────────┴────────────────────────────────────────┴──────────────┴────────┘Image Vulnerability Scanning
# Scan a specific image
kubescape scan image nginx:latest
# Scan all images in cluster
kubescape scan image --cluster
# Scan images in specific namespace
kubescape scan image --namespace production
# Filter by severity
kubescape scan image nginx:latest --severity critical,high
# Output vulnerabilities as JSON
kubescape scan image nginx:latest --format json --output vulns.json脆弱性出力の例:
Image: nginx:1.21.0
Vulnerabilities Found: 12 (Critical: 2, High: 4, Medium: 6)
┌─────────────────┬──────────────┬──────────┬─────────────────────────────────┐
│ CVE │ SEVERITY │ PACKAGE │ FIX VERSION │
├─────────────────┼──────────────┼──────────┼─────────────────────────────────┤
│ CVE-2023-44487 │ Critical │ openssl │ 1.1.1w │
│ CVE-2023-38545 │ Critical │ curl │ 8.4.0 │
│ CVE-2023-4911 │ High │ glibc │ 2.38-1 │
└─────────────────┴──────────────┴──────────┴─────────────────────────────────┘
Recommendation: Update to nginx:1.25.3 or laterRBAC Visualization and Analysis
# Scan RBAC configuration
kubescape scan rbac
# Analyze specific service account
kubescape scan rbac --service-account default:default
# Analyze specific user
kubescape scan rbac --user admin@example.com
# List subjects with cluster-admin equivalent
kubescape scan rbac --list-cluster-admins
# Export RBAC graph
kubescape scan rbac --format json --output rbac.jsonRBAC 分析機能:
- 権限過多の service account を特定します
- cluster-admin 相当の権限を検出します
- role binding とその scope を可視化します
- 未使用の role と binding を見つけます
- リスクの高い権限の組み合わせを強調表示します
Operator Mode (In-Cluster)
Continuous Scanning Architecture
Operator Components
# Verify operator installation
kubectl get pods -n kubescape
# Expected output:
# NAME READY STATUS RESTARTS AGE
# kubescape-operator-7d8f9c6b4d-x2h8k 1/1 Running 0 2h
# kubescape-storage-6b9d4f5c8a-m3n7p 1/1 Running 0 2h
# kubescape-gateway-5c7e8d9f6b-q4w2r 1/1 Running 0 2h
# node-agent-abcd1 1/1 Running 0 2h
# node-agent-efgh2 1/1 Running 0 2h
# Check CRDs
kubectl get crd | grep kubescapeScheduled Scanning Configuration
# scanning-schedule.yaml
apiVersion: kubescape.io/v1alpha1
kind: ScanSchedule
metadata:
name: daily-compliance-scan
namespace: kubescape
spec:
schedule: "0 2 * * *" # Daily at 2 AM
scanType: framework
framework: nsa
namespaces:
include:
- production
- staging
exclude:
- kube-system
severityThreshold: medium
notifications:
slack:
enabled: true
channel: "#security-alerts"
email:
enabled: true
recipients:
- security-team@example.com# Apply scanning schedule
kubectl apply -f scanning-schedule.yaml
# View scan results
kubectl get vulnerabilitymanifests -n kubescape
kubectl get configurationscans -n kubescapeVulnerability Scanning Integration
# vulnerability-scan-config.yaml
apiVersion: kubescape.io/v1alpha1
kind: VulnerabilityScanConfig
metadata:
name: image-scanning
namespace: kubescape
spec:
enabled: true
scanNewImages: true
scanInterval: "24h"
registries:
- url: "123456789012.dkr.ecr.us-west-2.amazonaws.com"
credentials:
secretRef: ecr-credentials
severityThreshold: high
ignoredCVEs:
- CVE-2023-12345 # Known false positiveRuntime Threat Detection (Node Agent with eBPF)
Node Agent は eBPF を使用して、低オーバーヘッドの runtime 監視を行います。
# node-agent configuration
nodeAgent:
enabled: true
config:
applicationProfile:
enabled: true
interval: "1m"
networkPolicy:
enabled: true
runtimeDetection:
enabled: true
rules:
- name: "Crypto Mining Detection"
enabled: true
- name: "Reverse Shell Detection"
enabled: true
- name: "Privilege Escalation"
enabled: true
- name: "Container Escape"
enabled: true
alertThreshold: warningRuntime detection 機能:
- Process 実行の異常
- file system アクセス監視
- network connection 追跡
- capability 使用の検出
- syscall 監視
Kubernetes API Attack Detection
# api-threat-detection.yaml
apiVersion: kubescape.io/v1alpha1
kind: ThreatDetectionConfig
metadata:
name: api-monitoring
namespace: kubescape
spec:
apiServer:
enabled: true
detectionRules:
- name: "Suspicious kubectl exec"
severity: high
pattern:
verb: create
resource: pods/exec
- name: "Secret Enumeration"
severity: medium
pattern:
verb: list
resource: secrets
- name: "RBAC Modification"
severity: high
pattern:
verb: ["create", "update", "patch", "delete"]
resource: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
- name: "Service Account Token Access"
severity: medium
pattern:
verb: create
resource: serviceaccounts/tokenRisk Scoring
Risk Score Calculation
Kubescape は複数の要素に基づいて risk score を計算します。
Risk Score = Σ (Control Severity × Resource Count × Exposure Factor)
─────────────────────────────────────────────────────────
Total Controls × Max Severity構成要素:
- Control Severity: Critical (10)、High (7)、Medium (4)、Low (1)
- Resource Count: 影響を受ける resource の数
- Exposure Factor: network exposure、privilege level、data sensitivity
Severity Levels
| Level | Score Range | Description | Action Required |
|---|---|---|---|
| Critical | 9-10 | Immediate exploitation risk | Immediate remediation |
| High | 7-8 | Significant security risk | Remediate within 24 hours |
| Medium | 4-6 | Moderate security concern | Remediate within 7 days |
| Low | 1-3 | Minor security improvement | Remediate within 30 days |
| Negligible | 0 | Informational | No action required |
Viewing Risk Scores
# Scan with detailed risk scoring
kubescape scan framework nsa --verbose
# Get risk score summary
kubescape scan framework nsa --format json | jq '.riskScore'
# Sort results by risk score
kubescape scan framework nsa --format pretty-printerrisk score 出力の例:
┌─────────────────────────────────────────────────────────────────────────────┐
│ Risk Assessment Summary │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Overall Risk Score: 34/100 │
│ Compliance Score: 76% │
│ │
│ ┌─────────────┬──────────┬───────────────────────────────────────────┐ │
│ │ Severity │ Controls │ Progress │ │
│ ├─────────────┼──────────┼───────────────────────────────────────────┤ │
│ │ Critical │ 0/2 │ ████████████████████ 100% │ │
│ │ High │ 3/8 │ ██████████████░░░░░░ 62% │ │
│ │ Medium │ 5/15 │ ████████████████░░░░ 67% │ │
│ │ Low │ 2/10 │ ████████████████████ 80% │ │
│ └─────────────┴──────────┴───────────────────────────────────────────┘ │
│ │
│ Top 5 Risks: │
│ 1. Privileged containers in production (Score: 9.2) │
│ 2. Missing network policies (Score: 7.8) │
│ 3. Containers with CAP_SYS_ADMIN (Score: 7.5) │
│ 4. Service accounts with cluster-admin (Score: 6.9) │
│ 5. Images from untrusted registries (Score: 6.2) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘Prioritization Strategy
# Focus on critical and high severity first
kubescape scan framework nsa --severity-threshold high
# Get prioritized remediation list
kubescape scan framework nsa --format json | \
jq '[.results[].controls[] | select(.status == "failed")] |
sort_by(.severity) | reverse'CI/CD Integration
CI/CD Integration Workflow
GitHub Actions Workflow
# .github/workflows/security-scan.yaml
name: Kubernetes Security Scan
on:
push:
branches: [main, develop]
paths:
- 'k8s/**'
- 'helm/**'
pull_request:
branches: [main]
paths:
- 'k8s/**'
- 'helm/**'
jobs:
kubescape-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Kubescape
run: |
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
- name: Scan Kubernetes manifests
id: scan
run: |
kubescape scan framework nsa ./k8s/ \
--format sarif \
--output results.sarif \
--severity-threshold high \
--compliance-threshold 75
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarif
- name: Scan Helm charts
run: |
kubescape scan framework cis ./helm/my-app/ \
--format json \
--output helm-results.json
- name: Check compliance score
run: |
SCORE=$(cat helm-results.json | jq -r '.complianceScore')
echo "Compliance Score: $SCORE%"
if [ $(echo "$SCORE < 75" | bc) -eq 1 ]; then
echo "Compliance score below threshold!"
exit 1
fi
- name: Upload scan artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: kubescape-results
path: |
results.sarif
helm-results.json
image-scan:
runs-on: ubuntu-latest
needs: kubescape-scan
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Kubescape
run: |
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
- name: Scan container images
run: |
# Extract image names from manifests
IMAGES=$(grep -r "image:" ./k8s/ | awk '{print $2}' | sort -u)
for IMAGE in $IMAGES; do
echo "Scanning: $IMAGE"
kubescape scan image "$IMAGE" \
--format json \
--output "image-scan-$(echo $IMAGE | tr '/:' '-').json" \
--severity critical,high || true
done
- name: Check for critical vulnerabilities
run: |
CRITICAL=$(find . -name "image-scan-*.json" -exec cat {} \; | \
jq -s '[.[].vulnerabilities[] | select(.severity == "Critical")] | length')
if [ "$CRITICAL" -gt 0 ]; then
echo "Critical vulnerabilities found: $CRITICAL"
exit 1
fiGitLab CI/CD Integration
# .gitlab-ci.yml
stages:
- security-scan
- deploy
variables:
KUBESCAPE_VERSION: "latest"
COMPLIANCE_THRESHOLD: 75
SEVERITY_THRESHOLD: "high"
kubescape-scan:
stage: security-scan
image: quay.io/kubescape/kubescape:${KUBESCAPE_VERSION}
script:
- kubescape scan framework nsa ./manifests/
--format json
--output gl-security-report.json
--severity-threshold ${SEVERITY_THRESHOLD}
- |
SCORE=$(cat gl-security-report.json | jq -r '.complianceScore')
echo "Compliance Score: $SCORE%"
if [ $(echo "$SCORE < ${COMPLIANCE_THRESHOLD}" | bc) -eq 1 ]; then
echo "Security scan failed: compliance below threshold"
exit 1
fi
artifacts:
reports:
sast: gl-security-report.json
paths:
- gl-security-report.json
when: always
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCHJenkins Pipeline Integration
// Jenkinsfile
pipeline {
agent any
environment {
KUBESCAPE_ACCOUNT = credentials('kubescape-account-id')
}
stages {
stage('Install Kubescape') {
steps {
sh '''
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
'''
}
}
stage('Security Scan') {
steps {
sh '''
kubescape scan framework nsa ./k8s/ \
--format json \
--output kubescape-results.json \
--severity-threshold high \
--account ${KUBESCAPE_ACCOUNT} \
--submit
'''
}
post {
always {
archiveArtifacts artifacts: 'kubescape-results.json'
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'kubescape-results.html',
reportName: 'Kubescape Security Report'
])
}
}
}
stage('Gate Check') {
steps {
script {
def results = readJSON file: 'kubescape-results.json'
def score = results.complianceScore
if (score < 75) {
error "Security compliance score (${score}%) below threshold (75%)"
}
echo "Security scan passed with score: ${score}%"
}
}
}
}
}Threshold-Based Gates
# Set compliance threshold
kubescape scan framework nsa ./manifests/ \
--compliance-threshold 80 \
--fail-threshold 5
# Fail on any high/critical findings
kubescape scan framework nsa ./manifests/ \
--severity-threshold high \
--fail-threshold 0
# Custom exit codes
kubescape scan framework nsa ./manifests/ \
--format json \
--output results.json
# Check results and set exit code
CRITICAL=$(jq '[.results[].controls[] | select(.status == "failed" and .severity == "Critical")] | length' results.json)
HIGH=$(jq '[.results[].controls[] | select(.status == "failed" and .severity == "High")] | length' results.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "Critical findings: $CRITICAL"
exit 2
elif [ "$HIGH" -gt 3 ]; then
echo "Too many high findings: $HIGH"
exit 1
fiEKS-Specific Guide
EKS-Specific Controls
# Scan with EKS-specific CIS benchmark
kubescape scan framework cis-eks
# Scan for EKS-specific controls
kubescape scan control \
C-0001,C-0034,C-0035,C-0036,C-0037 \
--verboseaws-auth ConfigMap Analysis
# Analyze aws-auth ConfigMap permissions
kubectl get configmap aws-auth -n kube-system -o yaml
# Kubescape RBAC scan includes aws-auth analysis
kubescape scan rbac --verbose | grep -A 20 "aws-auth"一般的な aws-auth の問題:
- 過度に許可された mapRoles エントリ
- root account の直接 mapping
- group 制限の欠如
安全な aws-auth 設定の例:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: arn:aws:iam::123456789012:role/EKSNodeRole
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::123456789012:role/EKSAdminRole
username: eks-admin
groups:
- system:masters
- rolearn: arn:aws:iam::123456789012:role/EKSDeveloperRole
username: eks-developer
groups:
- eks-developers # Custom group with limited permissionsIRSA (IAM Roles for Service Accounts) Validation
# Check service accounts with IRSA annotations
kubectl get sa -A -o json | jq '.items[] |
select(.metadata.annotations["eks.amazonaws.com/role-arn"] != null) |
{namespace: .metadata.namespace, name: .metadata.name, role: .metadata.annotations["eks.amazonaws.com/role-arn"]}'
# Kubescape validates IRSA configuration
kubescape scan control C-0034 --verbose # Automatic SA token mountingIRSA セキュリティチェックリスト:
- 不要な場合は自動 service account token mounting を無効化します
- workload ごとに専用の service account を使用します
- least-privilege IAM policy を適用します
- IAM trust policy で OIDC provider condition を有効化します
# Secure IRSA service account configuration
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-app
namespace: production
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/MyAppRole
automountServiceAccountToken: false # Disable unless needed
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
namespace: production
spec:
template:
spec:
serviceAccountName: my-app
automountServiceAccountToken: true # Enable only where needed
containers:
- name: app
image: my-app:latestEKS Security Best Practices Scan
# Comprehensive EKS security scan
kubescape scan framework nsa,cis-eks \
--verbose \
--format json \
--output eks-security-report.json
# Check for EKS-specific misconfigurations
kubescape scan control \
C-0001 \ # Container registries
C-0002 \ # Exec permissions
C-0034 \ # SA token mounting
C-0035 \ # Cluster admin binding
C-0038 \ # Host namespaces
C-0041 \ # Host network
C-0044 \ # Host ports
C-0046 \ # Insecure capabilities
C-0055 \ # Linux hardening
C-0057 # Privileged containersControl Exception Handling
Exception Policies
既知の許容リスクや false positive のために exception を作成します。
# exceptions.yaml
apiVersion: kubescape.io/v1alpha1
kind: ControlException
metadata:
name: allow-privileged-monitoring
namespace: kubescape
spec:
controlID: C-0057 # Privileged Container
resources:
- namespace: monitoring
kind: DaemonSet
name: node-exporter
- namespace: monitoring
kind: DaemonSet
name: fluent-bit
reason: "Required for host metrics collection"
approvedBy: "security-team@example.com"
expiresAt: "2027-02-25T00:00:00Z"
---
apiVersion: kubescape.io/v1alpha1
kind: ControlException
metadata:
name: allow-hostnetwork-ingress
namespace: kubescape
spec:
controlID: C-0041 # HostNetwork access
resources:
- namespace: ingress-nginx
kind: DaemonSet
name: ingress-nginx-controller
reason: "Ingress controller requires host network for port 80/443"
approvedBy: "platform-team@example.com"
expiresAt: "2027-02-25T00:00:00Z"Applying Exceptions via CLI
# Apply exceptions file
kubescape scan framework nsa --exceptions exceptions.yaml
# Exclude specific namespaces
kubescape scan framework nsa \
--exclude-namespaces kube-system,monitoring,ingress-nginx
# Exclude by label
kubescape scan framework nsa \
--exclude-label "kubescape.io/ignore=true"
# Skip specific controls
kubescape scan framework nsa \
--skip-controls C-0057,C-0041Accepted Risks Documentation
# accepted-risks.yaml
apiVersion: kubescape.io/v1alpha1
kind: AcceptedRisk
metadata:
name: legacy-app-privileges
namespace: kubescape
spec:
description: "Legacy application requires elevated privileges pending migration"
affectedControls:
- controlID: C-0057
severity: high
justification: "Application binary requires CAP_NET_ADMIN for network management"
- controlID: C-0016
severity: high
justification: "Required for privilege escalation within container"
affectedResources:
- namespace: legacy
kind: Deployment
name: legacy-network-app
mitigations:
- "Network policies restrict communication to essential services only"
- "Pod security context limits other capabilities"
- "Runtime monitoring enabled via Falco"
riskOwner: "legacy-team@example.com"
approvedBy: "ciso@example.com"
approvalDate: "2026-02-01"
reviewDate: "2026-08-01"
status: "accepted"Inline Resource Exceptions
# Annotate resources to skip specific controls
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: node-exporter
namespace: monitoring
annotations:
kubescape.io/ignore: "true" # Skip all controls
kubescape.io/ignore-controls: "C-0057,C-0038" # Skip specific controls
kubescape.io/exception-reason: "Required for host metrics collection"
spec:
template:
spec:
containers:
- name: node-exporter
image: prom/node-exporter:latest
securityContext:
privileged: true # Required for host accessBest Practices
Periodic Scanning Schedule
| Environment | Framework | Frequency | Threshold |
|---|---|---|---|
| Production | NSA-CISA + CIS | Daily | Critical: 0, High: 0 |
| Staging | NSA-CISA | Daily | Critical: 0, High: 5 |
| Development | Custom (core controls) | Weekly | Critical: 0 |
| Pre-production | Full (all frameworks) | Per deployment | Critical: 0, High: 0 |
| CI/CD | NSA-CISA | Per commit | Critical: 0 |
Scanning Configuration
# production-scan-config.yaml
apiVersion: kubescape.io/v1alpha1
kind: ScanConfiguration
metadata:
name: production-compliance
spec:
frameworks:
- nsa
- cis
schedule:
continuous:
enabled: true
interval: "1h"
full:
enabled: true
cron: "0 2 * * *"
namespaces:
include:
- production
- production-*
exclude:
- kube-system
thresholds:
compliance: 90
severities:
critical: 0
high: 0
medium: 10
notifications:
onFailure:
slack:
channel: "#security-alerts"
priority: immediate
pagerduty:
enabled: true
onSuccess:
slack:
channel: "#security-daily"
priority: lowCompliance Reporting
# Generate compliance report
kubescape scan framework nsa,cis \
--format html \
--output compliance-report-$(date +%Y%m%d).html
# Generate executive summary
kubescape scan framework nsa \
--format json \
--output results.json
# Extract key metrics
jq '{
date: now | strftime("%Y-%m-%d"),
overallScore: .complianceScore,
criticalFindings: [.results[].controls[] | select(.status == "failed" and .severity == "Critical")] | length,
highFindings: [.results[].controls[] | select(.status == "failed" and .severity == "High")] | length,
totalControls: .results[].controls | length,
passedControls: [.results[].controls[] | select(.status == "passed")] | length
}' results.json > executive-summary.jsonRemediation Workflow
┌─────────────────────────────────────────────────────────────────────────────┐
│ Remediation Workflow │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Scan & Identify │
│ └─▶ kubescape scan framework nsa --format json --output findings.json │
│ │
│ 2. Prioritize by Risk │
│ └─▶ Sort findings by severity and exposure │
│ └─▶ Critical → High → Medium → Low │
│ │
│ 3. Assign & Track │
│ └─▶ Create tickets for each finding │
│ └─▶ Assign to appropriate team │
│ └─▶ Set SLA based on severity │
│ │
│ 4. Remediate │
│ └─▶ Apply fixes to manifests │
│ └─▶ Validate in dev/staging │
│ └─▶ Deploy to production │
│ │
│ 5. Verify │
│ └─▶ Re-scan to confirm remediation │
│ └─▶ Update ticket status │
│ └─▶ Document exceptions if needed │
│ │
│ 6. Monitor │
│ └─▶ Set up alerts for regression │
│ └─▶ Track compliance trends │
│ │
└─────────────────────────────────────────────────────────────────────────────┘Integration with Other Security Tools
# Multi-tool security pipeline
apiVersion: batch/v1
kind: CronJob
metadata:
name: security-scan-pipeline
namespace: security
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
containers:
# Kubescape for configuration scanning
- name: kubescape
image: quay.io/kubescape/kubescape:latest
command:
- /bin/sh
- -c
- |
kubescape scan framework nsa,cis \
--format json \
--output /reports/kubescape-$(date +%Y%m%d).json \
--submit
volumeMounts:
- name: reports
mountPath: /reports
# Trivy for image scanning
- name: trivy
image: aquasec/trivy:latest
command:
- /bin/sh
- -c
- |
trivy k8s --report summary \
--output /reports/trivy-$(date +%Y%m%d).json \
--format json
volumeMounts:
- name: reports
mountPath: /reports
volumes:
- name: reports
persistentVolumeClaim:
claimName: security-reports
restartPolicy: OnFailurePrometheus Metrics Integration
# ServiceMonitor for Kubescape metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: kubescape
namespace: monitoring
spec:
selector:
matchLabels:
app: kubescape
endpoints:
- port: metrics
interval: 60s
path: /metrics監視すべき主な metrics:
| Metric | Description | Alert Threshold |
|---|---|---|
kubescape_compliance_score | Overall compliance percentage | < 80% |
kubescape_critical_findings | Number of critical findings | > 0 |
kubescape_high_findings | Number of high findings | > 5 |
kubescape_scan_duration_seconds | Scan execution time | > 600 |
kubescape_last_scan_timestamp | Last successful scan time | > 24h ago |
まとめと参考資料
Key Takeaways
Multi-Framework Support: Kubescape は、包括的なコンプライアンス範囲のために NSA-CISA、CIS、MITRE ATT&CK、custom framework をサポートします。
Shift-Left Security: deployment 前に CI/CD pipeline で manifest と Helm chart をスキャンし、問題を早期に検出します。
Continuous Monitoring: operator をデプロイして、scheduled scan による継続的な security posture monitoring を実施します。
Risk-Based Prioritization: risk scoring を使用して、最も影響の大きい finding に remediation 作業を優先します。
Exception Management: 適切な承認 workflow により、accepted risk を文書化して追跡します。
EKS Integration: AWS deployment では、EKS-specific control と IRSA validation を活用します。
Quick Reference Commands
# Basic cluster scan
kubescape scan framework nsa
# Scan with multiple frameworks
kubescape scan framework nsa,cis,mitre
# Scan manifests before deployment
kubescape scan ./manifests/
# Image vulnerability scan
kubescape scan image nginx:latest
# RBAC analysis
kubescape scan rbac
# CI/CD integration (fail on high severity)
kubescape scan framework nsa \
--severity-threshold high \
--compliance-threshold 80 \
--format sarif \
--output results.sarif
# Generate HTML report
kubescape scan framework nsa --format html --output report.htmlReferences
- Kubescape Official Documentation
- Kubescape GitHub Repository
- NSA-CISA Kubernetes Hardening Guide
- CIS Kubernetes Benchmark
- MITRE ATT&CK for Containers
- Kubescape Cloud Platform
- CNCF Sandbox Projects