August 18, 2021

Kubescape: The First Open-Source Tool for Running NSA and CISA Kubernetes Hardening Tests

Ben Hirschberg

VP R&D & Co-founder

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published comprehensive recommendations for strengthening the security of an organization’s Kubernetes system to help companies make their Kubernetes environment more difficult to compromise.

This 52-page cybersecurity technical report offers practical guidance for admins to manage Kubernetes securely, focusing on the common sources for a compromised Kubernetes environment.

Now, ARMO is pleased to announce the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA.

To learn more, visit the Kubescape GitHub page.

Kubescape is based on the OPA engine and ARMO's posture controls.

Kubescape retrieves the Kubernetes objects from the API server and scans them by running a set of Rego snippets developed by ARMO.

It establishes how well your Kubernetes configurations meet the best-practice recommendations from the NSA and CISA guidance.

The results are printed in a console-friendly format by default, but they can also be retrieved as JSON for further processing.

[Screenshot: example test output from kubescape]

Kubescape currently runs the following tests, based on what is defined in the Kubernetes Hardening Guidance by NSA and CISA. More tests will be added soon – stay tuned!

  • Non-root containers
  • Immutable container filesystem 
  • Building secure container images
  • Privileged containers 
  • hostPID, hostIPC privileges
  • hostNetwork access
  • allowedHostPaths field
  • Protecting pod service account tokens
  • Pods in kube-system and kube-public
  • Resource policies
  • Control plane hardening 
  • Encrypted secrets 
  • Anonymous Requests
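To make concrete what "retrieve the objects from the API server and scan them against a set of controls" means, here is an added example that is not Kubescape's own code (Kubescape evaluates Rego policies on an OPA engine; this is a plain Python re-implementation of the pod-level controls from the list above for illustration). It takes a Pod object in the shape the API server returns, evaluates the non-root, immutable filesystem, privileged, host namespace, hostPath, service account token, resource limits and system-namespace checks, and renders the report either console-style or as JSON. The sample Pod is constructed for the example; the cluster-level controls (control plane hardening, encrypted secrets, anonymous requests) need other API objects and are not covered.

```python
import json

# Constructed sample Pod, as the API server would return it (not from the page).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "hostNetwork": False,
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {
                "name": "app",
                "image": "example/app:latest",
                "securityContext": {"privileged": True},
            },
            {
                "name": "sidecar",
                "image": "example/sidecar:1.2.3",
                "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
                "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
            },
        ],
    },
}


def _containers(pod):
    """Regular and init containers are both subject to the checks."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _effective(container, pod, key):
    """A container-level securityContext value overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (pod.get("spec", {}).get("securityContext") or {}).get(key)


def non_root_violations(pod):
    # Non-root containers: runAsNonRoot must resolve to True.
    return [c["name"] for c in _containers(pod) if _effective(c, pod, "runAsNonRoot") is not True]


def immutable_fs_violations(pod):
    # Immutable container filesystem: readOnlyRootFilesystem is container-level only.
    return [c["name"] for c in _containers(pod)
            if not (c.get("securityContext") or {}).get("readOnlyRootFilesystem")]


def privileged_containers(pod):
    return [c["name"] for c in _containers(pod) if (c.get("securityContext") or {}).get("privileged")]


def host_namespace_flags(pod):
    spec = pod.get("spec", {})
    return [k for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k)]


def host_path_volumes(pod):
    return [v["hostPath"]["path"] for v in pod.get("spec", {}).get("volumes", []) if "hostPath" in v]


def service_account_token_automounted(pod):
    # Pod-level setting only; the ServiceAccount object can also disable automount,
    # which a full scan would need to fetch from the API server as well.
    return pod.get("spec", {}).get("automountServiceAccountToken", True)


def containers_without_limits(pod):
    return [c["name"] for c in _containers(pod) if not (c.get("resources") or {}).get("limits")]


def in_system_namespace(pod):
    return pod.get("metadata", {}).get("namespace") in ("kube-system", "kube-public")


def scan(pod):
    """Run every pod-level control; a control fails when its finding is truthy."""
    findings = {
        "Non-root containers": non_root_violations(pod),
        "Immutable container filesystem": immutable_fs_violations(pod),
        "Privileged containers": privileged_containers(pod),
        "hostPID, hostIPC, hostNetwork": host_namespace_flags(pod),
        "allowedHostPaths field": host_path_volumes(pod),
        "Protecting pod service account tokens": service_account_token_automounted(pod),
        "Resource policies": containers_without_limits(pod),
        "Pods in kube-system and kube-public": in_system_namespace(pod),
    }
    return {
        "name": pod.get("metadata", {}).get("name"),
        "namespace": pod.get("metadata", {}).get("namespace"),
        "findings": findings,
        "failed": [control for control, finding in findings.items() if finding],
    }


def render(report, as_json=False):
    """Console-friendly text by default, JSON on request."""
    if as_json:
        return json.dumps(report, indent=2)
    lines = [f"Pod {report['namespace']}/{report['name']}"]
    for control, finding in report["findings"].items():
        status = "FAIL" if finding else "PASS"
        lines.append(f"  [{status}] {control}" + (f": {finding}" if finding else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(scan(SAMPLE_POD)))
```

Running the block prints a per-control PASS/FAIL line for the sample Pod; `render(scan(pod), as_json=True)` gives the same report as JSON for piping into other tooling. The same functions can be applied to every Pod returned by the API server list call to get a cluster-wide view.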

Kubescape is an open-source project, and we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.
