
Kubernetes Security with Kubescape for CI/CD

Kubernetes Security: Protect Your Clusters with Kubescape

Kubernetes security is essential for enterprises running cloud-native applications. Its adoption continues to grow rapidly, with a 67% increase among developers in 2021. However, the platform’s complexity makes it easy to leave clusters vulnerable to attacks. Implementing automated security checks in your CI/CD pipeline is the most effective way to defend your systems. Tools like Kubescape make this process straightforward and reliable.

At ZippyOPS, we provide consulting, implementation, and managed services across DevOps, DevSecOps, DataOps, Cloud, Automated Ops, AIOps, MLOps, Microservices, Infrastructure, and Security. Our expertise ensures that Kubernetes environments stay secure and efficient throughout the development lifecycle. Explore our services and solutions to learn more.

Kubernetes security scanning with Kubescape in a CI/CD pipeline

What Is Kubescape?

Kubescape is an open-source security scanning tool for Kubernetes clusters. Developed by ARMO, it inspects containers, scans clusters, and detects unsafe deployments before they reach production. Even experienced teams occasionally overlook vulnerabilities. For example, JW Player suffered a cryptocurrency miner attack in 2019 due to a container with elevated permissions—a risk Kubescape would have flagged immediately.

The tool implements over 70 security controls based on guidelines from the NSA, CISA, and Microsoft. These controls are organized into four frameworks:

  • NSA: Focuses on application security following NSA Kubernetes Hardening Guidelines.
  • MITRE: Protects the Kubernetes infrastructure based on the MITRE ATT&CK-style threat matrix for Kubernetes published by Microsoft.
  • ArmoBest: Covers blind spots between MITRE and NSA frameworks.
  • DevOpsBest: A minimal set of controls for essential infrastructure and application security.

Kubescape runs all checks by default and provides a risk score for each framework, giving teams actionable insights to improve Kubernetes security.


Sanity Controls for Kubernetes Security

Securing Kubernetes involves two levels: cluster-level and application-level. Cluster hardening is critical, especially for self-managed and on-premises setups. Meanwhile, applications must follow deployment best practices to prevent vulnerabilities.

Kubescape analyzes deployment manifests to identify issues such as:

  • Running containers as root or with excessive capabilities
  • Unsecured SSH services inside containers
  • Pods consuming excessive CPU or memory
  • Containers with sudo commands in the start process
  • Pods without a parent ReplicaSet

Each control is rated from low to critical risk. By scanning manifests and clusters, teams receive a comprehensive risk score from 0% (secure) to 100% (highly vulnerable). See Kubescape frameworks in ARMO documentation.
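The following manifest is an added, constructed example (it is not from the original post, and the image name is a placeholder). The first document is a bare Pod that exhibits the configuration problems listed above: it runs privileged as root, starts its process through sudo, exposes an SSH port, has no resource limits, and has no parent ReplicaSet. The second document is the same workload written as a hardened Deployment. Saving both into a file and running `kubescape scan` against it shows how each variant scores.

```yaml
# Constructed example manifest for scanning with Kubescape (not from the original post).
# Document 1: a bare Pod with the kinds of issues the text lists.
apiVersion: v1
kind: Pod                                  # bare Pod: no parent ReplicaSet, so no self-healing
metadata:
  name: web-unsafe
spec:
  containers:
    - name: web
      image: example.org/web:1.0           # placeholder image
      command: ["/bin/sh", "-c", "sudo /usr/local/bin/web"]  # sudo in the start process
      ports:
        - containerPort: 22                # SSH service reachable inside the container
        - containerPort: 8080
      securityContext:
        privileged: true                   # root with every Linux capability
        runAsUser: 0
      # no resources block: the pod may consume unbounded CPU and memory
---
# Document 2: the hardened equivalent of the same workload.
apiVersion: apps/v1
kind: Deployment                           # a Deployment owns a ReplicaSet, which owns the Pods
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false  # no API token unless the app needs one
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: example.org/web:1.0       # placeholder image
          command: ["/usr/local/bin/web"]  # no sudo; runs as the unprivileged user
          ports:
            - containerPort: 8080          # only the application port, no SSH
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]                # drop every capability, add back only what is required
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
```

Running `kubescape scan framework DevOpsBest manifest.yml` against the file reports the controls each document fails; the hardened Deployment is the shape a manifest should have before it is allowed through the pipeline described later on this page.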


Running Kubescape on Manifests

To scan a deployment manifest:

$ kubescape scan deployment.yml

You can also run scans for specific frameworks:

$ kubescape scan framework DevOpsBest deployment.yml

Or execute individual controls using their ID codes:

$ kubescape scan control C-0076,C-0004 deployment.yml

The output provides a clear table with risk scores for each control. This makes it easier for teams to prioritize fixes before production.


Cluster-Level Security Checks

About 47% of security issues stem from default Kubernetes configurations, leaving many self-managed clusters exposed. Kubescape helps detect:

  • Unsecured worker nodes
  • Exposed administrative dashboards
  • Known CVEs affecting cluster components
  • Missing network policies
  • Kubelet clients running without TLS authentication

For a full cluster scan, simply run:

$ kubescape scan

You can enable host-level scanning for more granular results:

$ kubescape scan framework DevOpsBest --enable-host-scan

This gives detailed insights into vulnerabilities across nodes, ensuring proactive security management.


Automating Kubernetes Security in CI/CD

Continuous security requires embedding checks in the CI/CD pipeline to prevent unsafe deployments. Using CI/CD platforms like Semaphore, you can integrate Kubescape as part of your build and deployment workflow.

Steps include:

  1. Add your project to Semaphore.
  2. Install Kubescape in the pipeline using:
     $ curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
  3. Scan deployment manifests and generate a JUnit test report. The `-t` (fail threshold) flag makes Kubescape exit with a non-zero status when the risk score exceeds `$MAX_RISK`:
     $ kubescape scan -t "$MAX_RISK" deployment.yml --format junit -o report.xml
  4. Configure CI/CD jobs to fail if risk exceeds the threshold, blocking unsafe deployments.

This ensures both deployment manifests and cluster configurations are continuously monitored.


Pre-Flight Cluster Checks

Securing deployments alone is insufficient. Clusters require regular pre-flight checks to maintain safety. Kubescape supports:

  • Background scanning on clusters with results viewable in the Armo Cloud portal
  • Pre-deployment scans in CI/CD pipelines

Upload the Kubeconfig file as a secret in your CI/CD system and add a scanning job before each deployment:

$ kubescape scan --exclude-namespaces kube-system,kube-public -t "$MAX_RISK" --format junit -o report.xml

With this job in place, a deployment is blocked whenever the target cluster's risk score has drifted above the threshold, so it cannot silently proceed into an environment that no longer passes the checks.
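The pipeline below is an added example that ties together the CI/CD steps above and the pre-flight cluster check; it is not from the original post or from the Semaphore or Kubescape projects. It assumes the repository keeps `deployment.yml` at its root, that a Semaphore secret named `kubeconfig` (a hypothetical name) mounts the kubeconfig file at `/home/semaphore/.kube/config`, and that the installer places the binary under `~/.kubescape/bin` (an assumption; the page runs `kubescape` directly after installing). The first block gates on the manifest scan, the second runs the cluster scan against the kubeconfig secret, and the deploy pipeline is promoted only when both pass.

```yaml
# .semaphore/semaphore.yml -- constructed example, not from the original post.
# Assumptions: deployment.yml at the repo root; a Semaphore secret "kubeconfig"
# (hypothetical name) that mounts the file at /home/semaphore/.kube/config;
# the installer's binary directory (~/.kubescape/bin) is an assumed location.
version: v1.0
name: Kubescape security gate
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu2004

global_job_config:
  env_vars:
    - name: MAX_RISK              # risk score (0-100) above which kubescape exits non-zero
      value: "30"
  prologue:
    commands:
      - checkout
      - curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
      - export PATH="$HOME/.kubescape/bin:$PATH"   # assumed install location

blocks:
  - name: Scan manifests
    task:
      jobs:
        - name: kubescape manifest scan
          commands:
            # -t makes the job fail when the manifest risk score exceeds MAX_RISK
            - kubescape scan -t "$MAX_RISK" deployment.yml --format junit -o report.xml
      epilogue:
        always:
          commands:
            - test-results publish report.xml    # surfaces the JUnit report in Semaphore

  - name: Pre-flight cluster check
    dependencies: ["Scan manifests"]          # only runs once the manifests are clean
    task:
      secrets:
        - name: kubeconfig                    # hypothetical secret holding the kubeconfig file
      jobs:
        - name: kubescape cluster scan
          commands:
            - export KUBECONFIG=/home/semaphore/.kube/config
            # system namespaces are excluded so platform components do not skew the score
            - kubescape scan --exclude-namespaces kube-system,kube-public -t "$MAX_RISK" --format junit -o report.xml
      epilogue:
        always:
          commands:
            - test-results publish report.xml

promotions:
  - name: Deploy
    pipeline_file: deploy.yml                 # the deployment pipeline (not shown here)
    auto_promote:
      when: "result = 'passed' and branch = 'main'"
```

The kubeconfig secret is created once from a workstation, for example with `sem create secret kubeconfig --file ~/.kube/config:/home/semaphore/.kube/config`; the pipeline never commits credentials to the repository. Keeping `MAX_RISK` as a single pipeline-wide variable means the manifest gate and the cluster gate enforce the same policy, and lowering it over time tightens both at once.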


Why ZippyOPS for Kubernetes Security

ZippyOPS offers end-to-end support for Kubernetes security and operations. We provide:

  • Consulting, implementation, and managed services for DevOps, DevSecOps, Cloud, Automated Ops, AIOps, MLOps, Microservices, Infrastructure, and Security
  • Integrated solutions for infrastructure monitoring, application security, and automated operations
  • Products and solutions that streamline Kubernetes security and CI/CD automation

Our YouTube channel offers tutorials and demos showing practical implementations in real-world environments.

By partnering with ZippyOPS, organizations can secure Kubernetes clusters, prevent attacks, and optimize deployment workflows without disrupting operations.


Conclusion

Kubernetes security is a continuous practice that must be embedded into every stage of software development. Tools like Kubescape provide actionable insights to prevent vulnerabilities, both in cluster configurations and deployment manifests. By automating scans within CI/CD pipelines and leveraging expert guidance from ZippyOPS, enterprises can maintain robust security while scaling their cloud-native applications.

For expert Kubernetes consulting and managed services, contact sales@zippyops.com.
