Kubescape comes with support for the following frameworks:
nsa framework is built on the Kubernetes Hardening Guide published by the United States National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Controls in this framework validate adherence to the best practices in that guide.
mitre framework is based on the MITRE ATT&CK® framework, a knowledge base of known tactics, techniques and procedures (TTPs) used in cyberattacks. The Threat Matrix for Kubernetes was inspired by MITRE ATT&CK and contains attack techniques and mitigations specific to Kubernetes environments. Controls in this framework map to the individual TTPs in the threat matrix.
The CIS family of frameworks are derived from the CIS Kubernetes Benchmarks, a set of secure configuration guidelines developed for Kubernetes.
The frameworks are:
cis, for default Kubernetes clusters
cis-aks, for Azure Kubernetes Service
cis-eks, for Amazon Elastic Kubernetes Service
Scanning using a framework
To scan a cluster using a particular framework, use the command kubescape scan framework <framework>. You can specify more than one framework by providing a comma-separated list, such as kubescape scan framework nsa,mitre.
Before Kubescape 3.0, the default behaviour of kubescape scan was to scan the NSA and MITRE frameworks.
Using frameworks for compliance
Kubescape uses two metrics to help you use frameworks for validating the compliance of an environment.
The control compliance score measures the compliance of individual controls within a framework. It is calculated by evaluating the ratio of resources that passed to the total number of resources evaluated against that control.
The framework compliance score provides an overall assessment of your cluster's compliance with a specific framework. It is calculated by averaging the control compliance scores of all controls within the framework.
In scan results, you may see the control compliance score listed as Action Required. Some controls require configuration before they can be evaluated; for example, the list of allowed container registries. See Customizing control configuration.
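The two metrics above, worked through on constructed data as an added example (this is not Kubescape's code, and the input layout is a hypothetical one built for illustration, not Kubescape's JSON output schema). How Kubescape treats Action Required controls when averaging is not stated on this page; the example assumes they are left out of the average rather than counted as zero.

```python
"""Compute control and framework compliance scores the way this page describes them.

Added example, not Kubescape's own code. The control records below are
constructed for illustration and do not follow Kubescape's output schema.
"""
from typing import Optional

# Constructed results for a hypothetical framework: per control, the number of
# resources that passed and failed, and whether the control still needs
# configuration before it can be evaluated (shown as "Action Required").
SAMPLE_CONTROLS = [
    {"id": "C-0001", "passed": 8, "failed": 2, "action_required": False},
    {"id": "C-0002", "passed": 0, "failed": 5, "action_required": False},
    {"id": "C-0003", "passed": 10, "failed": 0, "action_required": False},
    # Hypothetical control needing configuration, e.g. an allowed-registry list.
    {"id": "C-0004", "passed": 0, "failed": 0, "action_required": True},
]


def control_compliance_score(control: dict) -> Optional[float]:
    """Ratio of passed resources to all evaluated resources, as a percentage.

    Returns None when the control cannot be scored: it is Action Required, or
    no resources were evaluated against it at all.
    """
    if control["action_required"]:
        return None
    total = control["passed"] + control["failed"]
    if total == 0:
        return None
    return 100.0 * control["passed"] / total


def framework_compliance_score(controls: list) -> Optional[float]:
    """Average of the control compliance scores of all scorable controls.

    Assumption (not stated on the page): unscorable controls are excluded from
    the average instead of being counted as 0%.
    """
    scores = [s for s in (control_compliance_score(c) for c in controls) if s is not None]
    if not scores:
        return None
    return sum(scores) / len(scores)


def report(controls: list) -> dict:
    """Map each control id to its score, or to 'Action Required' when unscorable."""
    return {c["id"]: (control_compliance_score(c) if control_compliance_score(c) is not None
                      else "Action Required") for c in controls}
```

With the sample data, C-0001 scores 80%, C-0002 0%, C-0003 100%, C-0004 is reported as Action Required, and the framework score is the average of the three scorable controls, 60%.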
To learn how to download the framework data, see the documentation for installing in an air-gapped environment.
To learn how to create and use your own custom framework, see the Contributing section of the regolibrary README.md.
You can use a locally defined framework