Kubernetes Security Scanning...and more?
Kubernetes security and visibility lie at the heart of most cloud security startup innovations. Because the field is so complex and growing by the day, it’s easy to lose track of who’s really doing what, and which products merely exist as checkboxes versus providing real value.
This week, we dive deep on ARMO, one of the original companies in the space, which has invested deeply in open source tooling, with their cloud platform layered on top. In this deep dive, we take a look at ARMO’s history, platform, ideal use cases, pros, and cons.
History
ARMO was founded in Israel in 2019. Their first public seed round was $3.5 million in 2021, led by Pitango VC, followed by a $30 million Series A in 2022 led by Tiger Global Management. They have 40 employees, and have a deep commitment to open source Kubernetes security. The first commit to their public repository, Kubescape, was in 2021 and Kubescape has accrued nearly 9,000 stars on GitHub.
I was first exposed to Kubescape in the early days of exploring Kubernetes security. Their quick and lightweight scanner was an easy way for security engineers, who usually don’t have much Kubernetes experience, to begin wrapping their heads around what sort of cluster misconfigurations can exist and begin conversations with their DevOps teams about how to fix them.
Due to their open source nature and lightweight scanning options, ARMO has always done a great job at living at the intersection of security and DevOps. In my experience as a security engineer, the hardest part of Cloud Security is getting this conversation started, and ARMO has always provided a great gateway to that conversation.
Platform
The ARMO Platform has evolved into three distinct sections: compliance and vulnerability scanning of the cluster itself, surfacing vulnerabilities in the images running inside the cluster, and visualizing Kubernetes roles and service accounts.
Compliance Scanning
The heart of ARMO’s platform is their compliance scanning, which has the best rules I’ve seen for scanning for cluster misconfigurations. They do an excellent job of balancing being quick to deploy with providing deeper analysis than most tools by really breaking apart all of the resources that exist inside the cluster.
As far as rules go, they attempt to map k8s controls across compliance frameworks like CIS benchmarks, MITRE, and NSA controls alongside their own best practices to provide meaningful insights to DevOps and Security practitioners alike. This creates reasons for DevOps teams to investigate the platform themselves, rather than being solely a security tool. An example of this crossover is alerting on lack of memory and CPU limits, alongside over-provisioned Kubernetes service accounts.
This data exists within the open source tool, but the extra insight granted by the platform comes in the form of fix analysis, highlighting the changes that must be made in the YAML.
While their categorization of alerts is good, they suffer from typical issues in this space when it comes to medium and low alerts. For example, you definitely should implement Kubernetes network policies for security, but resolving this one medium alert could easily take an entire quarter to implement properly for larger organizations. Their docs provide a ton of value in giving explanations for their rules, but lack larger scale guidance for security teams trying to figure out how to gauge the necessity of dropping a giant project in DevOps’ laps. In other words, don’t expect the platform to fix things for you without doing some project work yourself, although the platform helps by providing fixes inline in the YAML files.
Image Vulnerability Scanning
ARMO’s evolution into image scanning is newer, and in its current state it serves more as a “check the box” function than as anything actionable; however, they currently provide and are continuing to develop a few areas that help the feature stand out from other providers.
Let’s start with what they do well: categorizing CVEs based on the context of the running cluster. Negligible, fixable, and RCE (remote code execution) are all critical contexts for navigating the CVE ocean that tools like this tend to uncover. The ARMO platform does a good job surfacing the vulnerabilities that are truly fixable and the most likely to get you into trouble. Like some other tools in this space, they show you the libraries that are actually running in order to help you prioritize as well.
With those positives listed, there are many areas of growth for this feature, which many larger vendors like Prisma Cloud or Sysdig are not themselves immune to:
There is no base image detection to tell you if the vulnerabilities are coming from your base image or something you’re adding in your Dockerfile - and this functionality wouldn’t exist in the pipeline to tell you exactly where a vuln is coming from.
There is nothing showing the layers of the Docker image to see where your vulnerability is getting introduced.
There is no guidance on how to actually go about remediating, such as installing custom packages versus just running an apt upgrade.
Alerts exist for tools that you really can do nothing about, such as the AWS kube-system images.
The workflow management is very basic, offering an easy ignore and exports to Jira.
All in all, this is a great expansion into this category from ARMO, but can’t compete on its own against better dedicated providers; however, the state of this category from the larger CNAPP providers is also lacking. This is why Remediation Platforms have been created. In short, not the best for large scale remediation across all your images, but great at providing a hit list of the vulns that are the most likely to get you in trouble.
RBAC Visualizer
More providers in this space are realizing the complexity of Kubernetes authorization and identity management. Between OIDC plugins, AWS plugins, SA accounts and permissions, and more, there are usually a ton of identities in Kubernetes spaces that go overlooked.
Providing visualization and a query mechanism are great first steps in this area, but require the user to know what they’re looking for. For example, querying for SA accounts with create role permissions returned blank, but SA with * returned the role I was looking for.
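The query result above comes down to wildcard rules: a role granting * never contains the literal string "create". The following is an added example, not ARMO or Kubescape code, that resolves role bindings to service accounts with and without wildcard expansion; all role, binding, and account names are constructed, and the objects are flattened versions of the rbac.authorization.k8s.io/v1 schema.

```python
# Added example: wildcard-aware RBAC search over constructed, flattened objects.
# Rule fields (apiGroups, resources, verbs) follow rbac.authorization.k8s.io/v1.
ROLES = {  # constructed sample data, keyed by (kind, namespace, name)
    ("ClusterRole", None, "ops-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("Role", "dev", "role-manager"): [
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles"], "verbs": ["create", "update"]}],
    ("Role", "dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BINDINGS = [  # constructed; namespace None means a ClusterRoleBinding
    {"namespace": None, "roleRef": {"kind": "ClusterRole", "name": "ops-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"namespace": "dev", "roleRef": {"kind": "Role", "name": "role-manager"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "gitops"}]},
    {"namespace": "dev", "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "metrics"}]},
]

def covers(granted, wanted, expand_wildcards):
    """True if a rule field lists the value, or '*' when wildcards are expanded."""
    return wanted in granted or (expand_wildcards and "*" in granted)

def rule_allows(rule, verb, api_group, resource, expand_wildcards=True):
    # resourceNames and subresources are ignored here to keep the example small.
    return (covers(rule.get("verbs", []), verb, expand_wildcards)
            and covers(rule.get("apiGroups", []), api_group, expand_wildcards)
            and covers(rule.get("resources", []), resource, expand_wildcards))

def find_service_accounts(verb, api_group, resource, expand_wildcards=True):
    """Return sorted (sa_namespace, sa_name, scope) tuples that hold the permission."""
    hits = set()
    for binding in BINDINGS:
        ref = binding["roleRef"]
        role_ns = binding["namespace"] if ref["kind"] == "Role" else None
        rules = ROLES.get((ref["kind"], role_ns, ref["name"]), [])
        if not any(rule_allows(r, verb, api_group, resource, expand_wildcards)
                   for r in rules):
            continue
        scope = binding["namespace"] or "cluster-wide"
        for subject in binding["subjects"]:
            if subject["kind"] == "ServiceAccount":
                hits.add((subject["namespace"], subject["name"], scope))
    return sorted(hits)

if __name__ == "__main__":
    q = ("create", "rbac.authorization.k8s.io", "roles")
    print(find_service_accounts(*q, expand_wildcards=False), find_service_accounts(*q))
```

The literal search misses the cluster-wide wildcard account entirely, which is the account a reviewer most needs to see.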
The true frontier of this technology is mapping alerts and priorities based on these queries and the context in which they’re running. An SA account with admin permissions attached to a pod, for example, is a large security issue, whereas the kubelet being able to access nodes is irrelevant. These are all features their team showed me are being worked on, and I’m excited about the future of the platform here.
Ideal Use Cases
1. A security team getting started with Kubernetes security.
This use case follows the ideal flow for ARMO - a security team can easily clone and run Kubescape, and begin conversations with their DevOps team around findings. Assuming positive results, they can then investigate the paid platform and use it to fill the Kubernetes visibility gap.
2. A DevOps team looking to shore up their security posture
Many startups are plagued by sudden compliance and security concerns, and the ARMO platform provides a great on-ramp for them dipping their feet into security. DevOps teams I’ve worked with care about security, but don’t know how to prioritize or get started, and ARMO is great for diving in.
3. A larger org with legacy tooling looking to shore up Kubernetes security
Big players like CrowdStrike, Splunk, and IBM have provided tools to security teams that have been slow to surface evolving Kubernetes guidelines for teams. For companies that are already heavily invested in these larger runtime providers, a provider like ARMO can fill a more specific gap than something like Wiz or Sysdig, which cover much larger areas.
Pros:
Fast to deploy
Open source foundation
Narrow use case executed very well
DevOps and Security friendly
Actionable compliance scanning
Pricing is fair compared to more holistic providers
Cons:
Image scanning is not as actionable as it needs to be
Can generate noise at medium and below alerts
Functionality is mimicked elsewhere in similar providers
The Future of ARMO
Like other providers in this space, the future of ARMO is heavily reliant on how their Kubernetes protection differentiates from consolidation providers. With eBPF exploding, there is also a question of whether configuration scanning alone is enough without additional runtime protection against an actual exploit.
Because of their investment in open source technology, the future is bright for ARMO as more orgs adopt Kubernetes and look to get a handle on their security - there simply is not a better tool than Kubescape to get started securing your cluster. It remains to be seen if configuration scanning alone will provide enough value to organizations to not be consolidated into larger platforms. As their image scanning and RBAC visualization improve, they can remain a leader in the Kubernetes configuration/vulnerability category, but would need large platform investments to get more into the runtime space.
At the end of the day, Kubescape is the best open source configuration scanner out there - so there will always be a market for their growing future. There’s no other platform I’d use to get started securing my clusters.