Security researchers and professionals codify best practices in controls: preventative, detective or corrective measures that can be taken to avoid, or contain, a security breach.

Kubescape comes with hundreds of controls that can be used in either provided or custom frameworks. Each control is a test that looks at one aspect of your security posture. Kubescape can examine:

  • Kubernetes object configuration – any YAML file, any Helm chart, or any resource that the API server exposes.
  • API server settings – configuration of the Kubernetes API server.
  • Worker nodes – the configuration of the Kubernetes worker nodes, including kubelet configuration and host settings.
  • Container images – the results from image scanning, to give you high-level visibility into items that need your attention.

Adjusting control parameters

Most controls check for specific parameters whose values are predefined by Kubernetes. Some controls, however, check for values that change from cluster to cluster or from one environment to another.

Kubescape supports the ability to personalize controls by changing their parameters. This can be done from the ARMO Platform web interface or CLI.

Controls that can be customized are shown in the scan report with a gear icon.

It is important to adjust these controls to your specific use case, as the default settings will often lead to false positive results.

ARMO Platform web interface

Click your initials in the top right of the ARMO Platform web interface, and click "Settings". Under "Posture", click "Controls".

To show only controls that can be configured, check “Show configurable controls only”.

Click the down arrow at the left of each control to open its configuration pane.

You can now add or remove parameters.

Kubescape CLI

You can customize control parameters using the Kubescape CLI. First, download a file which contains the default parameters that are used for the configurable controls:

kubescape download controls-inputs

The location of the file will be printed. Copy or edit that file and change the parameters as you need.

To perform a scan using the custom parameters, use the --controls-config flag and specify the location of the parameters file.

kubescape scan --controls-config <path>
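
An added example, not part of the Kubescape documentation or project code: a Python helper that applies per-cluster overrides to the downloaded parameters file and reports what changed, so the file passed to --controls-config can be reviewed before a scan. It assumes the downloaded file is a JSON object mapping each parameter name to a list of strings; the parameter names and values below are constructed placeholders.

```python
import json
import sys


def apply_overrides(defaults, overrides):
    """Apply per-cluster overrides to the default control parameters.

    Returns (merged, changes). Assumption: both inputs map a parameter
    name to a list of strings.
    """
    unknown = sorted(set(overrides) - set(defaults))
    if unknown:
        # Catches misspelled parameter names before the scan runs.
        raise ValueError(f"not in the downloaded defaults: {unknown}")
    merged, changes = dict(defaults), {}
    for name, values in overrides.items():
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{name}: expected a list of strings")
        if values != defaults[name]:
            changes[name] = {
                "added": sorted(set(values) - set(defaults[name])),
                "removed": sorted(set(defaults[name]) - set(values)),
            }
        merged[name] = list(values)
    return merged, changes


# Constructed stand-in for the downloaded defaults (placeholder names).
SAMPLE_DEFAULTS = {
    "exampleAllowedRegistries": [],
    "exampleSensitiveKeyNames": ["password", "token"],
}
# Constructed per-cluster overrides.
SAMPLE_OVERRIDES = {
    "exampleAllowedRegistries": ["registry.example.internal"],
    "exampleSensitiveKeyNames": ["password", "token", "apikey"],
}

if __name__ == "__main__":
    # Usage: python apply_overrides.py <defaults.json> <overrides.json> <out.json>
    defaults_path, overrides_path, out_path = sys.argv[1:4]
    with open(defaults_path) as f:
        defaults = json.load(f)
    with open(overrides_path) as f:
        overrides = json.load(f)
    merged, changes = apply_overrides(defaults, overrides)
    with open(out_path, "w") as f:
        json.dump(merged, f, indent=2)
    print(json.dumps(changes, indent=2))  # review, then pass out_path to --controls-config
```

Keeping the overrides in a separate, version-controlled file makes each cluster's deviation from the defaults reviewable.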