Vulnerabilities Relevancy

The relevancy feature lets ARMO Platform users see which of the vulnerabilities reported for a workload are actually relevant to it at runtime, i.e. which vulnerable components are really loaded by the running container.

Overview

ARMO Platform's relevancy feature is based on a Kubescape capability (aka the Taster), which in turn is based on eBPF. It observes the running environment and maps out the artifacts and libraries that are loaded into memory and are therefore actually in use in the environment.

The Taster is part of Kubescape's in-cluster components. It uses eBPF probes to look at the file activity of a running container. When a pod starts on a node, the Taster will watch its containers for a configurable learning period and store an activity log.

During the scan of a container, an SBOM is generated. This contains the vulnerability scanner's understanding of which components are installed in the container. When vulnerabilities are checked, the engine is given a filtered SBOM containing only the packages that own files accessed during the learning period; a vulnerability in a package outside the filtered SBOM is reported as not relevant.
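The following Python model is added here as an illustration and is not Kubescape or ARMO code. It shows the filtering step described above on constructed data: a small SBOM mapping packages to the files they own, an activity log of files seen during the learning period, and a CVE list keyed by package. It also reproduces the symlink case described under Limitations below: a library opened through its soname symlink is not matched to its package unless the link is resolved first. All package names, paths and CVE identifiers are made up.

```python
"""Toy model of relevancy filtering: accessed files -> filtered SBOM -> relevant CVEs.
Added illustration, not Kubescape/ARMO code. All data below is constructed."""
from collections import namedtuple

Package = namedtuple("Package", "name version")

# Constructed SBOM: which files each installed package owns.
SBOM = {
    Package("openssl", "1.1.1k"): [
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1",
    ],
    Package("libcurl4", "7.74.0"): ["/usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0"],
    Package("bash", "5.1"): ["/bin/bash"],
    Package("vim", "8.2"): ["/usr/bin/vim"],
}

# Constructed symlinks present in the image (link -> target), as the loader sees them.
SYMLINKS = {
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4": "/usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0",
}

# Constructed activity log: files the eBPF probes saw opened during the learning period.
ACCESSED = [
    "/bin/bash",
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4",   # opened through the symlink
    "/etc/passwd",                                # not owned by any package
]

# Constructed CVE list: CVE id -> affected package (ids are placeholders, not real CVEs).
CVES = {
    "CVE-EXAMPLE-0001": Package("openssl", "1.1.1k"),
    "CVE-EXAMPLE-0002": Package("libcurl4", "7.74.0"),
    "CVE-EXAMPLE-0003": Package("vim", "8.2"),
}


def resolve(path, symlinks, max_hops=8):
    """Follow file-level symlinks to the real file; stop on loops or too many hops."""
    seen = set()
    while path in symlinks and path not in seen and len(seen) < max_hops:
        seen.add(path)
        path = symlinks[path]
    return path


def filter_sbom(sbom, accessed, symlinks=None):
    """Return the packages that own at least one accessed file.

    With symlinks=None the link path itself is matched, which is the limitation
    described on this page (the link is not owned by any package, so the
    package is dropped). Pass the symlink map to resolve links before matching."""
    owner = {f: pkg for pkg, files in sbom.items() for f in files}
    hit = set()
    for path in accessed:
        if symlinks is not None:
            path = resolve(path, symlinks)
        if path in owner:
            hit.add(owner[path])
    return hit


def cve_relevancy(cves, filtered_sbom):
    """Map each CVE to 'Yes' if its package survived filtering, else 'No'."""
    return {cve: ("Yes" if pkg in filtered_sbom else "No") for cve, pkg in cves.items()}


if __name__ == "__main__":
    naive = cve_relevancy(CVES, filter_sbom(SBOM, ACCESSED))
    resolved = cve_relevancy(CVES, filter_sbom(SBOM, ACCESSED, SYMLINKS))
    for cve in CVES:
        print(f"{cve}: naive={naive[cve]} with-symlink-resolution={resolved[cve]}")
```

Running it shows CVE-EXAMPLE-0002 (libcurl4) flip from "No" to "Yes" once the symlink is resolved, while CVE-EXAMPLE-0003 (vim, never opened) stays "No" either way.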

Enabling the Relevancy feature

In order to enable the relevancy functionality follow the instructions below:

  1. Install Kubescape in the cluster.
  2. To configure the learning periods of the feature, use the flags detailed below (values are in minutes):

  • learningPeriod (default: 2 minutes) - The amount of time the Taster observes a running container to determine the relevancy of files. Configurable with: --set nodeAgent.config.learningPeriod=15
  • maxLearningPeriod (default: 180 minutes) - The maximum amount of time the Taster keeps observing a running container. Configurable with: --set nodeAgent.config.maxLearningPeriod=200

Using the Relevancy feature

After installation, the Taster watches every new or restarted container for the configured learning period. Once the learning period has concluded, the relevancy information is available in the cluster storage and in ARMO Platform. The Taster keeps watching the container until maxLearningPeriod is reached.

View Relevancy information in the ARMO Platform UI

Prerequisites

  • Pods were restarted after the feature was enabled, so that the learning period was initiated
  • The learning period has concluded

Vulnerabilities main view

Navigate to the Vulnerabilities section

The top tiles provide information regarding the relevant vulnerabilities found in the scanned containers. The information is broken down using prioritization indicators (Fixable, RCE and Relevant).

Severity tiles

The table detailing the vulnerabilities (see snippet below) provides a list of workloads scanned for vulnerabilities. The table contains a "Relevant" column stating the number of vulnerabilities found relevant for the workload in question.

Workloads view

Possible values that will populate the Relevant column are:

  • Number - The number of relevant vulnerabilities found for the given workload.
  • N/A - No relevancy data is available for the workload. This may be the result of one of several factors:

  • Learning period: Incomplete; Relevancy status: Installed - Relevancy is installed on the cluster and learning is still in progress. Resolution: wait for the learning period to conclude.
  • Learning period: Done; Relevancy status: Installed - Relevancy is installed on the cluster, but the container under the workload has not been restarted since the Relevancy feature was enabled. Resolution: restart the container under the given workload.
  • Learning period: -; Relevancy status: Not installed - The Relevancy feature is not enabled on the cluster the workload is deployed in. Resolution: enable Relevancy on the cluster and restart the workload.

Workload vulnerabilities view

Upon drill down into a workload with relevant data, the vulnerabilities table contains a column named "Relevant" stating the relevancy of the vulnerability in question.

Possible values here are:

  • Yes - A file belonging to the package affected by the given vulnerability was loaded into memory during the learning period. Hence, the vulnerability is relevant.
  • No - No file belonging to the affected package was loaded into memory during the learning period. Hence, the vulnerability is NOT relevant.
  • N/A - No relevancy data is available for the given vulnerability. See the resolution table in the previous section.

Vulnerabilities view

View relevancy information in the cluster storage

View SBOM information

kubectl get -n kubescape --show-labels SBOMSPDXv2p3
NAME                                                        CREATED AT             LABELS
docker.io-grafana-grafana-9.5.3-b8d861                      2023-06-15T15:45:33Z   kubescape.io/image-id=docker-io-grafana-grafana-sha256-35e8e1b76912e4c3bbaa8de01e730a,kubescape.io/image-name=docker-io-grafana-grafana
gcr.io-vmwarecloudadvocacy-acmeshop-catalog-latest-3fc804   2023-06-15T15:45:54Z   kubescape.io/image-id=gcr-io-vmwarecloudadvocacy-acmeshop-catalog-sha256-8fd8df19f379,kubescape.io/image-name=gcr-io-vmwarecloudadvocacy-acmeshop-catalog
mongo-4-f244e3                                              2023-06-15T15:44:55Z   kubescape.io/image-id=docker-io-library-mongo-sha256-967fecde146a0d1ac5ec5805a2c75906,kubescape.io/image-name=docker-io-library-mongo
otel-opentelemetry-collector-0.70.0-55f80d                  2023-06-15T15:45:08Z   kubescape.io/image-id=docker-io-otel-opentelemetry-collector-sha256-54f9e300089317cd4,kubescape.io/image-name=docker-io-otel-opentelemetry-collector
quay.io-kiwigrid-k8s-sidecar-1.24.3-be1fe8                  2023-06-15T15:45:17Z   kubescape.io/image-id=quay-io-kiwigrid-k8s-sidecar-sha256-5af76eebbba79edf4f7471bf1c3,kubescape.io/image-name=quay-io-kiwigrid-k8s-sidecar

View filtered SBOM information

kubectl get -n kubescape --show-labels SBOMSPDXv2p3Filtered
NAME                                                                       CREATED AT             LABELS
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-424f-cdc1   2023-06-15T15:47:20Z   kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-dashboard,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-6929-6389   2023-06-15T15:49:20Z   kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus
prometheus-replicaset-kube-prometheus-stack-grafana-658d55bf84-d1f2-ec75   2023-06-15T15:47:21Z   kubescape.io/workload-api-group=apps,kubescape.io/workload-api-version=v1,kubescape.io/workload-container-name=grafana-sc-datasources,kubescape.io/workload-kind=Deployment,kubescape.io/workload-name=kube-prometheus-stack-grafana,kubescape.io/workload-namespace=prometheus

Get CVE list & relevant CVE list

kubectl get -n kubescape --show-labels VulnerabilityManifests
NAME                                                            CREATED AT             LABELS
docker.io-grafana-grafana-9.5.3-b8d861                          2023-06-15T15:45:36Z   kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-grafana-grafana-sha256-35e8e1b76912e4c3bbaa8de01e730a,kubescape.io/image-name=docker-io-grafana-grafana
gcr.io-vmwarecloudadvocacy-acmeshop-catalog-latest-3fc804       2023-06-15T15:45:59Z   kubescape.io/context=non-filtered,kubescape.io/image-id=gcr-io-vmwarecloudadvocacy-acmeshop-catalog-sha256-8fd8df19f379,kubescape.io/image-name=gcr-io-vmwarecloudadvocacy-acmeshop-catalog
gke.gcr.io-cluster-proportional-autoscaler-1.8.4-gke.1-a146bc   2023-06-15T15:46:48Z   kubescape.io/context=non-filtered,kubescape.io/image-id=gke-gcr-io-cluster-proportional-autoscaler-sha256-0f232ba18b633,kubescape.io/image-name=gke-gcr-io-cluster-proportional-autoscaler
mongo-4-f244e3                                                  2023-06-15T15:45:01Z   kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-library-mongo-sha256-967fecde146a0d1ac5ec5805a2c75906,kubescape.io/image-name=docker-io-library-mongo
nginx-1.14.2-306b8d                                             2023-06-15T15:46:45Z   kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-library-nginx-sha256-f7988fb6c02e0ce69257d9bd9cf37ae2,kubescape.io/image-name=docker-io-library-nginx
otel-opentelemetry-collector-0.70.0-55f80d                      2023-06-15T15:45:09Z   kubescape.io/context=non-filtered,kubescape.io/image-id=docker-io-otel-opentelemetry-collector-sha256-54f9e300089317cd4,kubescape.io/image-name=docker-io-otel-opentelemetry-collector
quay.io-argoproj-argocd-v2.6.7-a2bd09                           2023-06-15T15:46:32Z   kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-argoproj-argocd-sha256-a9a0c6b9360587d9786c0d84b0bf948d,kubescape.io/image-name=quay-io-argoproj-argocd
quay.io-kiwigrid-k8s-sidecar-1.24.3-be1fe8                      2023-06-15T15:45:20Z   kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-kiwigrid-k8s-sidecar-sha256-5af76eebbba79edf4f7471bf1c3,kubescape.io/image-name=quay-io-kiwigrid-k8s-sidecar
quay.io-kubescape-kollector-v0.1.21-bc8e8d                      2023-06-15T15:46:51Z   kubescape.io/context=non-filtered,kubescape.io/image-id=quay-io-kubescape-kollector-sha256-cef4b4ef628470df7a9cf1bcd2a9,kubescape.io/image-name=quay-io-kubescape-kollector
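As an added example (not ARMO or Kubescape code), the Python below turns the output of `kubectl get -n kubescape VulnerabilityManifests -o json` into the "Relevant" values described in the UI sections above: it pairs the per-image manifest labelled kubescape.io/context=non-filtered with the per-container filtered manifest and falls back to N/A when no filtered manifest exists for the container. The embedded JSON is constructed and simplified. The label value `filtered` on the per-container manifest, the workload-* labels on it (taken from the filtered SBOM listing above), and the field path spec.payload.matches[].vulnerability.id are assumptions; check them against `kubectl get -n kubescape VulnerabilityManifests -o yaml` on your cluster before relying on them. Workload names, namespaces and CVE ids are made up.

```python
"""Derive the UI 'Relevant' values from VulnerabilityManifest objects.
Added illustration, not ARMO/Kubescape code. The manifest shape is simplified
and assumed; verify field paths and label values on a real cluster."""
import json

# Constructed, simplified stand-in for:
#   kubectl get -n kubescape VulnerabilityManifests -o json
# One per-image (non-filtered) manifest and one per-container (filtered) manifest.
KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "nginx-1.14.2-306b8d",
                  "labels": {"kubescape.io/context": "non-filtered",
                             "kubescape.io/image-name": "docker-io-library-nginx"}},
     "spec": {"payload": {"matches": [   # assumed grype-style match list
         {"vulnerability": {"id": "CVE-EXAMPLE-0001"}, "artifact": {"name": "openssl"}},
         {"vulnerability": {"id": "CVE-EXAMPLE-0002"}, "artifact": {"name": "libcurl4"}},
         {"vulnerability": {"id": "CVE-EXAMPLE-0003"}, "artifact": {"name": "vim"}}]}}},
    {"metadata": {"name": "shop-replicaset-web-7d9f-1a2b-3c4d",
                  "labels": {"kubescape.io/context": "filtered",   # assumed label value
                             "kubescape.io/workload-namespace": "shop",
                             "kubescape.io/workload-kind": "Deployment",
                             "kubescape.io/workload-name": "web",
                             "kubescape.io/workload-container-name": "nginx"}},
     "spec": {"payload": {"matches": [
         {"vulnerability": {"id": "CVE-EXAMPLE-0001"}, "artifact": {"name": "openssl"}}]}}},
]})

WORKLOAD_LABELS = ("kubescape.io/workload-namespace", "kubescape.io/workload-kind",
                   "kubescape.io/workload-name", "kubescape.io/workload-container-name")


def load_manifests(text):
    """Parse kubectl -o json output into its list of objects."""
    return json.loads(text)["items"]


def cve_ids(manifest):
    """Set of CVE ids in one manifest (assumed field path)."""
    return {m["vulnerability"]["id"] for m in manifest["spec"]["payload"]["matches"]}


def relevant_column(manifests, image_name, workload):
    """Compute the UI 'Relevant' values for one container.

    image_name: value of kubescape.io/image-name on the per-image manifest.
    workload:   (namespace, kind, name, container) as carried in the workload labels.
    Returns {"count": int | "N/A", "per_cve": {cve: "Yes" | "No" | "N/A"}}.
    N/A is produced when no filtered manifest exists for the container, which is
    the situation the page lists for an unfinished learning period, a container
    not restarted since enabling, or relevancy not installed."""
    full, filtered = set(), None
    for m in manifests:
        labels = m["metadata"].get("labels", {})
        ctx = labels.get("kubescape.io/context")
        if ctx == "non-filtered" and labels.get("kubescape.io/image-name") == image_name:
            full |= cve_ids(m)
        elif ctx == "filtered" and tuple(labels.get(k) for k in WORKLOAD_LABELS) == tuple(workload):
            filtered = cve_ids(m)
    if filtered is None:
        return {"count": "N/A", "per_cve": {c: "N/A" for c in sorted(full)}}
    return {"count": len(filtered),
            "per_cve": {c: ("Yes" if c in filtered else "No") for c in sorted(full)}}


if __name__ == "__main__":
    items = load_manifests(KUBECTL_JSON)
    # Container with a filtered manifest: one relevant CVE out of three.
    print(relevant_column(items, "docker-io-library-nginx", ("shop", "Deployment", "web", "nginx")))
    # Container without a filtered manifest: N/A everywhere.
    print(relevant_column(items, "docker-io-library-nginx", ("shop", "Deployment", "api", "nginx")))
```

To run this against a live cluster, replace KUBECTL_JSON with the captured output of the kubectl command in the comment; the per-image manifest is selected by the kubescape.io/image-name label shown in the listings above, and the per-container one by the workload-* labels.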

Limitations

Linux kernel

The relevancy functionality is based on eBPF, which is available only in the Linux kernel. Therefore the feature works only on Linux nodes, and the node's kernel version must be >= 4.14.

Relevancy engine

The relevancy functionality is based on the Falco library. Falco downloads a prebuilt kernel object matching the kernel version of the node. A prebuilt kernel object does not exist for every kernel version, so the feature may not work on nodes running a kernel for which none is available.

Symlinks

The Falco library reports the path that was opened, not the file a symlink resolves to. Files that are opened through a symlink may therefore not be matched to their package, so CVEs in that package can wrongly appear as not relevant. Treat a "No" for a package whose files are commonly reached through symlinks (for example shared libraries opened via their soname link) with caution.

Disabling the Relevancy feature

In order to disable the relevancy functionality follow the instructions below:

  1. Installation of Kubescape in cluster
  2. In step 3 of the instructions linked above, replace the command there with the following command:
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-relevancy -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.relevancy=disable --set account=<ACCOUNT_ID> 
  3. Continue the installation instructions to completion

Removing in-cluster storage

In order to remove the in-cluster storage for relevancy follow the instructions below:

  1. Installation of Kubescape in cluster
  2. In step 3 of the instructions linked above, replace the command there with the following command:
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-relevancy -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.relevancy=disable --set storage.enabled=false --set account=<ACCOUNT_ID> 
  3. Continue the installation instructions to completion