This is a really cool project! Great work.

I'm starting to learn about the project. I've tried scanning some test K8s clusters and found that the online scanner just crashes when it lacks permissions to perform certain functions or enumerate objects.

Is there a feature or a plan to support operation under limited permission accounts, perhaps using input parameters? Error handling to continue during failures would also be helpful.

it will allow easy updating of the app for mac users

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
ARMO security scanner starting
[progress] Downloading/Loading framework definitions
Get "https://dashbe.eustage2.cyberarmorsoft.com/v1/armoFrameworks?customerGUID=11111111-1111-1111-1111-111111111111&frameworkName=NSA&getRules=true": read tcp 10.1.104.57:54222->52.30.122.163:443: read: connection reset by peer

And

kubescape download framework nsa --output nsa.json
Error: Get "https://dashbe.eustage2.cyberarmorsoft.com/v1/armoFrameworks?customerGUID=11111111-1111-1111-1111-111111111111&frameworkName=NSA&getRules=true": read tcp 10.1.104.57:54240->52.30.122.163:443: read: connection reset by peer
Usage:
  kubescape download framework <framework-name> [flags]

Flags:
  -h, --help                                        help for download
  -o, --output ~/.kubescape/<framework name>.json   Output file. If specified, will store save to ~/.kubescape/<framework name>.json

Seems the check "non-root containers" is broken as it flags containers running as non-root as well.

Looks like the wording is also wrong:

Description: Potential attackers may gain access to a container and leverage its privileges to conduct an attack. Hence it is not recommended to deploy containers without root privileges unless it is absolutely necessary.

"Hence it is not recommended to deploy containers without root privileges" ? Looks reversed.

Hi.

I noticed that you only print failed resources.

I think there is even a larger benefit of printing passed resources (and even better - along with the passed settings next to them) as well because there are the ones setup correctly hence the ones to observe and learn from ...

Not all of the settings come from within the organization - some settings come from external vendors for their systems so we can't keep track of everything ...

Regards,

Setup

-kind 1.21 cluster kind create cluster
-Standard pod run with kubectl run -it testtools2 --image=raesene/alpine-containertools /bin/bash
-run kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

In the results I got :-

[control: Allow privilege escalation] passed 👍
Description: Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Summary - Passed:2   Failed:0   Total:2

Is this control checking for allowPrivilegeEscalation in the pod manifest? If so, I think this check should have failed as the default for Kubernetes is to allowPrivilegeEscalation unless it's specified in the pod/container securityContext.

When I try to install with go I get the following error:

$ go install github.com/armosec/kubescape@latest
go: downloading github.com/armosec/kubescape v0.0.38
go install: github.com/armosec/kubescape@latest: github.com/armosec/[email protected]: parsing go.mod:
	module declares its path as: kube-escape
	        but was required as: github.com/armosec/kubescape

Couldn't find an option to delete cluster from https://portal.armo.cloud/ .

Hello! I'm comparing the output from the command and the JSON and while the "Failed Resources" is easy to match to the "ruleResponses" in the JSON for each rule report, I don't seem to find anything in the JSON that can help me define the "All resources" total in order to map it similarly to the tool's "% Success" metric, specially since for each report in "controlReports" this total can vary.

It works fine to get the responses, but I was wondering how could I get that "all resources" value for each report from the JSON. Any tip will help!

The issue #87 is marked as fixed and sudo dependencies were supposedly addressed. However, the latest install script still has bugs and is unable to install kubescape. Seems the script bails out midway and not complete the installation cleanly. Please refer the screenshot below.

Hi,
it would be super useful to be able to download an official Kubescape container image from Docker Hub. It shouldn't be hard as it is documented in https://docs.github.com/en/actions/publishing-packages/publishing-docker-images

Thx!

JSON format commands are not working in GITLAB

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format json --output results.json

Im not getting the output as json file. It's still showing me the same normal output.

Also when i tried in local, the json format is not coming in a correct way.

@dwertent

Kubescape uses today pure K8s API to look for security issues.

The next step will be to look on data coming outside K8s API like:

• Etcd encryption configuration
• API server configuration
• CNI information

Kubescape needs to be able to retrieve the description of a AKS cluster from Azure API to evaluate it.

https://docs.microsoft.com/en-us/rest/api/aks/managed-clusters/get#managedcluster

Need to implement a function returning this information for the cluster configured in the active context in ".kube/config"

Hey guys!

Neat tool, thank you! :)

I've started dabbling with it, and the first issue that I encountered is that it doesn't seem to be possible to use a non-default kubeconfig path. I.e, in my setup, I use multiple kubeconfig files via the KUBECONFIG env var:

❯ env | grep KUBE
KUBECONFIG=/Users/davidy/.kube/config:/Users/davidy/.kube/prod-config:/Users/davidy/.kube/dev-config:/Users/davidy/.kube/kubeconfig:/Users/davidy/.kube/multipass-config

However, kubescape doesn't seem to use the value of KUBECONFIG, and I couldn't find a commandline argument to explicitly specify it.

A --kubeconfig argument, and a reference to the KUBECONFIG env var would be much appreciated!

Cheers!
D

Kubescape uses today pure K8s API to look for security issues.

The next step will be to look on data coming outside K8s API like:

• Etcd encryption configuration
• API server configuration
• CNI information

Kubescape needs to be able to retrieve the description of a EKS cluster from AWS API to evaluate it.

https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html#API_DescribeCluster_ResponseSyntax

Need to implement a function returning this information for the cluster configured in the active context in ".kube/config"

Hi, I would like to periodically run this application on my CI, but currently, no matter the result, it always returns a 0 exit code. This means I would need to manually check every time for problems. Maybe it can be made configurable (a --fail flag) so it returns an exit code != 0 when any of the checks are not fully passed. This way the CI will fail, alerting that something is not compliant in the cluster.

Is there an alternate way to get nsa definitions?
I'm trying to run kubescape behind a firewall with no internet access

$ ./kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
ARMO security scanner starting
[progress] Downloading framework definitions
Could not download framework, please check if this framework exists

curl is an insecure pattern for downloading dependencies/tools.

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

https://about.codecov.io/security-update/

Why not make a release with GitHub and have instructions to download with gpg signed releases? Also go install is another way to install this tool.

Hello,

kubescape framework download nsa is broken since dashbe.auprod1.cyberarmorsoft.com don't exist.

Hi.

Is there a flag for returning a list of supported frameworks?

I noticed that the docs only refer to "nsa" and I couldn't find a way to make the tool print a full list of frameworks.

Regards,

Tried installing kubescape on local Jenkins container but there seems to be an issue with installation based on steps mentioned. Similar issue encountered when we tried installing kubescape in our Azure cloud account using Azure shell. (screenshots below)

Please advise on this.

I'm stuck with this error Failed to load kubernetes config: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable. Setting the env var KUBERNETES_MASTER or KUBE_CONFIG_PATH does not change anything, what am I missing ?

The following error occurred while running kubescape.
I'm curious as to why the error occurred and how to fix it.
(I ran kubescape inside the pod after dockerizing.)

/ # kubescape scan framework nsa --use-default
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1616eed]

goroutine 1 [running]:
github.com/armosec/kubescape/cautils/k8sinterface.GetDefaultNamespace(0x1b8a1c0, 0xc00012b0b0)
/home/runner/work/kubescape/kubescape/cautils/k8sinterface/k8sconfig.go:111 +0x8d
github.com/armosec/kubescape/cautils.NewClusterConfig(...)
/home/runner/work/kubescape/kubescape/cautils/customerloader.go:72
github.com/armosec/kubescape/cmd.CliSetup(0x2ba9800, 0x3)
/home/runner/work/kubescape/kubescape/cmd/framework.go:124 +0x607
github.com/armosec/kubescape/cmd.glob..func10(0x2b90ec0, 0xc0003119a0, 0x1, 0x2, 0x0, 0x0)
/home/runner/work/kubescape/kubescape/cmd/framework.go:73 +0x1a5
github.com/spf13/cobra.(*Command).execute(0x2b90ec0, 0xc000311980, 0x2, 0x2, 0x2b90ec0, 0xc000311980)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x472
github.com/spf13/cobra.(*Command).ExecuteC(0x2b8ffc0, 0x0, 0x19a22a0, 0xc000046118)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
github.com/armosec/kubescape/cmd.Execute(...)
/home/runner/work/kubescape/kubescape/cmd/root.go:16
main.main()
/home/runner/work/kubescape/kubescape/main.go:12 +0x36

I have seen the examples, but I do not understand how the exceptions work.
Can some application scenarios please be explained ?

Resulting file becomes xxx.json.json despite following example from README.

Using v1.0.77 on AmazonLinux against an EKS cluster.

$ /usr/local/bin/kubescape scan framework nsa \
>     --exclude-namespaces kube-system,kube-public \
>     --output /home/ec2-user/.kubescape/kubescape-output-1631806382.json \
>     --format json
ARMO security scanner starting
[progress] Downloading/Loading framework definitions
[success] Downloaded/Loaded framework
[progress] Accessing Kubernetes objects
W0916 15:36:29.119889   16482 warnings.go:70] batch/v1beta1 CronJob is deprecated in v1.21+, unavailable in v1.25+; use batch/v1 CronJob
[success] Accessed successfully to Kubernetes objects, let’s start!!!
[progress] Scanning cluster 
◑ [success] Done scanning cluster

$ ls -la ~/.kubescape
total 92
drwxr-xr-x 2 ec2-user ec2-user    67 Sep 16 15:36 .
drwx------ 9 ec2-user ec2-user   298 Sep 16 15:34 ..
-rw-r--r-- 1 ec2-user ec2-user 22195 Sep 16 15:36 kubescape-output-1631806382.json.json
-rw-r--r-- 1 ec2-user ec2-user 67683 Sep 16 15:36 nsa.json

Kubescape uses today pure K8s API to look for security issues.

The next step will be to look on data coming outside K8s API like:

• Etcd encryption configuration
• API server configuration
• CNI information

Kubescape needs to be able to retrieve the description of a GKE cluster from GCP API to evaluate it.

https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster

Need to implement a function returning this information for the cluster configured in the active context in ".kube/config"

I'm checking SHASUMs as part of my process which pulls in the kubescape tool for testing of one of my clusters, and I've noticed they seem to be changing.

Would it be possible to update the release process to not mutate release binaries?

after running:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
ran into the following error:
: exec format error: kubescape

It is not possible to find out result summary number when --format junit is used. It is needed ie for adjusting --fail-threshold accordingly.
Please consider showing the summary number in console 🙏

Thx!

I'd like the ability to use wildcards in my exceptions.json. For example, If I have a resource called common-cg922ccb87, cg922ccb87 is a nondeterministic unique identifier. I need to exclude the resource, but I have no way of specifying the exact name of the resource.

Full example:

exceptions.json

[
  {
    "name": "ignore-applications-credentials-in-configuration-files",
    "policyType": "postureExceptionPolicy",
    "actions": [
      "alertOnly"
    ],
    "resources": [
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "ConfigMap",
          "name": "common-.*"
        }
      }
    ],
    "posturePolicies": [
      {
        "frameworkName": "NSA",
        "ruleName": "rule-credentials-configmap"
      }
    ]
  }
]

its quite difficult to debug what is wrong because the actual rules are not visible anywhere?

for instance I have failing rule "Automatic mapping of service account" but automountServiceAccountToken: false at least does not solve that.

Then "Linux hardening" I assume that this is something related like selinux or similar? But it would be nice to have somekind of documentation how to solve these "tests" or then publish the actual tests as well.

In the about for the main repo, the link to nsa.gov takes you to a 404 page not found (also in the main README).

About
kubescape is the first tool for testing if Kubernetes is deployed
securely as defined in Kubernetes Hardening Guidance by to
NSA and CISA (https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)

After dockerizing, I wanted to run kubescape in my application on a pod.
The image I used is alpine:3.13. However, when I run kubescape in the application, the output is as follows.

ash: kubescape: not found

I searched and found that it was due to a missing interpreter when building the binary([Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]). Considering this, can't we build a binary at the time of release?

I'm working on a custom build of kubescape which can be installed using Homebrew. The scan is working and is showing results in the cli. However, the results are not visible at https://portal.armo.cloud.

I've also executed kubescape config cluster set customerGUID=<guid> beforehand. I'm using the following ldflags.

  def install
    ldflags = %W[
      -s -w
      -X github.com/armosec/kubescape/cmd.BuildNumber=v#{version}
      -X github.com/armosec/kubescape/cautils/getter.ArmoBEURL=api.armo.cloud
      -X github.com/armosec/kubescape/cautils/getter.ArmoERURL=report.armo.cloud
      -X github.com/armosec/kubescape/cautils/getter.ArmoFEURL=portal.armo.cloud
    ].join(" ")

I try to execute kubescape.

Initially, the execution was performed normally.
However, at some point, the following message is displayed and the execution is not executed.

ARMO security scanner starting
[progress] Downloading/Loading framework definitions

Kind: Framework, Name: nsa, error: Get "": unsupported protocol scheme ""

Why? Do you know why?

Hi.

I noticed that the tool requires downloading extra files to work.

Can I somehow download them offline and make them accessible to the tool?

I want to run it in an environment without internet access.

Regards,

When running a cluster with v1.0..88 and using the flag --exclude-namepaces "kube-system,kube-public" the scan results are still showing this namespaces under the [control: Network policies] section.

kubescape scan framework --exclude-namespaces "kube-system,kube-public" \ -t 80 \ -o cluster-scan.log nsa

kubescape flagged the following for me:

[control: Applications credentials in configuration files] failed 😥
Description: Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.
   Namespace vault
      StatefulSet - cluster-vault
      ConfigMap - istio-ca-root-cert
      ConfigMap - kube-root-ca.crt

Now the Istio certs I understand and don't care about, but I'm unsure what the credential referenced by the cluster-vault statefulset is. Here's my statefulset spec:

spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      vault_cr: cluster-vault
  serviceName: ""
  template:
    metadata:
      annotations:
        post.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--unfreeze", "/vault/file/"]'
        post.hook.backup.velero.io/container: velero-fsfreeze
        pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/vault/file/"]'
        pre.hook.backup.velero.io/container: velero-fsfreeze
        prometheus.io/path: /metrics
        prometheus.io/port: "9102"
        prometheus.io/scrape: "true"
        vault.banzaicloud.io/tls-expiration-date: "2022-08-13T01:01:57Z"
        vault.banzaicloud.io/vault-config: 4ec986d4017ab76183972683a716b881fe599a89508ba3100b7ba6a7f366cf9f
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: vault
        vault_cr: cluster-vault
    spec:
      affinity: {}
      automountServiceAccountToken: true
      containers:
      - args:
        - server
        env:
        - name: VAULT_K8S_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: VAULT_LOG_LEVEL
          value: debug
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              key: AWS_ACCESS_KEY_ID
              name: aws-credentials
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: AWS_SECRET_ACCESS_KEY
              name: aws-credentials
        image: redacted/vault:1.8.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /v1/sys/init
            port: https-api-port
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: vault
        ports:
        - containerPort: 8201
          name: cluster-port
          protocol: TCP
        - containerPort: 8300
          name: external-port
          protocol: TCP
        - containerPort: 8280
          name: http-api-port
          protocol: TCP
        - containerPort: 8200
          name: https-api-port
          protocol: TCP
        readinessProbe:
          failureThreshold: 2
          httpGet:
            path: /v1/sys/health?standbyok=true&perfstandbyok=true&drsecondarycode=299
            port: https-api-port
            scheme: HTTPS
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "2"
            memory: 512Mi
          requests:
            cpu: 1m
            memory: 256Mi
        securityContext:
          capabilities:
            add:
            - IPC_LOCK
            - SETFCAP
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /vault/config
          name: vault-config
        - mountPath: /vault/raft
          name: vault-raft
        - mountPath: /vault/tls
          name: vault-tls
      - args:
        - --pre-flight-checks
        - "true"
        - --mode
        - k8s
        - --k8s-secret-namespace
        - vault
        - --k8s-secret-name
        - cluster-vault-unseal-keys
        - --k8s-secret-labels
        - app.kubernetes.io/name=vault,vault_cr=cluster-vault
        command:
        - bank-vaults
        - unseal
        - --init
        - --auto
        - --raft
        - --raft-leader-address
        - https://cluster-vault:8200
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: VAULT_ADDR
          value: https://127.0.0.1:8200
        - name: VAULT_CACERT
          value: /vault/tls/ca.crt
        image: redacted/bank-vaults:1.13.1
        imagePullPolicy: IfNotPresent
        name: bank-vaults
        ports:
        - containerPort: 9091
          name: metrics
          protocol: TCP
        resources:
          limits:
            cpu: "5"
            memory: 64Mi
          requests:
            cpu: 1m
            memory: 64Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /vault/tls
          name: vault-tls
      - args:
        - --statsd.mapping-config=/tmp/statsd-mapping.conf
        image: redacted/statsd-exporter:v0.12.2
        imagePullPolicy: IfNotPresent
        name: prometheus-exporter
        ports:
        - containerPort: 9125
          name: statsd
          protocol: UDP
        - containerPort: 9102
          name: prometheus
          protocol: TCP
        resources:
          limits:
            cpu: 500m
            memory: 32Mi
          requests:
            cpu: 1m
            memory: 16Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /tmp/
          name: statsd-mapping
      - command:
        - /bin/bash
        - -c
        - sleep infinity
        image: redacted/debian:10-slim
        imagePullPolicy: IfNotPresent
        name: velero-fsfreeze
        resources:
          limits:
            cpu: 50m
            memory: 32Mi
          requests:
            cpu: 50m
            memory: 32Mi
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /vault/raft
          name: vault-raft
      dnsPolicy: ClusterFirst
      initContainers:
      - command:
        - template
        - -template
        - /tmp/vault-config.json:/vault/config/vault.json
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: VAULT_LOG_LEVEL
          value: debug
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              key: AWS_ACCESS_KEY_ID
              name: aws-credentials
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: AWS_SECRET_ACCESS_KEY
              name: aws-credentials
        image: redacted/bank-vaults:1.13.1
        imagePullPolicy: IfNotPresent
        name: config-templating
        resources:
          limits:
            cpu: "2"
            memory: 512Mi
          requests:
            cpu: 1m
            memory: 256Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /vault/config
          name: vault-config
        - mountPath: /vault/raft
          name: vault-raft
        - mountPath: /tmp
          name: vault-raw-config
        - mountPath: /vault/tls
          name: vault-tls
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
      serviceAccount: vault
      serviceAccountName: vault
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: cluster-vault-statsd-mapping
        name: statsd-mapping
      - emptyDir:
          medium: Memory
          sizeLimit: 1Mi
        name: vault-config
      - name: vault-raw-config
        secret:
          defaultMode: 420
          secretName: cluster-vault-raw-config
      - name: vault-tls
        secret:
          defaultMode: 420
          secretName: cluster-vault-tls
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      creationTimestamp: null
      name: vault-raft
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: topolvm-provisioner
      volumeMode: Filesystem
    status:
      phase: Pending
status:
  collisionCount: 0
  currentReplicas: 3
  currentRevision: cluster-vault-55dd98fc9c
  observedGeneration: 1
  readyReplicas: 3
  replicas: 3
  updateRevision: cluster-vault-55dd98fc9c
  updatedReplicas: 3

Where are the alleged application credentials hiding? :)

Thanks!
D

Hi It would be nice to have a more detailed help message.
Would be more easy to understand the syntax and available option for kubescape.
Currently only

kubescape --help
Usage of kubescape:
  -alsologtostderr
    	log to standard error as well as files
  -kubeconfig string
    	Paths to a kubeconfig. Only required if out-of-cluster.
  -log_backtrace_at value
    	when logging hits line file:N, emit a stack trace
  -log_dir string
    	If non-empty, write log files in this directory
  -logtostderr
    	log to standard error instead of files
  -stderrthreshold value
    	logs at or above this threshold go to stderr
  -v value
    	log level for V logs
  -vmodule value
    	comma-separated list of pattern=N settings for file-filtered logging

A list of available framework would be nice.

The default output is printed in a pretty "console friendly" manner. But can we retrieve them in JSON format for further processing.

The following command is throwing error -

kubescape scan framework nsa --exclude-namespaces kube-system,kube-public

ERROR:
-bash: /usr/local/bin/kubescape: cannot execute binary file: Exec format error

I checked cluster with new kubescape - it shows that there are no subPath feature, but after grep configs I saw a lot places with subPath - I tried to see a rule in https://{x}.{y}.cyberarmorsoft.com/v1/armoFrameworks?customerGUID=11111111-1111-1111-1111-111111111111&getRules=true&frameworkName=NSA but did not see anything about this CVE

I want to preface this issue as, I think kubescape is a pretty nice and nifty tool. It's especially useful for finding misconfigurations in k8s clusters, pods, containers, etc. But, I also want to say that --results-locally should not be opt-in. If you want to provide a consulting tool that people can use as a pipeline for professional services, fine, but do not mask the tool behind such behavior after the fact.

Every single person that executes this tool with kubescape scan framework nsa effectively uploads all their cluster vulnerabilities and issues to ARMO. The fact that someone has to open an issue with a poor default makes me question the actual motivations and desires of ARMO.

The default of this tool being opt-in should be a lesson to anyone using this tool and any other future open source tools that scan systems for security.

Kubescape uses today pure K8s API to look for security issues.

The next step will be to look on data coming outside K8s API like:

• Etcd encryption configuration
• API server configuration
• CNI information

First step for Kubescape to find these information is to identify which kind of cluster it is scanning:

• Native Kubernetes
• EKS
• GKE
• AKS
• Openshift

We need to have a function returning the type of cluster, here is a prototype proposal:

func GetKubernetesType() K8sType

Iam trying to build a docker image from the code which is existing now. Below one is the dockerfile

FROM golang:1.12.0-alpine3.9
RUN mkdir /app
COPY go.* ./
RUN go mod download
COPY . ./
RUN go build -o kubescape .
CMD ["/app/main"]

But iam getting the below error when iam trying to build kubescape. Do we have any workaround this.

#8 0.383 main.go:5:2: cannot find package "kube-escape/cautils" in any of:
#8 0.383 /usr/local/go/src/kube-escape/cautils (from $GOROOT)
#8 0.383 /go/src/kube-escape/cautils (from $GOPATH)
#8 0.383 main.go:6:2: cannot find package "kube-escape/cautils/k8sinterface" in any of:
#8 0.383 /usr/local/go/src/kube-escape/cautils/k8sinterface (from $GOROOT)
#8 0.383 /go/src/kube-escape/cautils/k8sinterface (from $GOPATH)
#8 0.383 main.go:7:2: cannot find package "kube-escape/inputhandler/clihandler" in any of:
#8 0.383 /usr/local/go/src/kube-escape/inputhandler/clihandler (from $GOROOT)
#8 0.383 /go/src/kube-escape/inputhandler/clihandler (from $GOPATH)
#8 0.383 main.go:9:2: cannot find package "kube-escape/opaprocessor" in any of:
#8 0.383 /usr/local/go/src/kube-escape/opaprocessor (from $GOROOT)
#8 0.383 /go/src/kube-escape/opaprocessor (from $GOPATH)
#8 0.383 main.go:10:2: cannot find package "kube-escape/policyhandler" in any of:
#8 0.383 /usr/local/go/src/kube-escape/policyhandler (from $GOROOT)
#8 0.383 /go/src/kube-escape/policyhandler (from $GOPATH)
#8 0.383 main.go:11:2: cannot find package "kube-escape/printer" in any of:
#8 0.383 /usr/local/go/src/kube-escape/printer (from $GOROOT)
#8 0.383 /go/src/kube-escape/printer (from $GOPATH)

It will be much more easy to add automatic tool setup when version is aligned with semver
betav1.0.41 -> v1.0.41-beta | 1.0.41-beta