Outshift Logo

8 min read

Blog thumbnail
CN

by Pallavi Kalapatapu

Published on 06/13/2023
Last updated on 02/05/2024

KubeClarity: Runti­­­me Scanning

Share

Lean Into Software Supply Chain Security with KubeClarity Series
https://github.com/openclarity/kubeclarity

As we progress through this series, we have delved into various aspects of KubeClarity, including SBOM (Software Bill of Materials) Integration and Vulnerability Scanning. Now, it's time to take a closer look at runtime scanning. This post will explore the extensive capabilities of the KubeClarity run-time scanning feature.

Learn about KubeClarity Runtime Scan Feature
Figure-1: Learn about KubeClarity Runtime Scan Feature

Run-time scanning plays a crucial role in ensuring the security and integrity of your applications within a Kubernetes environment. It allows you to monitor and detect vulnerabilities in real time as your applications run. In addition, with KubeClarity run-time scanning, you gain valuable insights into the security posture of your Kubernetes applications post-deployment.

Kubernetes Clusters Runtime Scans

Scanning your run-time Kubernetes clusters is essential to proactively detect and address vulnerabilities in real-time, ensuring the security and integrity of your applications and infrastructure. By continuously monitoring and scanning your clusters, you can mitigate risks, prevent potential attacks, and maintain a strong security posture in the dynamic Kubernetes environment. Some of the key advantages of employing a run-time scan strategy in addition to a build-time or static analysis are:

  • Real-time threat detection
  • Rapid vulnerability identification
  • Enhanced security posture
  • Proactive risk mitigation
  • Compliance adherence
  • Comprehensive vulnerability management
  • Adaptability to dynamic environments
  • Quick response to emerging threats
  • Continuous improvement

KubeClarity Runtime Scanning Features

KubeClarity offers many impressive features that greatly enhance the runtime scanning experience. Here are some key highlights:

Faster Runtime Scans

With KubeClarity, you can enjoy significantly faster runtime scans. The scanning process is optimized, reducing the time required to detect vulnerabilities from minutes to seconds. This allows for quicker identification and remediation of potential security risks.

Eliminate the Need for Image TAR Pulling

KubeClarity employs a mechanism that eliminates the need for pulling the entire image tar. Instead, it utilizes a more efficient approach that avoids the unnecessary overhead of fetching the complete image tar.

Leverage Cached SBOMs

KubeClarity uses the cached SBOM data if an image has already been scanned, eliminating the need for time-consuming image retrieval and recomputing, improving overall efficiency.

Reduce Scan Time to Seconds

Scanning images within admission control becomes a breeze with KubeClarity. The scanning process, which previously may have taken minutes, is now significantly accelerated, with results available within seconds. This allows for real-time vulnerability assessment without causing delays or disruptions in your CI/CD pipeline. Note the run-time scanning of the Kubernetes namespaces option is available through UI and API options.

For example, when you download an image as a tarball in your KubeClarity Kubernetes cluster, the tarball contains several files and directories that make up the image. These typically include:

  1. Manifest file: This file provides metadata about the image, such as its name, version, and dependencies.
  2. Layer files: Images are usually composed of multiple layers; a separate file in the tarball represents each layer. Layers contain the filesystem changes introduced by the image.
  3. Configuration files define the image's runtime behavior, such as environment variables, exposed ports, and entry point commands.
  4. Binary files and libraries: The image may contain executable binaries and required libraries for the application or service encapsulated within the container.

When you download an image tarball, it typically fetches all the files and directories necessary to recreate the image on your Kubernetes cluster. However, it's worth noting that the actual extraction and utilization of specific files from the tarball may depend on the runtime and execution context within the cluster, which is where KubeClarity plays to its strengths.

Runtime Scan Architecture

Figure-2 illustrates the structure of a runtime scanning architecture. This layout visually represents the components and their interconnections within the runtime scanning system. By examining the figure, you can better understand how the various elements work together to facilitate the scanning process during runtime.

KubeClarity Runtime Scan Architecture
Figure-2: KubeClarity Runtime Scan Architecture

It is worth noting that the starting and stopping runtime scan option is available through UI and API but not supported by CLI.

Source Code

Find the implementation details in these runtime_scan package module and runtime_k8s_scanner module in the source code as shown in Figure-3 below:

Runtime Scan Source Code Implementation Modules
Figure-3: Runtime Scan Source Code Implementation Modules

Runtime Scan: Hands-on Instructions

Enabling Runtime Scan in KubeClarity is a straightforward process. Follow these steps:

  1. Install and configure KubeClarity on EKS or Docker.
  2. Ensure you have the necessary permissions and access to your Kubernetes cluster and the KubeClarity UI is up and running.
  3. Specify the desired runtime scanning settings, such as the frequency of scans and the scanning thresholds. (On UI)
  4. Save the settings and start the scan.
  5. KubeClarity will now start scanning your Kubernetes cluster at runtime, detecting, and addressing vulnerabilities in real-time.

By enabling runtime scans in KubeClarity, you enhance the security of your Kubernetes environment and gain valuable insights into potential vulnerabilities during the operation of your applications.

Once KubeClarity is installed, you need to configure the runtime scanning capabilities. This involves defining the scanning parameters, specifying the target workloads, and enabling the appropriate scanning modules.


Private Registries Support for Kubernetes Runtime Scan

Kubeclarity uses k8schain of Google/go-container registry for authenticating to the registries. If the necessary service credentials are not discoverable by the k8schain. For more details, check out the README.


Runtime Scanning Options On UI

Select the runtime scan options view from the navigation pane as shown in Figure-4 below:

KubeClarity Runtime Scan UI View
Figure-4: KubeClarity Runtime Scan UI View

To schedule a scan at your preferred time, click the "Schedule Scan" option in the upper right corner, as shown in Figure-5 below. This feature allows you to set a specific time for the scan, providing flexibility and control over when the scanning process initiates.

Schedule a Runtime Scan with KubeClarity UI
Figure-5: Schedule a Runtime Scan with KubeClarity UI

Upon selecting the "Schedule Scan" option, you will land on the screen shown in Figure-6. This screen offers various options for choosing a namespace for the scan. Follow this screen's instructions and available choices to select the specific namespace you wish to scan. For example, I’m selecting the “kube-system” namespace as a target for scanning.

Runtime Scan Option to Scan Namespaces
Figure-6: Runtime Scan Option to Scan Namespaces

Next, choose timing options for the scan, as shown in Figure-7 below.

Runtime Scan Options for Time and Frequency
Figure-7: Runtime Scan Options for Time and Frequency

Click the “Save” button to save the settings shown in Figure-8 below.

Runtime Scan Options for Time and Frequency_2
Figure-8: Schedule a Runtime Scan

Upon saving the scan schedule, the control returns to the main runtime scan page showing a previously completed scan or an in-progress scan if one is in progress. Currently, there is no option to browse a list of all scheduled scans. It only shows the most recent selection of a scheduled scan. There is room for improvement here to allow checking the full schedule of all pending scheduled scans.

Figure-9 presents the runtime scan view, displaying comprehensive details regarding the progress of the ongoing scan. This view offers real-time updates and insights into the scanning process, allowing you to monitor the scan's progress and track any vulnerabilities or issues detected.

Runtime Scan Progress
Figure-9: Runtime Scan Progress

Once the scan results are available, you can easily navigate the findings and address the relevant issues. If you need a refresher on navigating and resolving these vulnerabilities, refer to the detailed instructions in the previous post. Hopefully, this process has helped you uncover any overlooked vulnerabilities within your cluster.


Conclusion

KubeClarity's runtime optimization for image scanning in Kubernetes environments provides a more focused and streamlined approach to vulnerability management. By scanning only, the images downloaded into your cluster, you can reduce the bloat and improve the efficiency of your scanning process, saving valuable time and resources. You can enhance the security of your Kubernetes deployments with KubeClarity and stay one step ahead of potential threats.

Next Up

Lastly, we have the topic of CIS Benchmarks left to explore. In the next section, we will delve into the world of CIS Benchmarks and discover their significance in enhancing the security and compliance of your systems. Next, let's dive in and uncover the power of CIS Benchmarks in KubeClarity!



-------------

Pallavi Kalapatapu is a Principal Engineer and open-source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco.

Subscribe card background
Subscribe
Subscribe to
the Shift!

Get emerging insights
on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

thumbnail
I
Subscribe
Subscribe
 to
the Shift
!
Get
emerging insights
on emerging technology straight to your inbox.

The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

Outshift Background