It’s no secret how popular Kubernetes (K8s), the open-source container orchestration solution, is for deploying cloud-native technologies. A 2021 survey from the Cloud Native Computing Foundation found that 5.6 million developers currently use Kubernetes, up four percent from 2020. While the rise in adoption of Kubernetes is exciting, it does raise a big concern for most DevOps teams:
“How do we ensure our Kubernetes clusters are secure?”
Security is critical for containerized applications that operate on a shared infrastructure. As organizations continue to scale their deployments on Kubernetes, the risk of misconfiguring a Kubernetes cluster only increases. In fact, Gartner estimates that through 2025, 99% of cloud breaches will have a root cause associated with customer misconfigurations or mistakes.
To help combat this massive problem in the Kubernetes landscape, we added Kubescape to our open-source marketplace. Kubescape is now available as a direct install with Plural, a free open-source Kubernetes DevOps platform that allows you to deploy Kubernetes clusters and open-source applications. This provides engineers with immediate access to risk analytics, compliance checks, and vulnerability scanning.
Kubescape is an open-source Kubernetes platform that provides a multi-cloud K8s single pane of glass, including risk analysis, security compliance, an RBAC (role-based access control) visualizer, and image vulnerability scanning.
The open-source platform works by scanning K8s clusters, Kubernetes manifest files (YAML files and Helm charts), code repositories, container registries, and images. After scanning, Kubescape will detect misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK). During those scans, Kubescape will find software vulnerabilities and show RBAC violations at the early stages of the CI/CD pipeline.
Best of all, you can install Kubescape on Plural with little to no management experience necessary. Here’s what you need to know:
Before getting started with this tutorial you will need your cloud provider’s CLI installed and configured. For more information on this step please refer to our cloud provider guide and follow the provider-specific instructions.
If you haven’t done so already, create a free account on our web application. This is only to track your application installations so we can automatically upgrade the applications on your behalf. You will not be asked to provide any infrastructure credentials or sensitive information.
Next, install the Plural CLI and dependencies. Plural’s CLI can be pulled down via curl, brew, or as a prebaked Docker image. Since we’re on a Mac, we’ll use brew. If you’re not on a Mac, you can use one of these other options to pull the CLI down.
brew install pluralsh/plural/plural
Brew will install Plural, alongside terraform, helm, and kubectl for you. If you have already installed any of those dependencies yourself, you can add --without-helm, --without-terraform, or --without-kubectl to the brew command.
Once Plural is installed in your CLI, you’ll need to set up a Git repository to store your Plural configuration. This will contain the Helm charts, Terraform config, and Kubernetes manifests that Plural will autogenerate for you.
For this step, you have two options to get up and running.
- Run plural init in any directory to let Plural initiate an OAuth workflow to create a Git repo for you
- Create a Git repo manually, clone it down, and run plural init inside it
Running plural init will start a configuration wizard to configure your Git repo and cloud provider for use with Plural. You're now ready to install Kubescape on your Plural repo.
To find the console bundle name for your cloud provider, run:
plural bundle list kubescape
Now, to add it to your workspace, run the install command. If you're on AWS, this is what the command would look like:
plural bundle install kubescape kubescape-aws
Plural's Kubescape distribution has support for AWS, GCP, and Azure, so feel free to pick whichever best fits your infrastructure.
The CLI will prompt you to choose whether you want to use Plural OIDC. OIDC allows you to log in to the applications you host on Plural with your login to app.plural.sh, acting as an SSO provider.
To generate the configuration and deploy your infrastructure, run:
plural deploy --commit "deploying kubescape"
Note: Deployments will generally take 10-20 minutes, based on your cloud provider.
To make management of your installation as simple as possible, we recommend installing the Plural Console. The console provides tools to manage resource scaling, automated upgrades, dashboards tailored to your Kubescape installation, and log aggregation. This can be done using the exact same process as above, using AWS as an example:
plural bundle install console console-aws
plural deploy --commit "deploying the console too"
Now, head over to kubescape.YOUR_SUBDOMAIN.onplural.sh to access the Kubescape UI. If you set up a different subdomain for Kubescape during installation, make sure to use that instead.
To monitor and manage your Kubescape installation, head over to the Plural Console at console.YOUR_SUBDOMAIN.onplural.sh.
If you have any issues with installing Kubescape on Plural, feel free to join our Discord community so a member of our team or community can help you out.
If you'd like to request any new features for our Kubescape installation, feel free to open an issue here.