Kubernetes Security Scanning - The 4 Tools You Actually Need

Learn to implement a standardized security scanning stack for Kubernetes clusters using four essential industry-standard tools. Navigate through the noisy CNCF landscape to identify and deploy the most effective security tools for day-two operations. Master KubeBench for CIS benchmark compliance checking, KubeHunter for red team penetration testing to identify vulnerabilities and backdoors, Sonobuoy for official CNCF conformance testing to ensure API correctness and interoperability, and Syft & Grype for generating Software Bill of Materials (SBOM) and scanning container images for CVEs including critical vulnerabilities like log4j. Practice running security scans manually using CLI tools and Kubernetes manifests, then discover how to automate the entire security scanning process using Spectro Cloud Palette to transform complex security operations into simple toggle-based configurations. Analyze scan results, generate comprehensive reports in PDF and CSV formats, and explore API access for exporting audit data to integrate with existing security workflows.

Syllabus

- Intro: Keeping your cluster secure Day 2 and beyond
- The problem with the CNCF Landscape Too much noise
- The Security Stack: Selecting the right tools
- Tool 1: KubeBench CIS Benchmarks & Hygiene
- Tool 2: KubeHunter Red Teaming/Offensive
- Tool 3: Sonobuoy Conformance & Interoperability
- Tool 4: Syft & Grype Supply Chain & SBOMs
- Demo: Running scans manually with CLI & Manifests
- Analyzing KubeHunter results
- Generating an SBOM with Syft
- Demo: Automating security scans with Palette
- Reviewing the automated reports PDF/CSV
- API Access & Exporting Audit Data