Kubernetes and Cloud Native Security Associate (KCSA)

Compliance and Security Frameworks

Automation and Tooling

In this lesson, we recap essential automation and tooling for cloud-native security. Throughout this course, you’ve explored multiple open source and commercial solutions. Here, we review those tools, highlight alternatives, and reference key resources such as the Cloud Native Security Whitepaper by SIG Security.

The image is a cover for the "Cloud Native Security Whitepaper" by TAG Security, featuring a blue abstract background and a list of contributors and reviewers.

The Cloud Native Security Whitepaper provides foundational guidance authored by industry experts. To interactively explore security tools mapped to each phase of the application lifecycle, visit the Cloud Native Security Map:

The image is a cover for a "Cloud Native Security Whitepaper" featuring a "Cloud Native Security Map," which serves as a guide for navigating the cloud native security landscape. It includes sections on development, distribution, deployment, runtime, security assurance, and compliance.

Note

Explore the interactive map at cnsmap.netfly.app to discover security tools and best practices organized by Develop, Distribute, Deploy, and Runtime phases.


Development Phase

The Develop phase emphasizes “shift-left” testing by integrating security early in code, Dockerfile, and infrastructure-as-code creation. Commit artifacts to repositories (GitHub, GitLab, etc.) with automated checks to:

  • Block high-severity vulnerabilities when fixes exist
  • Enforce non-root container execution
  • Restrict allowed base images

The image is a diagram illustrating a software development process, highlighting stages like coding, committing, distributing, deploying, and runtime, with an emphasis on "Shift-Left" for early testing and integration.

Fuzz Testing with OSS-Fuzz

Google’s [OSS-Fuzz][oss-fuzz] automates fuzz testing of open source projects to discover crashes and undefined behavior.

def parse_integer(input_string):
    try:
        return int(input_string)
    except ValueError:
        return "Error: Not a valid integer"

Below is a simple fuzz harness for parse_integer:

import random, string

def generate_random_string(length=10):
    charset = string.ascii_letters + string.digits + string.punctuation
    return ''.join(random.choice(charset) for _ in range(length))

def fuzz_test_parse_integer(iterations=10):
    for _ in range(iterations):
        rand_in = generate_random_string(random.randint(1, 20))
        print(f"Testing: '{rand_in}' -> {parse_integer(rand_in)}")

fuzz_test_parse_integer()

Example output:

Testing: '@123$%' -> Error: Not a valid integer
Testing: '87ab1' -> Error: Not a valid integer
Testing: '' -> Error: Not a valid integer
Testing: '42' -> 42

IDE & CLI Security Extensions

  • [Snyk VS Code Extension][snyk-vscode]
  • Fabricate by Red Hat (VS Code plugin)
  • [kube-linter][kube-linter] – Scan Kubernetes YAML:
kube-linter lint pod.yaml

Distribution Phase

In the Distribute phase, CI/CD pipelines build, test, and push container images to registries. Common tools include:

CI/CD Pipeline ToolUse Case
TektonKubernetes-native pipelines
JenkinsExtensible automation server
Travis CICloud-hosted continuous testing
CircleCIContainer-based CI
Flux CDGitOps continuous delivery
Argo CDDeclarative GitOps controller

Before building images, enforce policy compliance on manifests:

  • [KubeSec][kubesec] scans Kubernetes YAML for misconfigurations.
  • TeraScan validates IaC (Terraform, Dockerfile, Helm, CloudFormation) against CIS, NIST, GDPR, HIPAA.
Violation Details =
  Description: [Enabling S3 versioning allows easy recovery]
  file: modules/s3/main.tf
  Severity: 101
  Rule ID: AWS.S3Bucket.IAM.High.0370

Warning

Always validate manifests before image builds to prevent deployment of insecure configurations.

After validation, build and scan images:

ScannerScopeExample Command
TrivyContainer images, filesystems, Git repostrivy image myapp:latest
ClairStatic image analysis via APIAPI integration
GrypeImages & filesystem scanninggrype myimage:tag
NucleiCustom checks via YAML templatesnuclei -t templates/

To secure the software supply chain, use signing frameworks:

  • [in-toto][in-toto] – End-to-end supply chain security
  • [Notary][notary], [TUF][tuf], [Sigstore][sigstore]

The image is a diagram illustrating a software development and distribution pipeline, featuring tools for build pipelines, app tests, container manifests, security tests, signing/trust, and container registry. It includes logos of various tools like Tekton, Jenkins, Trivy, and Dockerhub, organized under different stages from development to deployment.


Deployment Phase

The Deploy phase covers pre-flight checks, observability, and incident response:

  • Pre-flight Checks

    • [OPA Gatekeeper][gatekeeper] – Policies in Rego
    • [Kyverno][kyverno] – YAML-based policy management
  • Observability

    • [Prometheus][prometheus] + [Grafana][grafana]
    • [Elasticsearch][elasticsearch] + [Kibana][kibana]
    • [OpenTelemetry][otel]
  • Response & Investigation

    • [Wazuh][wazuh]
    • [Snort][snort]
    • [Zeek][zeek]

The image illustrates a software development and deployment process, highlighting tools for pre-flight checks, observability, and response & investigation, with a dashboard showing incident response data.


Runtime Phase

Once applications are live, enforce continuous security and reliability:

  • CIS Benchmarking
    • [kube-bench][kube-bench] – CIS checks for Kubernetes clusters:
[FAIL] 1.1.1 Ensure --allow-privileged is false
[PASS] 1.1.2 Ensure --anonymous-auth is not set
  • Runtime Security

    • Falco – System call monitoring
    • Trivy – Continuous workload scanning
    • SPIFFE – Workload identity via certificates
  • Service Mesh

    • Istio, Linkerd
  • Storage Orchestration

    • Rook, Ceph, Gluster
  • Access Management

    • Keycloak, Teleport, HashiCorp Vault

The image is a categorized list of DevOps tools used for development, distribution, and deployment processes, including sections for build pipelines, security tests, observability, and more. Each category contains specific tools like Jenkins, Prometheus, and Istio.


Summary

Map these tools to your cloud-native lifecycle for improved security and efficiency:

  • Develop: Shift-left scanners & IDE plugins
  • Distribute: CI/CD pipelines, manifest & image scanners, signing frameworks
  • Deploy: Policy enforcement, observability, incident response
  • Runtime: Continuous monitoring, service mesh, access & storage management

  • OSS-Fuzz: https://github.com/google/oss-fuzz
  • Snyk VS Code Extension: https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner
  • kube-linter: https://github.com/stackrox/kube-linter
  • KubeSec: https://github.com/controlplaneio/kubesec
  • in-toto: https://github.com/in-toto/in-toto
  • Notary: https://github.com/theupdateframework/notary
  • The Update Framework (TUF): https://theupdateframework.io/
  • Sigstore: https://sigstore.dev/
  • OPA Gatekeeper: https://github.com/open-policy-agent/gatekeeper
  • Kyverno: https://kyverno.io/
  • Prometheus: https://prometheus.io/
  • Grafana: https://grafana.com/
  • Elasticsearch: https://www.elastic.co/elasticsearch
  • Kibana: https://www.elastic.co/kibana
  • OpenTelemetry: https://opentelemetry.io/
  • Wazuh: https://wazuh.com/
  • Snort: https://www.snort.org/
  • Zeek: https://zeek.org/
  • kube-bench: https://github.com/aquasecurity/kube-bench
  • Tekton: https://tekton.dev/
  • Jenkins: https://www.jenkins.io/
  • Travis CI: https://travis-ci.org/
  • CircleCI: https://circleci.com/
  • Flux CD: https://fluxcd.io/
  • Argo CD: https://argo-cd.readthedocs.io/
  • Docker Hub: https://hub.docker.com/
  • Harbor: https://goharbor.io/
  • GitHub Container Registry: https://github.com/features/packages
  • Nexus Repository: https://www.sonatype.com/product-nexus-repository

Watch Video

Watch video content

Previous
Supply Chain Compliance