Hello, everyone, and welcome to this CNCF webinar. Today I'm excited to introduce Kubescape 3.0, which is a significant advancement in open-source Kubernetes security posture management, and let's dive into what makes this release so special.

Before we get started, a quick introduction. My name is Gal Ghibli, and I'm the open-source product manager at ARMO. I'm deeply involved in the development of Kubescape, and I also have a background in DevOps for a few years. So feel free to connect with me on LinkedIn; I'm always open to having a conversation.

What's our agenda for today? Our agenda includes an in-depth introduction to Kubescape 3.0. We are also going to have a live demo of the CLI, a detailed look at some highlights of Kubescape 3.0, and some information about what's coming next, which is also very important.

So, Kubescape 3.0. Kubescape 3.0 represents a significant leap in Kubernetes security posture management. It leverages automation tools to identify and resolve security misconfigurations and compliance issues across all Kubernetes components. Today we'll be exploring its new additions, including scan results as CRDs, CVE scanning from the CLI, comprehensive vulnerability results, and much, much more.

A quick intro to Kubescape and its history. Kubescape was launched in 2021 as a tool for validating a cluster against the NSA hardening guidance, which had been issued just a month earlier. Fast forward to 2022: Kubescape is the leading open-source project for Kubernetes security, and it was accepted as a CNCF sandbox project. Fast forward again to 2023, and here we are now.

What we will do next is I'll walk you through a live demo showcasing how these new features work in real time and how they can benefit your Kubernetes security posture. Let's start with the in-cluster component, which will lead us ahead in this demo.
Following this documentation, we're going to install the Kubescape in-cluster component, and you may see that in this code snippet I have set the capabilities continuous scan option to enable. This is used to determine which capabilities will be enabled or disabled according to your needs, as we talked about before. So you can enable or disable configuration scan, node scan, reachability and many more capabilities.

After I've installed the in-cluster component, the first scan was already done for me, as I set the scan capability to enable, and I can now view the results fairly easily using the following commands. For instance, let's look at the list of workload configuration summaries. If I run this command, I get the full list of all the configuration summary objects that I now have using Kubescape, and let's say that I want to examine this one specifically. So I'm going to look at the detailed view of this workload configuration scan. I can just take this, put it right here with the namespace, and I get the full report of that workload, including all the controls that ran against this workload and, of course, the result: whether it passed or, in this instance, failed. The same can be done with the vulnerability manifest summaries in order to get the detailed view. So I can just take this, put it right here with the namespace, and go to describe.
And I will get a detailed view of the vulnerability scan for this specific image. So I have two high, I have 50 low, and so on. You see how easy it is for open-source users now to consume the info that Kubescape collects without building and maintaining your own dashboard. That's the first thing I wanted to show you.

Moving on, we are going to talk about the Kubescape 3.0 CLI version. I'm going to install it with the command right here, and I'm going to run this. Now I want to start by showing you the new look of the reports provided by Kubescape. It's very easy to get going with kubescape scan. The kubescape scan command will now run and scan against my current-context cluster. I have a cluster up and running with Kubernetes Goat, which is a deliberately vulnerable project, on that cluster. As soon as the scan is finished, I actually want to focus for a second on this last part right here, which is the "what now" section. Here it's important to say that we not only provide you with lots of data; we also want to suggest the next steps you should take in order to get your cluster to the highest security level and improve your security posture. So you can scan a specific workload, you may scan images, or you may scan for specific controls to get more information about how this control affects your environment.

Now, scrolling up just a bit, we see the highest-stake workloads, which are the workloads that Kubescape identified as the riskiest in your environment. In terms of prioritization, you should start with those workloads first. And the easy way is to just run the command offered by Kubescape and go over the results. It's so easy, right? Now imagine that you implement these capabilities in a CI pipeline, including image scanning using the Kubescape CLI, or even implement the easy-to-use GitHub Action that we also provide.
It makes things a lot easier to set gates and fail the pipeline if something doesn't look right in terms of vulnerabilities, controls, compliance, and so on. And this is the result: the scan for that specific workload that we just asked for. We have the different controls that failed on this workload and also the summary of the vulnerabilities for that workload. And if you want to run and scan this specific image, we can do it with this command right here. Again, the "what's next" is a very important step.

So let's see what else this report has to say about our security posture. You can see right here I have the compliance score according to NSA and MITRE. And you can see at the top that we've divided the controls into sections, so it will be easier to spot the issues in every section. We have the controls at the workload level, the network level, the control plane. So we cover what you need to know, and each one of these also has a verbose mode to see more detailed results every time. I can also run a specific control scan using kubescape scan control, and it will show me this control for my entire environment. And of course, we also preserved the easy-to-use command to scan for a specific framework like NSA, MITRE and CIS if you want to.

We were talking about scanning images, and I want to show you how easy that is right now. You just use kubescape scan image and the image name, and you will get a report for that image with all the vulnerabilities in it. You can see right here the full table: I have this amount of critical, which is three for this component and this version, and it was also fixed in that version. So we're also letting you know what version you should upgrade to. We have in total 137 vulnerabilities, and these are the most vulnerable components in my environment. I can also go for the verbose mode, and I will get even more information.
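The pipeline gate described above (fail the build when an image scan shows too many vulnerabilities of a given severity, and tell the engineer which version fixes each component), written out as an added example. This is not Kubescape's code and does not use its real JSON schema: the report shape, the sample findings, and the gate thresholds are all constructed for the example, so in a real pipeline you would replace `load_findings` with a parser for the CLI's actual output.

```python
"""Added example (not Kubescape's code, not its exact JSON schema): a CI
pipeline gate over an image vulnerability scan result.

The input shape is an assumption chosen for the example: a list of findings,
each carrying the affected component, its installed version, the version that
fixes the issue (None when no fix exists) and a severity label.
"""
import json
import re
import sys
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible")

# Constructed sample data, shaped like the table the CLI prints in the webinar
# (component, installed version, fixed version, severity).
SAMPLE_REPORT = json.dumps({"findings": [
    {"component": "libssl", "version": "1.1.1k", "fixed_in": "1.1.1n", "severity": "Critical"},
    {"component": "curl", "version": "7.79.1", "fixed_in": "7.84.0", "severity": "High"},
    {"component": "curl", "version": "7.79.1", "fixed_in": "7.83.0", "severity": "High"},
    {"component": "busybox", "version": "1.34.1", "fixed_in": None, "severity": "Medium"},
    {"component": "zlib", "version": "1.2.11", "fixed_in": "1.2.12", "severity": "Low"},
]})

# Gate policy (assumed for the example): the maximum number of findings
# tolerated per severity. Severities not listed are reported but never fail the build.
DEFAULT_POLICY = {"Critical": 0, "High": 5}


def load_findings(report_text):
    """Parse the assumed report shape; unknown severities are normalised to 'Negligible'."""
    findings = json.loads(report_text)["findings"]
    for finding in findings:
        if finding.get("severity") not in SEVERITIES:
            finding["severity"] = "Negligible"
    return findings


def count_by_severity(findings):
    """Count findings per severity, always returning every severity key."""
    counts = Counter(finding["severity"] for finding in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, reasons): reasons lists every severity whose count exceeds the policy."""
    counts = count_by_severity(findings)
    reasons = [
        f"{counts[sev]} {sev} finding(s) exceed the limit of {limit}"
        for sev, limit in policy.items()
        if counts[sev] > limit
    ]
    return (not reasons, reasons)


def _version_key(version):
    """Numeric-only sort key, good enough to pick the newest fix for one component."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def upgrade_plan(findings):
    """Map each fixable component to the newest fixed-in version among its findings."""
    plan = {}
    for finding in findings:
        fixed = finding.get("fixed_in")
        if not fixed:
            continue  # no upstream fix yet; nothing to upgrade to
        current = plan.get(finding["component"])
        if current is None or _version_key(fixed) > _version_key(current):
            plan[finding["component"]] = fixed
    return plan


def main(report_text=SAMPLE_REPORT):
    """Print the summary and return the process exit code a CI job would use."""
    findings = load_findings(report_text)
    print("Vulnerabilities by severity:", count_by_severity(findings))
    for component, version in sorted(upgrade_plan(findings).items()):
        print(f"  upgrade {component} to {version}")
    passed, reasons = evaluate_gate(findings)
    for reason in reasons:
        print("GATE FAILURE:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    # Read a report from stdin when one is piped in, otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(main(text or SAMPLE_REPORT))
```

With the sample data the gate fails on the single critical finding (the policy tolerates none), while the upgrade plan picks the newest fixed version per component, so curl is reported against 7.84.0 rather than 7.83.0, and busybox is left out because no fix exists yet. A non-zero exit code from `main` is what makes the CI step fail.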
But it doesn't end here. You can also use the GitHub Action to scan your images as well, so I encourage you to do that.

Talking about Kubescape 3.0, let's put on the highlights and dive into the key highlights of Kubescape 3.0. In Kubescape 3.0, we focused on two main areas. The first is the addition of functionality, and the second is actually improving the user experience, which is very, very important to us. All of this is with the goal of making security a more appealing chore for DevOps engineers and something that becomes ingrained in the development processes for engineers, which results in a more secure Kubernetes installation.

So what do we have here? We have the new configuration scan results, which are stored in cluster. We made it possible to store scan results in cluster, enhancing visibility and ongoing security management, of course. Kubescape can now scan running clusters in two ways: with an in-cluster agent installed via a Helm chart, or agent-free using the command line, which is the second option. In previous versions, the result data from the in-cluster scans was only available to be sent to the ARMO platform. Now what we've added is easily available to all open-source users without the chore of building and maintaining your own dashboard. So in Kubescape 3.0, we added in-cluster storage for the scan results, and with the Kubescape in-cluster components installed, you also get that in-cluster storage. You'll be able to see your scan results in, for instance, configuration scan summary and workload configuration scan summary. These are two new objects.

We also added vulnerability scanning in the CLI as well as in cluster. In previous versions of Kubescape, it supported vulnerability scanning inside the cluster only.
What we've done is bring this feature to the Kubescape command line in 3.0, and actually bringing our image scanning to the command line unlocks many great use cases. You can scan a manifest file in the CI pipeline, and you can flag or reject it based on the number and class of the vulnerabilities in the containers that will be installed. You can also use the CLI to scan an individual image and get output in the same JSON format as the in-cluster objects.

A new key feature that we released is the new scan modes. We have introduced a new cluster baseline security scan, which performs some key security checks and then shows you the number of resources which have certain permissions. You are then able to set up risk acceptance rules to allow those things which are deliberately installed or configured in your cluster. For example, malware in a cluster will often attempt to create a cluster-admin role or a role with permissions that approximate it. With the Kubescape baseline scan, you can identify which roles you have installed that should have these permissions, and then easily see or be notified when the configuration changes from your security baseline.

Another cool thing is the capabilities-based in-cluster installation. With our new in-cluster features, we've made it easy to enable and disable them in our Helm chart. You can configure configuration scanning, vulnerability scanning, reachability (formerly known as relevancy) and the node scan of the node agent in the values.yaml file. So it's a more flexible and customizable installation process, which is tailored to your needs.

In conclusion, Kubescape 3.0 is a major release, but our journey doesn't end here. We're already looking ahead to Kubescape 3.1 and well beyond. Throughout the rest of the year, we'll be focusing on completing our compliance and vulnerability scanning roadmap.
And this includes introducing an in-cluster UI for enhanced visualization of all your saved results that we just talked about. It's going to make it even easier to manage and understand your Kubernetes security posture, and much, much more.

As a wrap-up, I want to emphasize that your feedback and ideas are incredibly valuable to us. We also hold community meetings on Zoom on the first Tuesday of every month at 2 PM GMT, and we'd love to see you there, because your insights help us continually improve Kubescape, and that's very important for us. A big thank you to all our contributors; your efforts make Kubescape better with each release. If you're interested in contributing, please check out our GitHub for more information on how to join the Kubescape community. I really encourage you to check out our new release and share your thoughts on the Kubescape channel on the CNCF Slack. We're excited to see how it will enhance your Kubernetes security management, and I would like to thank you very much for listening today.