It is standard practice to scan applications and artifacts for vulnerabilities. But why stop there? Aqua wanted to bring the same level of security to Kubernetes.
Translated from "Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s" by Itay Shakury. Itay Shakury is VP of Open Source at Aqua Security, where he leads the engineering of open source, cloud-native security solutions. Itay has nearly 20 years of professional experience in a variety of software development, architecture, and product management roles.
Kubernetes, often referred to as the "operating system of the cloud," is a complex and critical piece of infrastructure in a modern cloud-native environment. Given its complex composition, it is essential to ensure its security. To help organizations better understand the components in a Kubernetes environment and greatly reduce risk, Aqua Security's open-source security scanner Trivy has introduced a Kubernetes Bill of Materials (KBOM).
Traditionally, Kubernetes security tools have focused on misconfiguration and hardening. Kubernetes security standards have been developed, such as Kubernetes Pod Security Policies, the CIS Kubernetes Benchmark, the NSA/CISA Kubernetes hardening guidance, and more. Aqua Security has also released the popular open-source cluster assessment tool kube-bench. However, there is still a significant gap in assessing the vulnerabilities of the Kubernetes cluster itself. This is especially critical given the central role of Kubernetes in cloud infrastructure.
While vulnerability scanning of Kubernetes clusters has been neglected, scanning of applications and artifacts is booming. This practice has evolved over time and culminated a few years ago in the popularity of software bills of materials (SBOMs). As veterans of vulnerability scanning, we at Aqua Security have leveraged SBOM's principles in our products, but SBOM's effort to bring standardization and interoperability to the industry does match the results of vulnerability assessment practice. Nowadays, scanning applications and artifacts for vulnerabilities is standard practice.
But why stop there? We want to bring the same level of acceptance and adoption to Kubernetes that SBOM has achieved in the application space. By using KBOM to analyze a Kubernetes cluster, Trivy can generate a comprehensive inventory of all the components used in it. This mirrors the focus of SBOM: where SBOM focuses on workloads, KBOM explores the composition of the Kubernetes cluster itself. Which kubelet are you running on which node? What Container Network Interface (CNI) are you using? These are the questions that KBOM aims to answer.
Kubernetes is a complex system with many moving parts, and sometimes they are installed and configured separately. A Kubernetes distribution packages selected core Kubernetes components with other necessary components to create a usable Kubernetes cluster. Accurately mapping the composition of a Kubernetes cluster not only helps users, developers, and cluster administrators maintain the system, but also paves the way for accurate vulnerability assessment. Building on KBOM, Trivy can now provide a complete vulnerability assessment of Kubernetes clusters and their core components. This leverages the official Kubernetes vulnerability advisory feed, which Aqua Security curated to make it compatible with KBOM. This marks a significant step forward in providing comprehensive Kubernetes security.
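To make the inventory-then-match idea concrete, here is an added Python example (not Trivy's code) that flattens a constructed CycloneDX-style KBOM into per-node component rows and checks each version against a constructed advisory feed. The component layout under `properties`, the advisory ranges and the advisory IDs are all assumptions made up for this illustration; only the top-level CycloneDX keys follow the real specification.

```python
import json

# Constructed KBOM in CycloneDX style: one api-server, two worker nodes whose
# kubelets differ, and the CNI each node runs (property layout is assumed, not Trivy's).
KBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "application", "name": "kube-apiserver", "version": "1.26.3"},
        {"type": "platform", "name": "worker-1", "properties": [
            {"name": "kubelet", "value": "1.26.3"}, {"name": "cni", "value": "cilium@1.13.2"}]},
        {"type": "platform", "name": "worker-2", "properties": [
            {"name": "kubelet", "value": "1.25.9"}, {"name": "cni", "value": "cilium@1.13.2"}]},
    ]})

# Constructed advisory feed: component -> list of (id, introduced, fixed) ranges;
# a version is affected when introduced <= version < fixed. IDs are placeholders.
ADVISORIES = {
    "kube-apiserver": [("ADV-PLACEHOLDER-1", "1.26.0", "1.26.4")],
    "kubelet": [("ADV-PLACEHOLDER-2", "1.25.0", "1.25.10")],
    "cilium": [("ADV-PLACEHOLDER-3", "1.13.0", "1.13.2")],
}

def parse_version(s):
    """Turn '1.26.3' into (1, 26, 3) so '1.25.9' sorts below '1.25.10' (string compare would not)."""
    return tuple(int(p) for p in s.split("."))

def inventory(kbom_json):
    """Flatten the KBOM into (component, version, location) rows, one per node-level item."""
    rows = []
    for comp in json.loads(kbom_json)["components"]:
        if comp["type"] == "application":
            rows.append((comp["name"], comp["version"], "control-plane"))
        elif comp["type"] == "platform":
            for prop in comp.get("properties", []):
                name, _, version = prop["value"].partition("@")
                if not version:  # a value without '@' is a bare version of the named component
                    name, version = prop["name"], prop["value"]
                rows.append((name, version, comp["name"]))
    return rows

def scan(kbom_json, advisories):
    """Return one finding per (advisory, component, location) whose version falls in range."""
    findings = []
    for name, version, location in inventory(kbom_json):
        v = parse_version(version)
        for adv_id, introduced, fixed in advisories.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append({"id": adv_id, "component": name,
                                 "version": version, "location": location})
    return findings

if __name__ == "__main__":
    for f in scan(KBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['component']} {f['version']} on {f['location']}")
```

Only worker-2's older kubelet and the api-server fall inside an advisory range; worker-1 and the CNI on both nodes are already at or past the fixed version, which is exactly the per-node answer a KBOM-driven scan is meant to give.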
Figure 1: Trivy discovered a vulnerability in the Kubernetes component api-server.
If we think of Kubernetes as the "operating system of the cloud," then we should hold it to the same standard as other operating systems in terms of security and vulnerabilities. Trivy is already a prominent vulnerability scanner for operating systems, and with the recent addition of KBOM and Kubernetes vulnerability scanning, it reaches another important milestone.
Join the Trivy community and star it on GitHub.