Aqua Blog

Kubernetes Benchmark Scans with Trivy: CIS and NSA Reports

One of Trivy’s core features is Trivy Kubernetes for in-cluster security scans of running workloads. This tutorial will showcase how to generate CIS and NSA reports both through the Trivy CLI and the Trivy Operator.

Additionally, we will look at how users can add the Kubernetes Specification for their own Compliance Report format to expand the security audits of the Trivy Operator.

Introduction to Kubernetes Benchmarks

The two best-known Kubernetes security benchmarks are CIS and NSA. CIS (Center for Internet Security) is a not-for-profit that publishes recommendations on security best practices. As part of its work, it has released a set of recommendations for configuring Kubernetes clusters and workloads. The CIS benchmarks look not only at the running workloads but also at the infrastructure setup, such as the Kubernetes control plane components. Additional details on the CIS benchmarks can be found in the Aqua documentation.

In comparison, the NSA compliance checks are often categorized as a benchmark but are better described as a Kubernetes hardening guide. The NSA guidelines also provide recommendations on resources and infrastructure outside of Kubernetes workloads. A closer look at the NSA guidelines is provided in the official Kubernetes documentation.

When a user is running a benchmark compliance check on their infrastructure and workloads, the scanner will compare the running resources in the cluster with the best practices detailed in the benchmark. Each recommendation of the benchmark will be evaluated separately. The final report will then detail which checks have failed. However, it is worth noting that there is not a 100% match between the compliance benchmarks and Kubernetes versions. Thus, users should evaluate the failures in the compliance report with caution.

Generate Trivy Compliance Reports

Trivy Kubernetes makes it possible to use the Trivy CLI to scan your infrastructure and running workloads for security issues through the Trivy Kubernetes command. This section will showcase how to use the Trivy CLI to generate CIS and NSA scans based on your Kubernetes cluster.

Prerequisites

Please ensure that you have the Trivy CLI installed. Different installation options can be found in the Trivy documentation.

Ensure that the Trivy CLI is installed correctly by verifying the version installed in your terminal:

trivy --version
Version: 0.36.1

Additionally, to generate compliance reports on a Kubernetes cluster, you will need access to the cluster.

Generating CIS reports with the Trivy CLI

To scan the full cluster and produce a CIS report summary, we can use the following command:

trivy k8s cluster --compliance=<compliance_id> --report summary

The <compliance_id> refers to k8s-nsa or k8s-cis scans. In this case, we are first going to generate a CIS report:

trivy k8s cluster --compliance=k8s-cis --report summary

To receive the details of the report, we can change the report type from summary to all:

trivy k8s cluster --compliance=k8s-cis --report all

Additionally, most flags can be used across Trivy commands. Thus, the report can be saved directly to a file with the --output flag:

trivy k8s cluster --compliance=k8s-cis --report all --output cis-report.json

Below you can see a partial screenshot of the result for the CIS summary scan:

[Image: partial screenshot of the result for the CIS summary scan]

Generating NSA reports with the Trivy CLI

The same commands can be used to produce NSA (US National Security Agency) reports with the Trivy CLI. We merely have to replace k8s-cis with k8s-nsa in the <compliance_id> field:

trivy k8s cluster --compliance=k8s-nsa --report summary

To receive the details of the report, we can change the report type from summary to all:

trivy k8s cluster --compliance=k8s-nsa --report all

Additionally, the report can be saved directly to a file as we have done before:

trivy k8s cluster --compliance=k8s-nsa --report all --output nsa-report.json

Below you can see a screenshot of the result for the NSA summary scan:

[Image: screenshot of the result for the NSA summary scan]
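The commands above write the summary report to a JSON file, and the introduction warns that benchmark and Kubernetes versions do not line up exactly, so not every failed check should break a pipeline. The following script is an added example (not code from the Aqua post or the Trivy project) that reads such a file, keeps only failing controls at or above a chosen severity, and lets reviewed failures be waived by control ID. It assumes the summary JSON has the shape constructed in SAMPLE_REPORT (a top-level "ID" and "Title" plus a "SummaryControls" list whose entries carry "ID", "Name", "Severity", "TotalPass" and "TotalFail"); confirm that against the output of your Trivy version before relying on it.

```python
"""Gate a pipeline on a Trivy Kubernetes compliance summary report.

Added example, not part of the original post or of Trivy. The report shape
below is an assumption about the JSON written by
`trivy k8s cluster --compliance=k8s-cis --report summary --output cis-report.json`.
"""
import json
import sys

# Constructed sample in the assumed summary-report shape; not real scan output.
SAMPLE_REPORT = json.dumps({
    "ID": "k8s-cis",
    "Title": "CIS Kubernetes Benchmark (sample)",
    "SummaryControls": [
        {"ID": "1.1.1", "Name": "API server pod spec file permissions are 644 or stricter",
         "Severity": "HIGH", "TotalPass": 1, "TotalFail": 0},
        {"ID": "5.1.1", "Name": "cluster-admin role is only used where required",
         "Severity": "HIGH", "TotalPass": 4, "TotalFail": 2},
        {"ID": "5.2.2", "Name": "Minimize the admission of privileged containers",
         "Severity": "HIGH", "TotalPass": 40, "TotalFail": 1},
        {"ID": "5.7.4", "Name": "The default namespace should not be used",
         "Severity": "LOW", "TotalPass": 0, "TotalFail": 3},
    ],
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def failing_controls(report_json, min_severity="HIGH", waived=()):
    """Return the summary controls that should block the pipeline.

    A control blocks when it has at least one failing check, its severity is
    at or above min_severity, and its ID is not in the waiver list. Waivers
    are for failures a reviewer has examined and accepted, e.g. checks that
    do not apply to the cluster's Kubernetes version.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for control in report.get("SummaryControls", []):
        if control.get("TotalFail", 0) == 0:
            continue
        if control["ID"] in waived:
            continue
        rank = SEVERITY_RANK.get(str(control.get("Severity", "UNKNOWN")).upper(), 0)
        if rank < threshold:
            continue
        blocking.append(control)
    return blocking


def summarize(report_json, min_severity="HIGH", waived=()):
    """Return (human-readable text, exit code); exit code 0 passes, 1 blocks."""
    report = json.loads(report_json)
    blocking = failing_controls(report_json, min_severity, waived)
    lines = [f"{report.get('ID')}: {report.get('Title')}"]
    for c in blocking:
        lines.append(f"  FAIL [{c['Severity']}] {c['ID']} {c['Name']} ({c['TotalFail']} failing)")
    lines.append("result: BLOCK" if blocking else "result: PASS")
    return "\n".join(lines), (1 if blocking else 0)


if __name__ == "__main__":
    # Usage: python gate.py cis-report.json [WAIVED_CONTROL_ID ...]
    # With no arguments the constructed sample is used, waiving control 5.1.1.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
        waivers = tuple(sys.argv[2:])
    else:
        data, waivers = SAMPLE_REPORT, ("5.1.1",)
    text, code = summarize(data, waived=waivers)
    print(text)
    sys.exit(code)
```

Run against the sample, the script blocks on control 5.2.2 only: 1.1.1 has no failures, 5.7.4 is below the HIGH threshold, and 5.1.1 is waived. Keep the waiver list in version control next to the pipeline definition so that each accepted failure is reviewed rather than silently ignored.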

Automate Benchmark Scans through the Trivy Operator

The Trivy CLI is great for user-initiated scans, whether these take place through the command line or through a CI/CD pipeline. However, in large-scale environments it is important to have access to security reports on a continuous basis. Security benchmark scans can be automated by installing the Trivy Operator on your Kubernetes cluster. In addition to security benchmark scans, it will scan for container vulnerabilities, exposed secrets, RBAC issues, and misconfigurations.

Prerequisites

To follow this section of the tutorial, you will need:

Setting up the Trivy Kubernetes Operator

Next, we will follow the Trivy Operator Helm Chart installation from the documentation:

  1. Add the Helm Chart to your Helm repository list:
    helm repo add aqua https://aquasecurity.github.io/helm-charts/
  2. Next, update the Helm Chart repositories that you are connected to:
    helm repo update
  3. And lastly, install the Trivy Operator Helm Chart:

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --version 0.10.1

You should see the following success message upon successful installation:

NAME: trivy-operator
LAST DEPLOYED: Mon Jan 16 14:13:57 2023
NAMESPACE: trivy-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have installed Trivy Operator in the trivy-system namespace.
It is configured to discover Kubernetes workloads and resources in
all namespace(s).

Inspect created VulnerabilityReports by:
kubectl get vulnerabilityreports --all-namespaces -o wide

Inspect created ConfigAuditReports by:
kubectl get configauditreports --all-namespaces -o wide

Inspect the work log of trivy-operator by:
kubectl logs -n trivy-system deployment/trivy-operator

Next ensure that the Trivy Operator pod is running in your Kubernetes cluster:
kubectl get all -n trivy-system

The output should be like the following content:

kubectl get all -n trivy-system
NAME                                READY   STATUS    RESTARTS   AGE
pod/trivy-operator-59fc6d84d-xkr8h   1/1    Running   0          3m
NAME                     TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
service/trivy-operator   ClusterIP   None       <none>       80/TCP    3m
NAME                            READY   UP-TO-DATE   AVAILABLE    AGE
deployment.apps/trivy-operator   1/1     1            1           3m
NAME                                     DESIRED   CURRENT   READY   AGE
replicaset.apps/trivy-operator-59fc6d84d   1         1         1      3m

Once everything is running correctly, you should be able to query the Kubernetes benchmark reports generated by the Trivy Operator:

kubectl get clustercompliancereport
NAME   AGE
cis    10m
nsa    10m

•    NSA report:
kubectl get clustercompliancereport nsa -o yaml

•    CIS report:
kubectl get clustercompliancereport cis -o yaml

Modify Trivy Operator Compliance Report

By default, the Trivy Operator will perform the compliance scans every six hours. However, it is possible to modify the cron expression in the YAML manifest of each CRD (Custom Resource Definition). Each report, NSA and CIS, has a CRD that is responsible for defining how the report is generated.

The respective CRDs can be accessed like any other Kubernetes resource in your cluster:
kubectl get crd -n trivy-system

To edit the CRD, open it in your editor (vim by default) through the following command:
kubectl edit crd clustercompliancereports.aquasecurity.github.io -n trivy-system

Add your own Benchmark scans through Built-in Configuration Audit Policies to the Trivy Operator

Our Built-in Configuration Audit Policies enable users to add their own benchmark scans. Upon installing the Trivy Operator, the trivy-operator-policies-config ConfigMap is created in your cluster. This ConfigMap defines any additional audit scans that should be performed:

kubectl get configmap -n trivy-system
kubectl get configmap trivy-operator-policies-config -n trivy-system -o yaml

The configuration for the built-in audit policies can be modified directly in the ConfigMap. Additionally, users can add their own audit policies. The tutorial in the Trivy Operator documentation details how to go about it.

For instance, the following specification checks a Kubernetes cluster against the Kubernetes Pod Security Standard. The YAML manifest can then be used in the trivy-operator-policies-config ConfigMap.

Once you apply the YAML manifest to the trivy-system namespace inside your cluster, a new ConfigAudit report will be generated.

What’s next?

In this blog post, we detailed how you can generate CIS and NSA reports through the Trivy CLI. Benchmark Scans of your infrastructure and workloads can then be automated through the Trivy Operator.

Both projects, Trivy and the Trivy Operator, are open source. If you like those projects, we would highly appreciate it if you could give them a star on GitHub.

Additionally, join the Slack community if you have any questions.

Anais Urlichs
Anaïs is a Developer Advocate at Aqua Security, where she contributes to Aqua’s cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube Channel centered around cloud native technologies. Before joining Aqua, Anais worked as SRE at Civo, a cloud native service provider, where she helped advance the infrastructure for hundreds of tenant clusters. As CNCF ambassador, her passion lies in making tools and platforms more accessible to developers and community members.