Aqua Blog

Discover Security Risks with Starboard Extension for Lens Kubernetes IDE

When the Mirantis team announced the Lens Extensions API back in November 2020, we were excited to experiment with it and build an extension for Starboard, our open source Kubernetes native security toolkit. True to DevSecOps principles, the integration makes security reports accessible within Lens IDE, giving you immediate and actionable information about potential security risks in your K8s deployments. Now you can easily view the vulnerability information in your Kubernetes dashboard alongside the workload it is associated with.

What Is the Lens Extensions API?

Lens is a widely used Kubernetes IDE that simplifies working with Kubernetes and helps manage clusters on a daily basis. Aiming to show information beyond the core Kubernetes constructs, the Lens Extensions API makes it possible to add new tabs and screens to Lens, and to work with custom resources. Using it, anyone can code lightweight integrations to enhance and customize Lens for their own tools and workflows.

Extending Lens with Starboard

Our open source project Starboard creates security reports from a variety of tools and vendors and makes them available as custom resources. By extending Lens to display these resources, the integration makes security information easily accessible and actionable for Kubernetes users. Developers who install the extension can view the details of security risks exactly where they belong, alongside the Kubernetes built-in resources to which they apply.

How does this work? For each underlying deployment, Starboard creates a custom resource called a vulnerability report, which is populated by Trivy, Aqua’s open source vulnerability scanner. The vulnerability report can be viewed in Lens as a raw YAML file, but with the extension, we provide an easier-to-use and more contextual picture of each report.

Now, when the Starboard Operator generates a report, Lens will display a summary of vulnerabilities, with more details available. You can link the report to a specific workload, look up the CVEs in our AVD (Aqua Vulnerability Database), or check if there is a fix available. Issues can be fixed by upgrading your container images or vulnerable dependencies.
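The per-workload summary and the "is a fix available" check described above can also be derived directly from the custom resources, which is useful for triage outside Lens. This is an added example, not code from Starboard or the Lens extension; the field and label names are assumed from Starboard's v1alpha1 VulnerabilityReport schema, and the sample report and its vulnerability IDs are constructed placeholders.

```python
from collections import Counter

# Constructed sample shaped like `kubectl get vulnerabilityreports -A -o json`.
# Field/label names are assumptions (Starboard v1alpha1); IDs are placeholders.
SAMPLE = {"items": [{
    "metadata": {"name": "deployment-web-nginx", "namespace": "shop",
                 "labels": {"starboard.resource.kind": "Deployment",
                            "starboard.resource.name": "web",
                            "starboard.container.name": "nginx"}},
    "report": {
        "artifact": {"repository": "library/nginx", "tag": "1.16"},
        "vulnerabilities": [
            {"vulnerabilityID": "CVE-EXAMPLE-0003", "severity": "LOW",
             "resource": "bash", "installedVersion": "5.0", "fixedVersion": "5.0-4"},
            {"vulnerabilityID": "CVE-EXAMPLE-0002", "severity": "HIGH",
             "resource": "libxml2", "installedVersion": "2.9.4", "fixedVersion": ""},
            {"vulnerabilityID": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
             "resource": "openssl", "installedVersion": "1.1.1d", "fixedVersion": "1.1.1g"},
        ]}}]}

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def sev(vuln):
    """Normalize a finding's severity; anything unexpected becomes UNKNOWN."""
    s = str(vuln.get("severity", "")).upper()
    return s if s in SEVERITY_ORDER else "UNKNOWN"

def summarize(report_list):
    """One summary per report: owning workload, image, counts, fixable findings."""
    out = []
    for item in report_list.get("items", []):
        meta, report = item.get("metadata", {}), item.get("report", {})
        labels, artifact = meta.get("labels", {}), report.get("artifact", {})
        vulns = report.get("vulnerabilities") or []
        counts = Counter(sev(v) for v in vulns)  # recount from the findings
        # A non-empty fixedVersion means upgrading the package or image resolves it.
        fixable = sorted((v for v in vulns if v.get("fixedVersion")),
                         key=lambda v: SEVERITY_ORDER.index(sev(v)))
        out.append({
            "workload": "/".join([meta.get("namespace", "?"),
                                  labels.get("starboard.resource.kind", "?"),
                                  labels.get("starboard.resource.name", "?")]),
            "image": f"{artifact.get('repository', '?')}:{artifact.get('tag', '?')}",
            "counts": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
            "fixable": [(sev(v), v.get("vulnerabilityID"), v.get("resource"),
                         v.get("fixedVersion")) for v in fixable],
        })
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
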

Here’s a walkthrough video for the Starboard extension in Lens:

On top of vulnerability reports in Lens, you can also access configuration audit scans that were created by the Starboard Operator, which automatically checks for weaknesses in the configuration of Kubernetes workloads.

Next steps

Our goal is to provide an end-to-end developer experience for finding and fixing security issues in Kubernetes. As the next step in our roadmap, we’d like the Lens extension to perform basic remediation actions. This means automatically applying changes to K8s workloads and tracking the progress of updates in real time.

Also, we plan to integrate kube-bench with the Starboard Operator to automatically run CIS Kubernetes benchmarks on nodes that are added to a Kubernetes cluster.

As always, we can’t wait for you to try it out and share your feedback – give the Lens extension a spin and let us know what you think!

Daniel Pacak
Daniel Pacak is an Open Source Engineer at Aqua Security. He works on Kubernetes and container security related projects, while also taking part in maintaining the CNCF's project, Harbor.