Comparing the Leading Tools That Scan Against the CIS Kubernetes Benchmark Framework
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...
Dec 6, 2021
Before we released ARMOBest, Kubescape already shipped several security-assessment and compliance frameworks, NSA-CISA and MITRE among them. Naturally, people ask why we need another one, especially one that does not come from a well-known source that some organizations may be required to comply with.
Some frameworks, like MITRE, are designed bottom-up and focus mainly on the infrastructure. Others, like NSA-CISA, are designed top-down and pay more attention to the application side. Either way, gaps in coverage remain.
After implementing several frameworks, we saw these gaps and realized that additional controls were needed. For example, all known frameworks check for the permission to “exec” into containers, but none of them mention “port-forwarding”. Some frameworks require checking the origin and vulnerabilities of container images but do not require a check for container “entry point” overrides, which allow a legitimate image to be used for illegitimate purposes. One may argue that checking for RBAC impersonation permissions is part of the overall “least privilege” principle, but a separate control for it not only finds the problem but also points to the precise place to remediate it.
The ARMOBest framework provides several verifications that other frameworks overlook. It is designed by our experts with deep knowledge of Kubernetes, Linux, containers, and security in general, and it looks at problems that cross domain-expertise boundaries.
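To make the three controls named above concrete, here is an added example (not ARMOBest's own rule code, which Kubescape expresses in Rego) that scans Role/ClusterRole and Pod objects, in the JSON shape `kubectl get ... -o json` returns, for port-forward and exec grants, RBAC impersonation rights, and container entrypoint overrides. The function names, the `CHECKS` table and the sample objects at the bottom are constructed for this illustration; the resource and verb names are the real Kubernetes RBAC ones.

```python
"""Flag RBAC grants and pod specs that the controls discussed above care about.
Input objects follow the Kubernetes JSON schema (kind, metadata, rules, spec).
The sample objects at the bottom are constructed so the script runs offline."""

WILDCARD = "*"

# (control name, core-group resource, verbs that are a finding). Constructed
# table for this example; "pods/portforward", "pods/exec" and the impersonate
# verb on users/groups/serviceaccounts are the real RBAC identifiers.
CHECKS = [
    ("port-forward-access", "pods/portforward", ("create",)),
    ("exec-access", "pods/exec", ("create",)),
    ("impersonation", "users", ("impersonate",)),
    ("impersonation", "groups", ("impersonate",)),
    ("impersonation", "serviceaccounts", ("impersonate",)),
]


def _grants(rule, resource, verbs):
    """True if one RBAC rule allows any of `verbs` on `resource` in the core
    API group. A "*" in apiGroups, resources or verbs matches everything, so
    wildcard rules are reported as well (they are usually the real problem)."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and WILDCARD not in groups:
        return False
    resources = rule.get("resources", [])
    if resource not in resources and WILDCARD not in resources:
        return False
    rule_verbs = rule.get("verbs", [])
    return WILDCARD in rule_verbs or any(v in rule_verbs for v in verbs)


def scan_rbac(roles):
    """Return (control, 'Kind/name', resource) for every matching rule, so a
    finding points at the exact role to fix rather than just 'too much RBAC'."""
    findings = []
    for role in roles:
        name = f"{role['kind']}/{role['metadata']['name']}"
        for rule in role.get("rules", []):
            for control, resource, verbs in CHECKS:
                if _grants(rule, resource, verbs):
                    findings.append((control, name, resource))
    return findings


def scan_entrypoint_overrides(pods):
    """Return (pod, container, image, overridden keys) for containers whose
    manifest replaces the image's own ENTRYPOINT/CMD via `command` or `args`.
    An override is not always wrong, but it deserves review: the image that was
    vetted may not be the program that actually runs."""
    findings = []
    for pod in pods:
        spec = pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            overridden = tuple(k for k in ("command", "args") if k in c)
            if overridden:
                findings.append((pod["metadata"]["name"], c["name"], c["image"], overridden))
    return findings


# Constructed sample objects (not taken from any real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "support"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.21"}]}},
    {"metadata": {"name": "worker"},
     "spec": {"containers": [{"name": "tool", "image": "busybox:1.34",
                              "command": ["sh", "-c"], "args": ["sleep 3600"]}]}},
]

if __name__ == "__main__":
    for finding in scan_rbac(SAMPLE_ROLES):
        print("RBAC:", finding)
    for finding in scan_entrypoint_overrides(SAMPLE_PODS):
        print("ENTRYPOINT:", finding)
```

On the sample input the RBAC scan reports the `debugger` role for port-forward and the `support` ClusterRole twice for impersonation (users and groups), while the read-only `viewer` role is clean; the pod scan reports only the `worker` container that overrides both `command` and `args`. Feeding it real output from `kubectl get roles,clusterroles -A -o json` and `kubectl get pods -A -o json` (after extracting the `items` arrays) is the intended use.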
ARMOBest checks for critical K8s vulnerabilities you should worry about.
We monitor the latest Kubernetes vulnerability reports and add them to the ARMOBest framework as soon as they are published. A verification control for the latest one, CVE-2021-25742, was released within a few hours of the official CVE publication, and we will continue to do so.
The ARMOBest framework includes distinctive controls that can’t be found in any other framework:
In addition, the ARMOBest framework includes all the security-focused controls from the other frameworks, which makes it more suitable for deeper posture verification. Of course, if customers must check compliance readiness against a specific well-known framework, they should scan using that framework.
We will continuously extend the ARMOBest framework with new findings, combining the field experience we gather with our users and all known vulnerability sources. We welcome everybody to collaborate with us and let your knowledge help others. So maybe eventually we will rename this framework to WORLDBest… 😊