Scanning KBOM for Vulnerabilities with Trivy
Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our popular all-in-one open source security scanner. In that post we described the KBOM as the manifest of all the important components that make up your Kubernetes cluster: control plane components, node components, and addons, including their versions and images.
Kubernetes is complex, and most administrators are not fully aware of all the individual components that make up their cluster. Just as an SBOM is significant for your application security, a KBOM is significant for your infrastructure security. Without it you are scanning your applications for vulnerabilities, but not your infrastructure. Below we share the next phase of using KBOMs to secure your Kubernetes cluster components: scanning your core Kubernetes architecture for vulnerabilities.
KBOM in Vulnerability scanning
Currently, Software Bills of Material (SBOM) can provide an overview of the artefacts used in container images and filesystems, including libraries and other third-party resources. However, the same tooling used to create SBOMs cannot provide an inventory of the core Kubernetes components, nor scan them for vulnerabilities. Infrastructure scanning usually analyzes the configuration of the Kubernetes cluster to identify misconfigurations. Similarly, in-cluster vulnerability scanners focus on vulnerabilities in workloads and third-party applications installed on the cluster, but cannot analyze the architecture components themselves for vulnerabilities.
This is where a KBOM is crucial.
KBOMs (Kubernetes Bills of Material) provide an inventory of all the components that run and manage the Kubernetes cluster and its workloads. The Kubernetes documentation provides a list of these components. Once all the cluster components are listed in the KBOM, it is possible to scan the libraries used within them for vulnerabilities.
Trivy’s Kubernetes vulnerability scanning uses the KBOM to help users understand how their cluster security changes over time, identify security issues, and know when to upgrade cluster components. This provides the initial steps for creating the first complete Kubernetes Vulnerability Scanner.
Generating KBOM and scanning a KBOM for Vulnerabilities
Generating a KBOM and scanning it for vulnerabilities requires access to a working Kubernetes cluster through the KUBECONFIG file. The generated KBOM needs to be saved to a separate file, which is done with the `--output` flag; otherwise, the KBOM is simply printed as CLI output.
The KBOM can then be generated with the following command:
`trivy k8s cluster --format cyclonedx --output kbom.json`
This produces a CycloneDX KBOM and saves it to the kbom.json file. During the scan, Trivy analyses the packages used in the core Kubernetes components: the control plane, the data plane, and any Kubernetes addons that run as Pods. Note that this does not include workloads and other application resources; an SBOM of those can be generated separately through the Trivy Operator.
The Kubernetes Vulnerability Database
Usually, the vulnerability information used in Trivy container image scans is taken from official advisories, such as those published by Ubuntu and Red Hat, who provide vulnerability information for their own systems.
For Kubernetes vulnerabilities, the initial information was taken from the Kubernetes vulnerability feed. However, that feed is not in a state and format that makes it directly usable, since its entries are shared as markdown text with varying levels of detail.
As a result, to enable Kubernetes vulnerability scanning in Trivy, we have created the Kubernetes Vulnerability Database based on the official vulnerability feed. This database provides an easier way for third-party tools, such as Trivy's Kubernetes vulnerability scanning, to consume the information, and it will be maintained by Aqua Security.
KBOM Vulnerability Scanning
Once the KBOM is saved to a separate file, it can be used as the target for Trivy vulnerability scanning, like any other SBOM scanned with Trivy. In the future, we will streamline this by letting you scan a Kubernetes cluster for vulnerabilities in one step.
To do so, run the following command:
`trivy sbom kbom.json`
With this information available, it is possible to monitor the security of the Kubernetes cluster over time.
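As an added example (not part of the original post or of the Trivy project), the script below compares two saved reports from `trivy sbom kbom.json --format json` taken at different times and classifies each finding as fixed, new or persisting, then derives the worst severity still present for use as an upgrade or CI gate. The report shape follows Trivy's JSON output (Results containing Vulnerabilities); the component targets, versions and CVE IDs embedded here are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample reports in the shape of Trivy's JSON output from
# `trivy sbom kbom.json --format json` (Results[] -> Vulnerabilities[]).
# Targets, versions and CVE IDs are placeholders, not real advisories.
SCAN_BEFORE = json.loads("""{"Results": [
  {"Target": "k8s.io/kube-apiserver", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "k8s.io/kube-apiserver",
     "InstalledVersion": "1.26.4", "FixedVersion": "1.26.8", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "k8s.io/kube-apiserver",
     "InstalledVersion": "1.26.4", "FixedVersion": "", "Severity": "MEDIUM"}]},
  {"Target": "k8s.io/kubelet", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "k8s.io/kubelet",
     "InstalledVersion": "1.26.4", "FixedVersion": "1.26.8", "Severity": "CRITICAL"}]}]}""")
SCAN_AFTER = json.loads("""{"Results": [
  {"Target": "k8s.io/kube-apiserver", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "k8s.io/kube-apiserver",
     "InstalledVersion": "1.26.8", "FixedVersion": "", "Severity": "MEDIUM"}]},
  {"Target": "k8s.io/kubelet", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "k8s.io/kubelet",
     "InstalledVersion": "1.26.8", "FixedVersion": "1.26.9", "Severity": "HIGH"}]}]}""")

def findings(report: dict) -> Dict[Tuple[str, str], dict]:
    """Flatten a report into {(component target, vulnerability ID): record}."""
    out = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when clean
            out[(result["Target"], vuln["VulnerabilityID"])] = vuln
    return out

def diff_scans(before: dict, after: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Classify findings between two snapshots as fixed, new or persisting."""
    old, new = findings(before), findings(after)
    return {"fixed": sorted(old.keys() - new.keys()),
            "new": sorted(new.keys() - old.keys()),
            "persisting": sorted(old.keys() & new.keys())}

def worst_severity(report: dict) -> str:
    """Highest severity present; "NONE" when the report has no findings."""
    present = {v.get("Severity", "UNKNOWN") for v in findings(report).values()}
    rank = lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else 0
    return max(present, key=rank, default="NONE")

if __name__ == "__main__":
    for kind, items in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        print(kind, ", ".join(f"{target} {cve}" for target, cve in items) or "-")
    print("worst severity now:", worst_severity(SCAN_AFTER))
```

Running the same comparison against real reports (load them with `json.load` instead of the embedded samples) gives a per-component change log between two KBOM scans.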
Scanning the Cluster for Vulnerabilities without KBOM
In some cases, users might want to see Kubernetes cluster vulnerabilities without generating and storing a KBOM. For that, we have added functionality to scan the Kubernetes cluster for vulnerabilities directly, in the same way as is done through the KBOM.
What’s Next for Trivy
This is just the start of the Trivy feature set for creating full transparency into Kubernetes cluster vulnerabilities. Next, the vulnerability scanning command will be integrated into the `trivy k8s` command for easier and more streamlined vulnerability scanning. Furthermore, vulnerabilities specific to cloud provider resources will be added, which will make the vulnerability scans more meaningful for each user. Lastly, we plan to support more Kubernetes components as part of the Kubernetes cluster scan.
We highly encourage you to try out Aqua Trivy to generate KBOMs of your Kubernetes cluster and scan the resources used in your cluster for vulnerabilities. We would love to hear your feedback as well as any suggestions on changes that would improve the experience.
For further information, have a look at the Trivy KBOM Documentation.