KubeClarity – Cloud-Native Security Scanning


Written by Ryan Dardis, Cloud Native Engineer @ Red Kubes

KubeClarity is the latest integrated app to be added to Otomi and can be installed via drag-and-drop to get you running scans in minutes — check us out on GitHub and give us a star to keep up to date with all our latest apps and features!

KubeClarity available as a drag-and-drop app in Otomi

KubeClarity by Cisco’s OpenClarity is one of the next generation of security scanning tools. It lets you perform fine-grained security scans of your K8s runtime, as well as container image scanning and pre-deploy CI/CD scanning. The result is a comprehensive list of vulnerabilities and remediations that provides insight into your current security posture and the steps needed to plug any leaks. Unlike many of its competitors, the app comes with no strings attached, i.e. no registration requirements — this is important as some (particularly large businesses) may be uncomfortable sharing vulnerability reports with a third party.

KubeClarity UI included in their Helm chart

KubeClarity is complemented by a simple and intuitive UI allowing users to drill down on specific applications or view shared vulnerabilities system-wide:

Application vulnerability view

CVE overview

It is completely free and open-source, and due to its rigorous scanning feature set and ease of use it came out on top versus similar tools during our analysis. It is not, however, without its disadvantages when compared to tools like Starboard Operator or Kubescape:

Pros:

  • Integrated UI
  • No login/signup requirement
  • No sharing of reports with 3rd parties
  • CVE descriptions and links to remediations
  • Extensive scanning capability
  • Can be run as part of CI/CD
  • Extremely easy to deploy

Cons:

  • No real-time scanning — although this is mitigated by the ability to schedule regular scans or run during CI/CD
  • Lacking Prometheus output formatting
  • Helm chart is lacking some polish

At the time of writing it is clear that KubeClarity is still a work in progress, but even at this early stage it is a very capable piece of software — in fact we are using it ourselves to help make our own application, Otomi, more secure while also giving us the ability to monitor vulnerability status over time and prevent regressions.

Their GitHub is very active with releases happening every month or so, and we found their devs to be very responsive to issues and feature requests — we have no doubt that KubeClarity will mature into a gold-standard product and it is our pleasure to offer it as part of the Otomi Stack.
