Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations, privilege escalation risks, and deviations from security best practices.
Kubesec is an open-source security risk analysis tool developed by ControlPlane that inspects Kubernetes resource manifests for common exploitable risks such as privilege escalation, writable host mounts, and excessive capabilities. It assigns a numerical security score to each resource and provides actionable recommendations for hardening. Kubesec can be used as a CLI binary, Docker container, kubectl plugin, admission webhook, or REST API endpoint.
Kubesec assigns each Kubernetes resource a score based on the security checks it passes or fails; the per-check breakdown appears in the JSON output shown below.
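# Linux/macOS (this asset is the Linux amd64 build; pick the matching
# kubesec_<os>_<arch> asset from the same release for other platforms).
# Download to a temp file rather than piping the archive straight into
# /usr/local/bin, so it can be checked before anything lands on the PATH.
kubesec_version="<release tag to pin, e.g. vX.Y.Z>"      # pin a release instead of "latest"
expected_sha256="<sha256 from the release's published checksums>"
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT
# -f: treat an HTTP error as a failure instead of saving the error page as the archive
curl -sSfL -o "$tmpdir/kubesec.tar.gz" \
  "https://github.com/controlplaneio/kubesec/releases/download/${kubesec_version}/kubesec_linux_amd64.tar.gz"
# Refuse to install if the download does not match the published checksum.
actual_sha256=$(sha256sum "$tmpdir/kubesec.tar.gz" | cut -d' ' -f1)   # macOS: shasum -a 256
[[ "$actual_sha256" == "$expected_sha256" ]] || { printf 'checksum mismatch\n' >&2; exit 1; }
tar -xzf "$tmpdir/kubesec.tar.gz" -C /usr/local/bin/ kubesec
# Verify installation
kubesec version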
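# Pull the image. "v2" is a floating tag; for a reproducible, tamper-evident
# install pin the digest instead: kubesec/kubesec@sha256:<digest from your registry>
image="kubesec/kubesec:v2"
docker pull "$image"
# Scan a manifest file. The manifest is fed over stdin; --rm discards the
# container after the scan instead of leaving a stopped one behind on every run.
docker run -i --rm "$image" scan /dev/stdin < deployment.yaml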
# Install the kubectl plugin via krew, then scan a live object read from the
# cluster rather than a manifest file on disk.
kubectl krew install kubesec-scan
pod_name="mypod"
pod_namespace="default"
kubectl kubesec-scan pod "$pod_name" -n "$pod_namespace"
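# Scan a deployment manifest
kubesec scan deployment.yaml
# Scan with JSON output (machine-readable form for CI gates and tooling)
kubesec scan -o json deployment.yaml
# Scan from stdin: "-" reads the manifest from standard input, so redirect the
# file directly instead of spawning cat to copy it through a pipe.
kubesec scan - < pod.yaml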
[
{
"object": "Pod/web-app.default",
"valid": true,
"fileName": "pod.yaml",
"message": "Passed with a score of 3 points",
"score": 3,
"scoring": {
"passed": [
{
"id": "ReadOnlyRootFilesystem",
"selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
"reason": "An immutable root filesystem prevents applications from writing to their local disk",
"points": 1
},
{
"id": "RunAsNonRoot",
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user",
"points": 1
},
{
"id": "LimitsCPU",
"selector": "containers[] .resources .limits .cpu",
"reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
"points": 1
}
],
"advise": [
{
"id": "ApparmorAny",
"selector": "metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
"reason": "Well defined AppArmor policies reduce the attack surface of the container",
"points": 3
},
{
"id": "ServiceAccountName",
"selector": ".spec .serviceAccountName",
"reason": "Service accounts restrict Kubernetes API access and should be configured",
"points": 3
}
]
}
}
]
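# Scan all YAML files in a directory.
# nullglob stops the loop from running once on the literal pattern when there is
# no match; a scan that returns non-zero is recorded but does not stop the
# remaining files from being scanned.
shopt -s nullglob
scan_failed=0
for file in manifests/*.yaml manifests/*.yml; do
  printf '=== Scanning %s ===\n' "$file"
  kubesec scan "$file" || scan_failed=1
done
shopt -u nullglob
(( scan_failed == 0 )) || printf 'one or more scans returned a non-zero status\n' >&2
# Scan multi-document YAML (a single file holding several resources)
kubesec scan multi-resource.yaml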
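# Scan via the public API. The manifest is sent to a third-party service, so do
# not post files that embed Secret data, internal hostnames or other details you
# would not share outside your environment; use the local server below for those.
# -f makes curl exit non-zero on an HTTP error instead of printing the error body
# as if it were a scan result.
curl -sSfX POST --data-binary @deployment.yaml \
  https://v2.kubesec.io/scan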
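# Run a local API server in the background; keep its PID so it can be stopped
# later with kill "$kubesec_pid". Confirm which interface it listens on before
# running it on a shared host.
kubesec http --port 8080 &
kubesec_pid=$!
# Scan against local server. The server may not be accepting connections yet
# when the next line runs, so retry on refused connections rather than failing
# on the startup race; -f turns an HTTP error into a non-zero exit.
curl -sSfX POST --retry 5 --retry-delay 1 --retry-connrefused \
  --data-binary @deployment.yaml \
  http://localhost:8080/scan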