Assess a Kubernetes Cluster
Once you've ensured that cnspec can access your Kubernetes environment, you can begin testing. The method you choose depends on your goals:
- For widescale assessment of your Kubernetes infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your Kubernetes security posture.
- To run ad hoc checks against your Kubernetes environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
Assess Kubernetes security with policy-based scanning
The Kubernetes Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Kubernetes security best practices. It checks for misconfigurations across your entire Kubernetes infrastructure.
To scan using the Kubernetes Security by Mondoo policy, run:
cnspec scan k8s
cnspec finds the default policy for Kubernetes and runs a scan based on that policy. It returns a report summarizing the scan results:
→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=20
→ connecting to asset K8s Cluster minikube (api)
███████████████████████████████████████████████████████████████████████████ 100% K8s Cluster minikube
→ connecting to asset kube-system/coredns (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/coredns
→ connecting to asset luna/luna-frontend (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset kube-system/coredns-565d847f94-zxkk2 (k8s-object)
████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94-zxkk2
→ connecting to asset kube-system/etcd-minikube (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/etcd-minikube
→ connecting to asset kube-system/kube-apiserver-minikube (k8s-object)
█████████████████████████████████████████████████████████████████ 100% kube-system/kube-apiserver-minikube
→ connecting to asset kube-system/kube-controller-manager-minikube (k8s-object)
████████████████████████████████████████████████████████ 100% kube-system/kube-controller-manager-minikube
→ connecting to asset kube-system/kube-proxy-cdzrr (k8s-object)
████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy-cdzrr
→ connecting to asset kube-system/kube-scheduler-minikube (k8s-object)
█████████████████████████████████████████████████████████████████ 100% kube-system/kube-scheduler-minikube
→ connecting to asset kube-system/storage-provisioner (k8s-object)
█████████████████████████████████████████████████████████████████████ 100% kube-system/storage-provisioner
→ connecting to asset luna/luna-frontend-7fb96c846b-2k5j7 (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-2k5j7
→ connecting to asset luna/luna-frontend-7fb96c846b-8b94j (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-8b94j
→ connecting to asset luna/luna-frontend-7fb96c846b-jglt9 (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-jglt9
→ connecting to asset luna/postgresql-655d75f54b-btbzv (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-btbzv
→ connecting to asset luna/postgresql-655d75f54b-qhhxv (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-qhhxv
→ connecting to asset kube-system/kube-proxy (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy
→ connecting to asset kube-system/coredns-565d847f94 (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94
→ connecting to asset luna/luna-frontend-7fb96c846b (k8s-object)
███████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b
→ connecting to asset luna/postgresql-655d75f54b (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b
Asset: K8s Cluster minikube
===========================
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.title: "Kubernetes Cluster"
platform.arch: "linux/arm64"
platform.release: "v1.25.3"
Checks:
Asset: kube-system/coredns
==========================
Data queries:
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
Checks:
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not run with hostPID
✓ Pass: Deployments should not bind to a host port
✓ Pass: Deployments should not run with NET_RAW capability
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should request memory
✓ Pass: Deployments should not run in the default namespace
✓ Pass: Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should request CPU
✓ Pass: Pod should not define hostAliases
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should not mount the containerd socket
✕ Fail: F 0 Container should not run as root
✓ Pass: Pod should not run with the default service account
✓ Pass: Container should not allow privilege escalation
✓ Pass: Deployments should mount any host path volumes as read-only
✓ Pass: Deployments should not run Tiller (Helm v2)
✓ Pass: Container should use an immutable root filesystem
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should not run as a privileged container
✓ Pass: Deployments should not run with SYS_ADMIN capability
✓ Pass: Pod should not run with hostNetwork
Asset: kube-system/coredns-565d847f94
=====================================
Data queries:
platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.arch: ""
Checks:
✓ Pass: Container should request CPU
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should configure a livenessProbe
✓ Pass: Pod should not run with hostIPC
✓ Pass: ReplicaSets should not bind to a host port
✓ Pass: ReplicaSets should not run with NET_RAW capability
✓ Pass: Container should have a memory limit
✓ Pass: Container should not allow privilege escalation
✓ Pass: ReplicaSets should mount any host path volumes as read-only
✓ Pass: Container should use an immutable root filesystem
✓ Pass: Container should not run as a privileged container
✓ Pass: Pod should not run with the default service account
✓ Pass: Pod should not run with hostPID
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: ReplicaSets should not run in the default namespace
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Container should request memory
✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
✕ Fail: A 80 Container should have a CPU limit
Asset: kube-system/coredns-565d847f94-zxkk2
===========================================
Data queries:
platform.arch: ""
mondoo.version: "8.11.0"
platform.title: "Kubernetes Pod, Kubernetes Cluster"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.release: ""
Checks:
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pods should have an owner
✓ Pass: Container should not allow privilege escalation
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Workloads should not run in default namespace
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should use an immutable root filesystem
✕ Fail: F 0 Container should not run as root
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Pods should not bind to a host port
✓ Pass: Pod should not run with hostPID
✓ Pass: Pod should not run with the default service account
✓ Pass: Pods should not run Tiller (Helm v2)
✓ Pass: Container should request CPU
✓ Pass: Container should configure a livenessProbe
✓ Pass: Container should have a memory limit
✓ Pass: Pods should not run with NET_RAW capability
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Pods should mount any host path volumes as read-only
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should request memory
Asset: kube-system/etcd-minikube
================================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.release: ""
mondoo.version: "8.11.0"
Checks:
✕ Fail: F 0 Container should not run as root
✕ Fail: D 20 Pods should mount any host path volumes as read-only
✓ Pass: Container should request memory
✓ Pass: Pod should not define hostAliases
✕ Fail: D 20 Pod should not run with hostNetwork
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pod should not run with hostPID
✓ Pass: Pod should not run with hostIPC
✕ Fail: D 20 Pods should not run with NET_RAW capability
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should configure a livenessProbe
✓ Pass: Pod should not run with the default service account
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pods should have an owner
✓ Pass: Container should request CPU
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Container should not allow privilege escalation
✓ Pass: Workloads should not run in default namespace
✕ Fail: A 80 Container should have a CPU limit
. Unknown: Pods should not run Kubernetes dashboard
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should configure a readinessProbe
Asset: kube-system/kube-apiserver-minikube
==========================================
Data queries:
platform.arch: ""
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
Checks:
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should request memory
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pod should not run with hostPID
✓ Pass: Pod should not run with hostIPC
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should configure a livenessProbe
✓ Pass: Container should request CPU
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should have an owner
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Container should not mount the containerd socket
✕ Fail: D 20 Pod should not run with hostNetwork
✕ Fail: F 0 Container should not run as root
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pods should not bind to a host port
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not allow privilege escalation
✓ Pass: Pods should mount any host path volumes as read-only
. Unknown: Pods should not run Tiller (Helm v2)
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pod should not run with the default service account
✕ Fail: D 20 Pods should not run with NET_RAW capability
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: D 20 Container should use an immutable root filesystem
Asset: kube-system/kube-controller-manager-minikube
===================================================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.release: ""
mondoo.version: "8.11.0"
platform.title: "Kubernetes Pod, Kubernetes Cluster"
Checks:
✓ Pass: Pods should not bind to a host port
✕ Fail: D 20 Pods should mount any host path volumes as read-only
✓ Pass: Container should not run as a privileged container
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pod should not run with the default service account
✕ Fail: A 80 Container should request memory
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should configure a livenessProbe
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with hostPID
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pods should not bind to a host port
✕ Fail: D 20 Pods should not run with NET_RAW capability
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: F 0 Container should not run as root
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pods should have an owner
✓ Pass: Container should request CPU
✕ Fail: D 20 Pod should not run with hostNetwork
✓ Pass: Container should not allow privilege escalation
✓ Pass: Pod should not define hostAliases
Asset: kube-system/kube-proxy
=============================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.title: "Kubernetes DaemonSet, Kubernetes Cluster"
platform.release: ""
Checks:
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should not mount the containerd socket
✕ Fail: F 0 Container should not run as root
✓ Pass: DaemonSets should not run with SYS_ADMIN capability
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: D 20 Pod should not run with hostNetwork
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with the default service account
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should not allow privilege escalation
✓ Pass: DaemonSets should not run in the default namespace
✓ Pass: Pod should not define hostAliases
✕ Fail: D 20 DaemonSets should not run with NET_RAW capability
✓ Pass: Pod should not run with hostPID
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should request CPU
✕ Fail: D 20 DaemonSets should mount any host path volumes as read-only
✕ Fail: F 0 Container should not run as a privileged container
✕ Fail: A 80 Container should request memory
✓ Pass: DaemonSets should not bind to a host port
Asset: kube-system/kube-proxy-cdzrr
===================================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.release: ""
platform.title: "Kubernetes Pod, Kubernetes Cluster"
Checks:
✓ Pass: Pod should not run with the default service account
. Unknown: Pods should not run Tiller (Helm v2)
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pods should not run with SYS_ADMIN capability
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: D 20 Pods should mount any host path volumes as read-only
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Pod should not run with hostPID
✕ Fail: A 80 Container should request memory
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pods should not bind to a host port
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: D 20 Container should use an immutable root filesystem
✕ Fail: A 80 Container should request CPU
✓ Pass: Pod should not define hostAliases
✕ Fail: D 20 Pod should not run with hostNetwork
✓ Pass: Container should not allow privilege escalation
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Container should not mount the containerd socket
✕ Fail: D 20 Pods should not run with NET_RAW capability
✓ Pass: Pods should have an owner
✓ Pass: Pods should not bind to a host port
✓ Pass: Pod should not run with hostIPC
✕ Fail: F 0 Container should not run as root
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: F 0 Container should not run as a privileged container
✓ Pass: Workloads should not run in default namespace
Asset: kube-system/kube-scheduler-minikube
==========================================
Data queries:
platform.release: ""
platform.title: "Kubernetes Pod, Kubernetes Cluster"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.arch: ""
mondoo.version: "8.11.0"
Checks:
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: D 20 Pods should not run with NET_RAW capability
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pods should not bind to a host port
✕ Fail: D 20 Pod should not run with hostNetwork
✓ Pass: Pod should not run with the default service account
✓ Pass: Workloads should not run in default namespace
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Pods should not bind to a host port
✓ Pass: Pods should mount any host path volumes as read-only
✓ Pass: Container should request CPU
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pod should not run with hostPID
✕ Fail: A 80 Container should configure a readinessProbe
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pods should have an owner
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Container should not run as a privileged container
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not allow privilege escalation
✕ Fail: A 80 Container should request memory
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should configure a livenessProbe
✕ Fail: F 0 Container should not run as root
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with hostIPC
Asset: kube-system/storage-provisioner
======================================
Data queries:
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.release: ""
Checks:
✓ Pass: Pods should not run with SYS_ADMIN capability
. Unknown: Pods should not run Tiller (Helm v2)
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: D 20 Pods should not run with NET_RAW capability
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pods should not bind to a host port
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: D 20 Pods should mount any host path volumes as read-only
. Skipped: Container should configure a readinessProbe
✕ Fail: D 20 Container should use an immutable root filesystem
✕ Fail: D 20 Pod should not run with hostNetwork
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should not mount the Docker socket
. Skipped: Container should configure a livenessProbe
✓ Pass: Pod should not define hostAliases
✕ Fail: A 80 Container should request CPU
✕ Fail: A 80 Container should request memory
✓ Pass: Container should not allow privilege escalation
✓ Pass: Workloads should not run in default namespace
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should not run as a privileged container
✓ Pass: Pod should not run with the default service account
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not run with hostPID
✕ Fail: C 50 Pods should have an owner
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not mount the containerd socket
Asset: luna/luna-frontend
=========================
Data queries:
platform.arch: ""
platform.release: ""
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
Checks:
✓ Pass: Pod should not run with hostNetwork
✕ Fail: A 80 Container should request CPU
✓ Pass: Deployments should not run in the default namespace
✕ Fail: A 80 Container should request memory
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should not mount the Docker socket
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pod should not run with the default service account
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Pod should not run with hostIPC
✓ Pass: Deployments should not bind to a host port
✓ Pass: Pod should not define hostAliases
✓ Pass: Pod should not run with hostPID
✕ Fail: D 20 Container should use an immutable root filesystem
✕ Fail: D 20 Deployments should not run with NET_RAW capability
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Container should not allow privilege escalation
. Unknown: Deployments should not run Tiller (Helm v2)
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Deployments should mount any host path volumes as read-only
✓ Pass: Container should not run as a privileged container
✓ Pass: Deployments should not run with SYS_ADMIN capability
Asset: luna/luna-frontend-7fb96c846b
====================================
Data queries:
mondoo.version: "8.11.0"
platform.arch: ""
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
Checks:
✕ Fail: A 80 Container should have a memory limit
✕ Fail: A 80 Container should request CPU
✓ Pass: Pod should not run with hostPID
✕ Fail: D 20 ReplicaSets should not run with NET_RAW capability
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: ReplicaSets should not run in the default namespace
✕ Fail: A 80 Container should request memory
✓ Pass: Pod should not run with hostIPC
✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Container should not allow privilege escalation
✕ Fail: F 0 Container should not run as root
✓ Pass: Pod should not define hostAliases
✓ Pass: Pod should not run with the default service account
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Container should not mount the Docker socket
✓ Pass: ReplicaSets should mount any host path volumes as read-only
✓ Pass: ReplicaSets should not bind to a host port
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should not run as a privileged container
Asset: luna/luna-frontend-7fb96c846b-2k5j7
==========================================
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.release: ""
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.arch: ""
mondoo.version: "8.11.0"
Checks:
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pod should not run with hostIPC
✓ Pass: Workloads should not run in default namespace
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should not allow privilege escalation
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Pod should not run with hostNetwork
✕ Fail: A 80 Container should have a memory limit
✕ Fail: F 0 Container should not run as root
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Pod should not run with hostPID
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pods should mount any host path volumes as read-only
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: A 80 Container should request CPU
✓ Pass: Container should not run as a privileged container
✕ Fail: D 20 Pods should not run with NET_RAW capability
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Pod should not define hostAliases
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: A 80 Container should request memory
✓ Pass: Pods should not bind to a host port
✕ Fail: B 70 Pod should not run with the default service account
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Pods should have an owner
Asset: luna/luna-frontend-7fb96c846b-8b94j
==========================================
Data queries:
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.arch: ""
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.release: ""
Checks:
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should have a memory limit
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: B 70 Pod should not run with the default service account
✓ Pass: Pod should not run with hostNetwork
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Container should not allow privilege escalation
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: D 20 Pods should not run with NET_RAW capability
. Unknown: Pods should not run Tiller (Helm v2)
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should request memory
✓ Pass: Pods should have an owner
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pod should not run with hostIPC
✓ Pass: Container should not mount the Docker socket
✓ Pass: Pod should not run with hostPID
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Pods should mount any host path volumes as read-only
✕ Fail: A 80 Container should request CPU
✓ Pass: Pod should not define hostAliases
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not run as a privileged container
✕ Fail: A 80 Container should have a CPU limit
Asset: luna/luna-frontend-7fb96c846b-jglt9
==========================================
Data queries:
platform.arch: ""
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes Pod, Kubernetes Cluster"
mondoo.version: "8.11.0"
Checks:
✕ Fail: D 20 Pods should not run with NET_RAW capability
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: A 80 Container should request memory
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pods should have an owner
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Pod should not define hostAliases
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pod should not run with hostNetwork
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a memory limit
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should not run with SYS_ADMIN capability
✕ Fail: B 70 Pod should not run with the default service account
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should request CPU
✓ Pass: Pods should mount any host path volumes as read-only
✓ Pass: Container should not allow privilege escalation
✓ Pass: Pods should not bind to a host port
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pod should not run with hostPID
Asset: luna/postgresql
======================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
mondoo.version: "8.11.0"
platform.release: ""
Checks:
✓ Pass: Deployments should not bind to a host port
✕ Fail: A 80 Container should request memory
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Pod should not define hostAliases
. Unknown: Deployments should not run Tiller (Helm v2)
✓ Pass: Deployments should mount any host path volumes as read-only
✓ Pass: Deployments should not run with SYS_ADMIN capability
✓ Pass: Deployments should not run in the default namespace
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: F 0 Container should not run as root
✕ Fail: D 20 Deployments should not run with NET_RAW capability
✕ Fail: A 80 Container should have a memory limit
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should request CPU
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Pod should not run with hostIPC
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should not mount the containerd socket
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pod should not run with hostPID
✓ Pass: Container should not run as a privileged container
✓ Pass: Container should not allow privilege escalation
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Pod should not run with the default service account
✕ Fail: A 80 Container should configure a readinessProbe
Asset: luna/postgresql-655d75f54b
=================================
Data queries:
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.arch: ""
platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
platform.release: ""
Checks:
✓ Pass: Container should not run as a privileged container
✓ Pass: Pod should not run with hostPID
✕ Fail: A 80 Container should request memory
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Pod should not define hostAliases
✓ Pass: ReplicaSets should not bind to a host port
✓ Pass: Pod should not run with hostNetwork
✓ Pass: ReplicaSets should mount any host path volumes as read-only
✕ Fail: A 80 Container should have a memory limit
✓ Pass: ReplicaSets should not run with SYS_ADMIN capability
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: D 20 Container should use an immutable root filesystem
✕ Fail: D 20 ReplicaSets should not run with NET_RAW capability
✓ Pass: ReplicaSets should not run in the default namespace
✓ Pass: Container should not mount the containerd socket
✓ Pass: Container should not allow privilege escalation
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should request CPU
✕ Fail: A 80 Container should configure a livenessProbe
✓ Pass: Pod should not run with hostIPC
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pod should not run with the default service account
Asset: luna/postgresql-655d75f54b-btbzv
=======================================
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes Pod, Kubernetes Cluster"
mondoo.version: "8.11.0"
platform.release: ""
platform.arch: ""
Checks:
✕ Fail: C 40 Container image pull should be consistent
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Pods should mount any host path volumes as read-only
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should have an owner
. Unknown: Pods should not run Tiller (Helm v2)
✕ Fail: A 80 Container should request memory
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: B 70 Pod should not run with the default service account
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: D 20 Pods should not run with NET_RAW capability
✓ Pass: Pod should not run with hostNetwork
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Pod should not run with hostPID
✓ Pass: Container should not mount the containerd socket
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not allow privilege escalation
✕ Fail: A 80 Container should request CPU
✓ Pass: Pods should not bind to a host port
✕ Fail: F 0 Container should not run as root
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pods should not run with SYS_ADMIN capability
✓ Pass: Pod should not run with hostIPC
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: D 20 Container should use an immutable root filesystem
Asset: luna/postgresql-655d75f54b-qhhxv
=======================================
Data queries:
platform.release: ""
mondoo.version: "8.11.0"
platform.title: "Kubernetes Pod, Kubernetes Cluster"
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
Checks:
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pods should not bind to a host port
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Pods should not run with SYS_ADMIN capability
✕ Fail: F 0 Container should not run as root
✓ Pass: Pods should mount any host path volumes as read-only
✓ Pass: Container should not mount the Docker socket
✕ Fail: C 40 Container image pull should be consistent
. Unknown: Pods should not run Tiller (Helm v2)
✓ Pass: Pod should not run with hostPID
✓ Pass: Pod should not define hostAliases
✓ Pass: Pod should not run with hostIPC
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: A 80 Container should request memory
✓ Pass: Container should not mount the containerd socket
✓ Pass: Workloads should not run in default namespace
✓ Pass: Pods should not bind to a host port
✓ Pass: Container should not run as a privileged container
✓ Pass: Pods should have an owner
✓ Pass: Container should not allow privilege escalation
✕ Fail: B 70 Pod should not run with the default service account
✕ Fail: A 80 Container should request CPU
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should not mount the CRI-O socket
✕ Fail: D 20 Pods should not run with NET_RAW capability
To see scan results in full detail, run:
cnspec scan k8s -o full
You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.
Test Kubernetes with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your Kubernetes environment, enter:
cnspec shell k8s
cnquery automatically discovers all the Kubernetes assets available to query:
→ resolved assets resolved-assets=20
Available assets
8. luna/luna-frontend-7fb96c846b-2k5j7 (k8s-pod)
> 9. luna/luna-frontend-7fb96c846b-8b94j (k8s-pod)
10. luna/luna-frontend-7fb96c846b-jglt9 (k8s-pod)
11. kube-system/kube-controller-manager-minikube (k8s-pod)
12. kube-system/kube-proxy-cdzrr (k8s-pod)
13. kube-system/kube-scheduler-minikube (k8s-pod)
14. kube-system/storage-provisioner (k8s-pod)
•••
Arrow through the list and select Enter to choose the asset you want to explore.
Discover capabilities with the help command
Once inside the shell, use the help command to learn what Kubernetes resources you can test. This command lists all the Kubernetes resources:
help k8s
From the resulting list, you can drill down further. For example, enter this command to list all the Kubernetes service resources you can test:
help k8s.service
From the resulting list, you can drill down even further. You can also learn about available Kubernetes resources in the Mondoo Kubernetes (K8s) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Ensure that Pods aren't managed by HostAliases
This test assures that DNS entries aren't managed locally using /etc/hosts within Pods:
k8s.pod { podSpec['hostAliases'] == null }
If the test passes (no Pods are managed using HostAliases), cnspec returns ok. If the test fails (one or more Pods are managed using HostAliases), cnspec provides details about the failure.
Test workload management
This test asserts that you don't run any workloads in the default namespace:
k8s.pods { namespace != "default" }
cnspec lists the individual Pod results:
k8s.pods: [
0: {
namespace != "default": false
}
1: {
namespace != "default": true
}
2: {
namespace != "default": true
}
3: {
namespace != "default": true
}
...
]
Specify fields to include in results
If you need more information in the results, specify the fields you want in braces. For example, this is the same test as above, but also asks for each Pod's ID, name, date created, and namespace:
k8s.pods { namespace != "default" id name created namespace }
cnspec returns detailed results like this:
k8s.pods: [
0: {
namespace: "default"
name: "coredns-565d847f94-zxkk2"
created: 2022-12-14 15:17:51 -0800 PST
id: "pod:kube-system:coredns-565d847f94-zxkk2"
namespace != "default": false
}
1: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-2k5j7"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-2k5j7"
namespace != "default": true
}
2: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-8b94j"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-8b94j"
namespace != "default": true
}
3: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-jglt9"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-jglt9"
namespace != "default": true
}
...
]
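The two tests above (the HostAliases check and the default-namespace check) can be combined in a single query with the fields you want reported, in the same way the field projection above works. This is an added example, not a query from the cnspec docs; it assumes the podSpec['hostAliases'] field and the block syntax shown above behave the same when several assertions are listed together.

```mql
# Constructed example: assert both properties on every Pod and report
# name and namespace alongside each result, so a failing Pod can be
# identified directly in the shell output.
k8s.pods {
  namespace != "default"
  podSpec['hostAliases'] == null
  name
  namespace
}
```

Each entry in the returned list shows both assertion results, so a Pod that fails either check is visible in one pass rather than in two separate queries.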
Learn more about writing tests against Kubernetes clusters
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.
Exit the cnspec shell
To exit the cnspec shell, either press Ctrl + D or type exit.
Next step
Now that you've scanned your Kubernetes environment and run tests using the cnquery shell, you're ready to dive deeper and test Kubernetes manifests.