Assess a Kubernetes Cluster
Once you've confirmed that cnspec can reach your Kubernetes cluster, you can begin testing. The method you choose depends on your goals:
- For a broad assessment of your Kubernetes infrastructure, scan using policy bundles. These collections of checks work together to present an overall picture of your Kubernetes security posture.
- To run ad hoc checks against your Kubernetes environment, use cnspec's interactive shell. Its auto-complete guides you through the available resources and fields, which is especially helpful when you're new to cnspec and still learning MQL.
Assess Kubernetes security with policy-based scanning
The Kubernetes Security by Mondoo policy is publicly available in Mondoo's cnspec-policies GitHub repo. This collection of checks evaluates how well your environment follows fundamental Kubernetes security best practices, looking for misconfigurations (such as containers running as root or privileged, host namespaces and host paths, missing resource limits, and mounted container runtime sockets) across every workload cnspec discovers in the cluster.
To scan using the Kubernetes Security by Mondoo policy, run:
cnspec scan k8s
cnspec loads the default Kubernetes policy, connects to the cluster that your current kubeconfig context points at, discovers the cluster and its workloads (jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets) as separate assets, and scans each one against the policy. It returns a report with the data queries and check results for every asset:
→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=20
→ connecting to asset K8s Cluster minikube (api)
███████████████████████████████████████████████████████████████████████████ 100% K8s Cluster minikube
→ connecting to asset kube-system/coredns (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/coredns
→ connecting to asset luna/luna-frontend (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset kube-system/coredns-565d847f94-zxkk2 (k8s-object)
████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94-zxkk2
→ connecting to asset kube-system/etcd-minikube (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/etcd-minikube
→ connecting to asset kube-system/kube-apiserver-minikube (k8s-object)
█████████████████████████████████████████████████████████████████ 100% kube-system/kube-apiserver-minikube
→ connecting to asset kube-system/kube-controller-manager-minikube (k8s-object)
████████████████████████████████████████████████████████ 100% kube-system/kube-controller-manager-minikube
→ connecting to asset kube-system/kube-proxy-cdzrr (k8s-object)
████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy-cdzrr
→ connecting to asset kube-system/kube-scheduler-minikube (k8s-object)
█████████████████████████████████████████████████████████████████ 100% kube-system/kube-scheduler-minikube
→ connecting to asset kube-system/storage-provisioner (k8s-object)
█████████████████████████████████████████████████████████████████████ 100% kube-system/storage-provisioner
→ connecting to asset luna/luna-frontend-7fb96c846b-2k5j7 (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-2k5j7
→ connecting to asset luna/luna-frontend-7fb96c846b-8b94j (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-8b94j
→ connecting to asset luna/luna-frontend-7fb96c846b-jglt9 (k8s-object)
█████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b-jglt9
→ connecting to asset luna/postgresql-655d75f54b-btbzv (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-btbzv
→ connecting to asset luna/postgresql-655d75f54b-qhhxv (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b-qhhxv
→ connecting to asset kube-system/kube-proxy (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/kube-proxy
→ connecting to asset kube-system/coredns-565d847f94 (k8s-object)
██████████████████████████████████████████████████████████████████████ 100% kube-system/coredns-565d847f94
→ connecting to asset luna/luna-frontend-7fb96c846b (k8s-object)
███████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend-7fb96c846b
→ connecting to asset luna/postgresql-655d75f54b (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-655d75f54b
Asset: K8s Cluster minikube
===========================
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.title: "Kubernetes Cluster"
platform.arch: "linux/arm64"
platform.release: "v1.25.3"
Checks:
Asset: kube-system/coredns
==========================
Data queries:
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
Checks:
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not run with hostPID
✓ Pass: Deployments should not bind to a host port
✓ Pass: Deployments should not run with NET_RAW capability
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should request memory
✓ Pass: Deployments should not run in the default namespace
✓ Pass: Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should request CPU
✓ Pass: Pod should not define hostAliases
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should not mount the containerd socket
✕ Fail: F 0 Container should not run as root
✓ Pass: Pod should not run with the default service account
✓ Pass: Container should not allow privilege escalation
✓ Pass: Deployments should mount any host path volumes as read-only
✓ Pass: Deployments should not run Tiller (Helm v2)
✓ Pass: Container should use an immutable root filesystem
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should not run as a privileged container
✓ Pass: Deployments should not run with SYS_ADMIN capability
✓ Pass: Pod should not run with hostNetwork
Asset: kube-system/coredns-565d847f94
=====================================
Data queries:
platform.title: "Kubernetes ReplicaSet, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.arch: ""
Checks:
✓ Pass: Container should request CPU
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should configure a livenessProbe
✓ Pass: Pod should not run with hostIPC
✓ Pass: ReplicaSets should not bind to a host port
✓ Pass: ReplicaSets should not run with NET_RAW capability
✓ Pass: Container should have a memory limit
✓ Pass: Container should not allow privilege escalation
✓ Pass: ReplicaSets should mount any host path volumes as read-only
✓ Pass: Container should use an immutable root filesystem
✓ Pass: Container should not run as a privileged container
✓ Pass: Pod should not run with the default service account
✓ Pass: Pod should not run with hostPID
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: ReplicaSets should not run in the default namespace
✕ Fail: F 0 Container should not run as root
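Two things a practitioner usually wants around this scan are a non-interactive run that fails a pipeline on a bad score, and a way to aggregate the per-asset text report (which, for a real cluster, runs to many more assets than shown here) into a list of which checks fail most often and whether any of them scored an F. The following script is an added example, not code from the cnspec documentation or the Mondoo policy. The cnspec flags and the MQL field names it uses (`-o json`, `--score-threshold`, `cnspec run -c`, `k8s.pods`, `podSpec`) are assumptions about current cnspec releases, not something this page documents; confirm them with `cnspec scan k8s --help` on your version. The sample report embedded at the end is constructed from the failing lines of the excerpt above so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the cnspec docs or the Mondoo policy bundle.
# 1. run `cnspec scan k8s` non-interactively and gate on the score;
# 2. parse the text report into failing checks, aggregated across assets.

# 1. Non-interactive scan. ASSUMPTION: recent cnspec supports -o json and
#    --score-threshold (exit non-zero when the score is below the threshold);
#    verify with `cnspec scan k8s --help`. Output goes to a JSON file so a
#    pipeline can archive it alongside the exit status.
scan_and_gate() {
    min_score=${1:-80}
    report=${2:-k8s-scan.json}
    cnspec scan k8s --score-threshold "$min_score" -o json > "$report"
}

# Ad hoc MQL from a script instead of the interactive shell: pods that share
# the node's network namespace. ASSUMPTION: `cnspec run k8s -c` and the
# k8s.pod fields `podSpec`, `namespace` and `name` exist on your version.
pods_with_host_network() {
    cnspec run k8s -c "k8s.pods.where( podSpec['hostNetwork'] == true ) { namespace name }"
}

# 2. Parse the text report on stdin. Failed checks look like
#      ✕ Fail: F 0 Container should not run as root
#    where the letter is the grade and the number the score. Emit one
#    TAB-separated line per failure: grade, score, check title.
failed_checks() {
    awk '$1 == "✕" && $2 == "Fail:" {
        grade = $3; score = $4
        $1 = $2 = $3 = $4 = ""      # blank the prefix fields
        sub(/^ +/, "")              # strip the spaces they leave behind
        print grade "\t" score "\t" $0
    }'
}

# Which checks fail most often across every asset in the report, most
# frequent first. Useful when the same misconfiguration repeats per workload.
failure_counts() {
    failed_checks | cut -f3 | sort | uniq -c | sort -rn
}

# Succeed (exit 0) if any check scored an F, e.g. a container running as root,
# so a pipeline can block on critical findings even if the overall score passes.
has_critical_failure() {
    failed_checks | grep -q '^F'
}

# Constructed sample: failing lines taken from the report excerpt above,
# for two workloads, so the aggregation has repeats to count.
SAMPLE_REPORT='Checks:
✓ Pass: Container should request memory
✕ Fail: A 80 Container should have a CPU limit
✕ Fail: A 80 Container should have a memory limit
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: F 0 Container should not run as root
Checks:
✓ Pass: Container should request CPU
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: F 0 Container should not run as root'

# Usage against a real cluster (not run here):
#   scan_and_gate 80 report.json || echo "score below threshold"
#   cnspec scan k8s | tee report.txt | failure_counts
#   has_critical_failure < report.txt && echo "critical finding present"
```

Against a real scan, pipe the text output through `failure_counts` to see at a glance that, for example, "Container should not run as root" fails on most workloads, which is a single fix (a `runAsNonRoot` security context) applied in many places rather than many separate problems.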