Assess a Kubernetes Manifest

Use cnspec to scan Kubernetes manifests for security and best practices. You can assess manifests using the same policies that you rely on for testing your live clusters.

To scan a Kubernetes manifest, you need a Kubernetes policy. If you haven't already downloaded the Kubernetes Security by Mondoo policy, do so now.

From the directory where you downloaded the policy, run:

cnspec scan k8s MANIFESTFILE

For MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:

cnspec scan k8s luna-postgres.yml

cnspec returns a report summarizing the scan results.

Show or hide example scan results.

→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=3
→ connecting to asset K8s Manifest luna-postgres (code)

██████████████████████████████████████████████████████████████████████████ 100% K8s Manifest luna-postgres
→ connecting to asset luna/postgresql (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/postgresql-secondary (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-secondary


Asset: K8s Manifest luna-postgresql
===================================
Data queries:
mondoo.version: "8.11.0"
platform.title: "Kubernetes Manifest"
platform.release: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""

Checks:

Asset: luna/postgresql
======================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
mondoo.version: "8.11.0"
platform.release: ""

Checks:
✓ Pass:  Pod should not run with hostNetwork
✓ Pass:  Deployments should not run in the default namespace
✕ Fail:  A  80  Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail:  F   0  Container should not run as root
✓ Pass:  Container should not allow privilege escalation
✕ Fail:  C  40  Container image pull should be consistent
✕ Fail:  A  80  Container should have a memory limit
✕ Fail:  D  20  Container should use an immutable root filesystem
✓ Pass:  Pod should not run with hostIPC
✕ Fail:  A  80  Container should configure a readinessProbe
✕ Fail:  D  20  Deployments should not run with NET_RAW capability
✓ Pass:  Container should not mount the CRI-O socket
✓ Pass:  Deployments should not run with SYS_ADMIN capability
✓ Pass:  Deployments should mount any host path volumes as read-only
✕ Fail:  A  80  Container should have a CPU limit
✓ Pass:  Deployments should not bind to a host port
✓ Pass:  Pod should not define hostAliases
✓ Pass:  Container should not mount the Docker socket
✕ Fail:  A  80  Container should request memory
. Unknown: Deployments should not run Tiller (Helm v2)
✓ Pass:  Container should not run as a privileged container
✓ Pass:  Container should not mount the containerd socket
✕ Fail:  A  80  Container should request CPU
✓ Pass:  Pod should not run with hostPID
✓ Pass:  Pod should not run with the default service account

Asset: luna/postgresql-secondary
================================
Data queries:
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
platform.release: ""

Checks:
✓ Pass:  Deployments should not run with SYS_ADMIN capability
✕ Fail:  F   0  Container should not run as root
✕ Fail:  A  80  Container should request memory
✓ Pass:  Pod should not run with hostPID
✕ Fail:  A  80  Container should have a memory limit
✓ Pass:  Pod should not run with hostNetwork
✓ Pass:  Container should not mount the CRI-O socket
✓ Pass:  Container should not run as a privileged container
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass:  Pod should not run with the default service account
✕ Fail:  D  20  Container should use an immutable root filesystem
✓ Pass:  Deployments should mount any host path volumes as read-only
. Unknown: Deployments should not run Tiller (Helm v2)
✕ Fail:  A  80  Container should configure a readinessProbe
✕ Fail:  A  80  Container should have a CPU limit
✓ Pass:  Container should not allow privilege escalation
✕ Fail:  D  20  Deployments should not run with NET_RAW capability
✕ Fail:  C  40  Container image pull should be consistent
✓ Pass:  Deployments should not bind to a host port
✕ Fail:  A  80  Container should configure a livenessProbe
✕ Fail:  A  80  Container should request CPU
✓ Pass:  Deployments should not run in the default namespace
✓ Pass:  Container should not mount the containerd socket
✓ Pass:  Pod should not run with hostIPC
✓ Pass:  Pod should not define hostAliases
✓ Pass:  Container should not mount the Docker socket

tip

To see scan results in full detail, run:

cnspec scan k8s -o full

Learn more about testing Kubernetes

To learn more about how the MQL query language works, read Write Effective MQL.
For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.

Learn more about testing Kubernetes​

Learn more about testing Kubernetes