Secure Kubernetes Manifests with cnspec
Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines.
Shift Kubernetes security left by scanning manifests before they ever reach a cluster. cnspec evaluates YAML manifests against the same policies you use on live clusters, so you can catch privilege escalations, missing resource limits, and other misconfigurations in pull requests and CI pipelines instead of in production.
Prerequisites
To scan Kubernetes manifests with cnspec, you must have:
- cnspec installed on your workstation
- Kubernetes manifest files (.yml or .yaml) on your local system to scan
Scan a Kubernetes manifest
Run:
cnspec scan k8s MANIFESTFILE
For MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:
cnspec scan k8s luna-postgres.yml
cnspec returns a report summarizing the scan results:
→ discover related assets for 1 asset(s)
→ discovery option auto detected: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=3
→ connecting to asset K8s Manifest luna-postgres (code)
→ connecting to asset luna/postgresql (k8s-object)
→ connecting to asset luna/postgresql-secondary (k8s-object)
Asset: luna/postgresql
======================
Checks:
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Deployments should not run in the default namespace
✕ Fail: A 80 Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not allow privilege escalation
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a memory limit
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Container should not mount the CRI-O socket
Summary
=======
Score: B 72/100
To see scan results in full detail, run:
cnspec scan k8s -o full
Learn more about testing Kubernetes
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.
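To make the check names in the report above concrete, here is an added example (not cnspec code, and not the policies Mondoo ships) that re-implements several of those checks over a manifest's fields: default namespace, hostNetwork, hostIPC, running as root, privilege escalation, immutable root filesystem, memory limit, liveness and readiness probes, and a simplified reading of "image pull should be consistent" as "image pinned to a fixed tag or digest". The two manifests are constructed for this example and are embedded as Python dicts with the structure a YAML parser would produce, so the script runs without PyYAML; the hardened variant shows which fields each check expects.

```python
# Added example (not cnspec code): a small re-implementation of checks named in
# the cnspec report, tying each check name to the manifest fields it inspects.
from typing import Any

Manifest = dict[str, Any]


def _pod_spec(manifest: Manifest) -> dict[str, Any]:
    """Return the pod spec of a Pod, or of a workload's pod template (Deployment, StatefulSet, ...)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest: Manifest) -> list[str]:
    """Return one finding per failed check; an empty list means every check passed."""
    findings: list[str] = []
    meta = manifest.get("metadata", {})
    namespace = meta.get("namespace", "default")
    name = f"{namespace}/{meta.get('name', '<unnamed>')}"
    pod = _pod_spec(manifest)

    # Workload-level checks.
    if namespace == "default":
        findings.append(f"{name}: workload runs in the default namespace")
    if pod.get("hostNetwork"):
        findings.append(f"{name}: pod runs with hostNetwork")
    if pod.get("hostIPC"):
        findings.append(f"{name}: pod runs with hostIPC")

    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        # A container securityContext overrides the pod-level one; unset means root is allowed.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{cname}: container may run as root")
        # allowPrivilegeEscalation is true unless explicitly disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: container allows privilege escalation")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{cname}: root filesystem is not immutable")
        if "memory" not in c.get("resources", {}).get("limits", {}):
            findings.append(f"{cname}: no memory limit")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{cname}: {probe} not configured")
        # Simplified stand-in for "image pull should be consistent": flag floating images.
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]  # '' when untagged
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append(f"{cname}: image is not pinned to a fixed tag or digest")
    return findings


# Constructed sample: a Deployment with no hardening at all.
WEAK_MANIFEST: Manifest = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "postgresql", "namespace": "luna"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "postgresql", "image": "postgres:latest"}],
    }}},
}

# Constructed sample: the same Deployment with the fields each check looks for.
HARDENED_MANIFEST: Manifest = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "postgresql", "namespace": "luna"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "postgresql",
            "image": "postgres:16.2",
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
            },
            "resources": {"limits": {"memory": "512Mi"}},
            "livenessProbe": {"tcpSocket": {"port": 5432}},
            "readinessProbe": {"tcpSocket": {"port": 5432}},
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        result = check_manifest(m)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running the script lists seven findings for the weak manifest and none for the hardened one; the same fields are what you would add to a manifest to turn the report's failing checks into passes before it reaches a cluster.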