Secure Kubernetes Manifests with cnspec
Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines.
Shift Kubernetes security left by scanning manifests before they ever reach a cluster. cnspec evaluates YAML manifests against the same policies you use on live clusters, so you can catch privilege escalations, missing resource limits, and other misconfigurations in pull requests and CI pipelines instead of in production.
This page is part of scanning your supply chain with cnspec. If you're new to cnspec, start with the Quickstart to install cnspec and run your first scan.
Prerequisites
To scan Kubernetes manifests with cnspec, you must have:
- cnspec installed on your workstation
- Kubernetes manifest files (.yml or .yaml) on your local system to scan
Scan a Kubernetes manifest
Run:
cnspec scan k8s MANIFESTFILE
For MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:
cnspec scan k8s luna-postgres.yml
cnspec returns a report summarizing the scan results:
→ discover related assets for 1 asset(s)
→ discovery option auto detected: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=3
→ connecting to asset K8s Manifest luna-postgres (code)
→ connecting to asset luna/postgresql (k8s-object)
→ connecting to asset luna/postgresql-secondary (k8s-object)
Asset: luna/postgresql
======================
Checks:
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Deployments should not run in the default namespace
✕ Fail: A 80 Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not allow privilege escalation
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a memory limit
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should configure a readinessProbe
✓ Pass: Container should not mount the CRI-O socket
Summary
=======
Score: B 72/100
To see scan results in full detail, run:
cnspec scan k8s MANIFESTFILE -o full
To control the output format or send results to a file or CI system, read Report Results.
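As an added example (constructed for this page, not the cnspec documentation's own code and not the luna-postgres.yml manifest behind the report above), here is one Deployment in two versions: the first omits the fields that the failed checks in the report look for, and the second sets them. Image, UID and resource values are illustrative.

```yaml
# Constructed example, not from the cnspec docs.
# Version 1: leaves out the fields the failed checks above look for.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: luna              # not "default": the namespace check passes
spec:
  selector:
    matchLabels: {app: postgresql}
  template:
    metadata:
      labels: {app: postgresql}
    spec:
      containers:
        - name: postgresql
          image: postgres      # no tag, no imagePullPolicy: image pull check fails
          # no securityContext: "run as root" and "immutable root filesystem" fail
          # no resources.limits: "memory limit" fails
          # no livenessProbe/readinessProbe: both probe checks fail
---
# Version 2: the same Deployment with each finding addressed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: luna
spec:
  selector:
    matchLabels: {app: postgresql}
  template:
    metadata:
      labels: {app: postgresql}
    spec:
      containers:
        - name: postgresql
          image: postgres:16             # explicit tag (or digest) instead of an implicit :latest
          imagePullPolicy: Always        # explicit pull policy
          securityContext:
            runAsNonRoot: true           # "Container should not run as root"
            runAsUser: 999               # illustrative non-root UID
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true # "immutable root filesystem"; data dirs need volumes
          resources:
            limits: {memory: 512Mi}      # "Container should have a memory limit"
          livenessProbe:                 # "Container should configure a livenessProbe"
            exec: {command: ["pg_isready", "-U", "postgres"]}
          readinessProbe:                # "Container should configure a readinessProbe"
            exec: {command: ["pg_isready", "-U", "postgres"]}
```

Running cnspec scan k8s against a file containing both documents reports each Deployment as a separate asset, so the two scores can be compared side by side. With a read-only root filesystem, PostgreSQL still needs writable volumes for its data directory and temporary files, which are omitted here for brevity.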
Learn more about testing Kubernetes
- The same policies that scan your manifests also scan live clusters. To close the loop, read Secure Kubernetes Clusters with cnspec.
- To scan Helm charts or Kustomize overlays instead of raw manifests, read Secure Helm Charts with cnspec and Secure Kustomize Overlays with cnspec.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.