Assess Kubernetes Security with cnspec
Assess the security and compliance of your Kubernetes clusters using cnspec policy-based scanning and the interactive shell.
cnspec assesses your full Kubernetes environment for misconfigurations that put your organization at risk. You can scan your Kubernetes clusters for compliance with security policies created by Mondoo or the community, or create your own policies. You can also write individual tests to run on the fly or include in automated tasks.
You can also scan Kubernetes manifests to catch misconfigurations. Integrating manifest scanning in your development process can eliminate risks before they reach production.
For a list of Kubernetes resources you can test, read Mondoo Kubernetes (k8s) Resource Pack Reference and Mondoo Core Resource Pack Reference.
Before you begin
To test your Kubernetes environment with cnspec, you must have:
- cnspec installed on your workstation.
- kubectl installed on your workstation. To ensure that kubectl is successfully installed and you can access your Kubernetes infrastructure, run kubectl describe nodes.
Verify with a quick Kubernetes check
To quickly confirm that cnspec has access to your Kubernetes environment, run this check from your terminal:
cnspec run k8s -c 'k8s.deployment.uid != "foo"'
This asserts that none of your deployments has the UID foo. cnspec returns a report listing your deployments by UID. For each, it indicates whether the deployment meets the requirement (UID is not foo):
[passed] k8s.deployment.uid != "foo"
[ok] value: "057e7351-5738-4d3b-bd5f-46d86403c563"
[ok] value: "8038b1f4-020d-4f3f-a1da-8ec86044b9d7"
[ok] value: "aadd280e-4498-4071-8fd0-1fad781a2d07"
Assess Kubernetes security with policy-based scanning
The Kubernetes Security by Mondoo policy is available to all in Mondoo's cnspec GitHub repo. This collection of tests evaluates how well your environment follows fundamental Kubernetes security best practices. It checks for misconfigurations across your entire Kubernetes infrastructure.
To scan using the Kubernetes Security by Mondoo policy, run:
cnspec scan k8s
cnspec finds the default policy for Kubernetes and runs a scan based on that policy. It returns a report summarizing the scan results:
→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=20
→ connecting to asset K8s Cluster minikube (api)
███████████████████████████████████████████████████████████████████████████ 100% K8s Cluster minikube
→ connecting to asset kube-system/coredns (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% kube-system/coredns
→ connecting to asset luna/luna-frontend (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
Asset: K8s Cluster minikube
===========================
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
platform.title: "Kubernetes Cluster"
platform.arch: "linux/arm64"
platform.release: "v1.25.3"
Checks:
Asset: kube-system/coredns
==========================
Data queries:
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
mondoo.version: "8.11.0"
Checks:
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not run with hostPID
✓ Pass: Deployments should not bind to a host port
✓ Pass: Deployments should not run with NET_RAW capability
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should request memory
✓ Pass: Deployments should not run in the default namespace
✓ Pass: Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Container should configure a readinessProbe
✓ Pass: Container should request CPU
✓ Pass: Pod should not define hostAliases
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Container should not mount the containerd socket
✕ Fail: F 0 Container should not run as root
✓ Pass: Pod should not run with the default service account
✓ Pass: Container should not allow privilege escalation
✓ Pass: Deployments should mount any host path volumes as read-only
✓ Pass: Deployments should not run Tiller (Helm v2)
✓ Pass: Container should use an immutable root filesystem
✓ Pass: Container should not mount the Docker socket
✓ Pass: Container should not run as a privileged container
✓ Pass: Deployments should not run with SYS_ADMIN capability
✓ Pass: Pod should not run with hostNetwork
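To see what several of the checks in that list actually inspect, here is an added example that is not part of the cnspec docs or of Mondoo's policy code: a small offline Python checker that applies a subset of those checks to a constructed Deployment manifest. The manifest, the check wording and the helper names are this example's own; it reads only the container-level securityContext and ignores pod-level defaults, which the real policy handles more completely.

```python
import json

# Constructed sample input for this example: a Deployment whose pod spec and
# second container carry several deliberate misconfigurations.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "luna-frontend", "namespace": "default"},
  "spec": {"template": {"spec": {
    "hostPID": true,
    "hostAliases": [{"ip": "127.0.0.1", "hostnames": ["db.local"]}],
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
      {"name": "web",
       "image": "registry.example/luna-frontend:1.0",
       "securityContext": {"allowPrivilegeEscalation": false, "runAsNonRoot": true,
                           "readOnlyRootFilesystem": true},
       "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                     "requests": {"cpu": "250m", "memory": "128Mi"}},
       "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
       "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}},
      {"name": "sidecar",
       "image": "registry.example/sidecar:latest",
       "securityContext": {"allowPrivilegeEscalation": true,
                           "capabilities": {"add": ["NET_RAW"]}},
       "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}
    ]
  }}}
}
""")

# Host paths of the container runtime sockets the policy's socket checks look for.
RUNTIME_SOCKETS = ("/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/var/run/crio/crio.sock")


def check_deployment(deployment):
    """Return a list of (check, detail) failures for one Deployment.

    Each check paraphrases one line of the policy output above; the wording is
    this example's own, not cnspec's exact check titles. An empty list means
    every check implemented here passed.
    """
    failures = []
    meta = deployment.get("metadata", {})
    pod = deployment["spec"]["template"]["spec"]

    # Workload placement and pod-level host namespace settings.
    if meta.get("namespace", "default") == "default":
        failures.append(("deployment should not run in the default namespace",
                         meta.get("name", "<unnamed>")))
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if pod.get(flag):
            failures.append((f"pod should not run with {flag}", "true"))
    if pod.get("hostAliases"):
        failures.append(("pod should not define hostAliases", json.dumps(pod["hostAliases"])))

    # Map volume name -> hostPath so socket mounts can be recognised per container.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}

    for c in pod.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        res = c.get("resources", {})
        if sc.get("privileged"):
            failures.append(("container should not be privileged", name))
        # Kubernetes defaults allowPrivilegeEscalation to true, so "unset" fails too.
        if sc.get("allowPrivilegeEscalation", True):
            failures.append(("container should not allow privilege escalation", name))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            failures.append(("container should not run as root", name))
        if not sc.get("readOnlyRootFilesystem"):
            failures.append(("container should use an immutable root filesystem", name))
        for cap in ("NET_RAW", "SYS_ADMIN"):
            if cap in sc.get("capabilities", {}).get("add", []):
                failures.append((f"container should not run with {cap} capability", name))
        for kind, word in (("limits", "limit"), ("requests", "request")):
            for resource in ("cpu", "memory"):
                if resource not in res.get(kind, {}):
                    failures.append((f"container should have a {resource} {word}", name))
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                failures.append((f"container should configure a {probe}", name))
        for mount in c.get("volumeMounts", []):
            if host_paths.get(mount["name"]) in RUNTIME_SOCKETS:
                failures.append(("container should not mount a container runtime socket",
                                 f"{name}:{mount['mountPath']}"))
    return failures


if __name__ == "__main__":
    for check, detail in check_deployment(SAMPLE_DEPLOYMENT):
        print(f"✕ Fail: {check} ({detail})")
```

Run against the sample, the `web` container passes every implemented check while `sidecar` and the pod spec produce 14 findings; the privilege escalation check is the one to note, because a securityContext that simply omits `allowPrivilegeEscalation` fails it, matching the Kubernetes default.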
For the full report, run:
cnspec scan k8s -o full
Test Kubernetes with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your Kubernetes environment, enter:
cnspec shell k8s
cnspec automatically discovers all the Kubernetes assets available to query:
→ resolved assets resolved-assets=20
Available assets
8. luna/luna-frontend-7fb96c846b-2k5j7 (k8s-pod)
> 9. luna/luna-frontend-7fb96c846b-8b94j (k8s-pod)
10. luna/luna-frontend-7fb96c846b-jglt9 (k8s-pod)
11. kube-system/kube-controller-manager-minikube (k8s-pod)
12. kube-system/kube-proxy-cdzrr (k8s-pod)
13. kube-system/kube-scheduler-minikube (k8s-pod)
14. kube-system/storage-provisioner (k8s-pod)
•••
Use the arrow keys to move through the list and press Enter to choose the asset you want to explore.
Discover capabilities with the help command
Once inside the shell, use the help command to learn what Kubernetes resources you can test. This command lists all the Kubernetes resources:
help k8s
From the resulting list, you can drill down further. For example, enter this command to list all the Kubernetes service resources you can test:
help k8s.service
From the resulting list, you can drill down even further. You can also learn about available Kubernetes resources in the Mondoo Kubernetes (K8s) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Ensure that Pods aren't managed by HostAliases
This test asserts that DNS entries aren't managed locally using /etc/hosts within Pods:
k8s.pod { podSpec['hostAliases'] == null }
If the test passes (no Pods are managed using HostAliases), cnspec returns ok. If the test fails (one or more Pods are managed using HostAliases), cnspec provides details about the failure.
Test workload management
This test asserts that you don't run any workloads in the default namespace:
k8s.pods { namespace != "default" }
cnspec lists the individual Pod results:
k8s.pods: [
0: {
namespace != "default": false
}
1: {
namespace != "default": true
}
2: {
namespace != "default": true
}
3: {
namespace != "default": true
}
...
]
Specify fields to include in results
If you need more information in the results, specify the fields you want in braces. For example, this is the same test as above, but also asks for each Pod's ID, name, date created, and namespace:
k8s.pods { namespace != "default" id name created namespace }
cnspec returns detailed results like this:
k8s.pods: [
0: {
namespace: "default"
name: "coredns-565d847f94-zxkk2"
created: 2022-12-14 15:17:51 -0800 PST
id: "pod:kube-system:coredns-565d847f94-zxkk2"
namespace != "default": false
}
1: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-2k5j7"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-2k5j7"
namespace != "default": true
}
2: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-8b94j"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-8b94j"
namespace != "default": true
}
3: {
namespace: "luna"
name: "luna-frontend-7fb96c846b-jglt9"
created: 2022-12-14 15:28:23 -0800 PST
id: "pod:luna:luna-frontend-7fb96c846b-jglt9"
namespace != "default": true
}
...
]
Exit the cnspec shell
To exit the cnspec shell, either press Ctrl + D or type exit.
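The two shell tests above (the hostAliases test and the default-namespace test with projected fields) follow one pattern: a per-Pod assertion, optionally joined by fields to report alongside it. As an added example that is not part of the cnspec docs or code, the Python below reproduces that pattern offline over a constructed pod list in the shape of `kubectl get pods -A -o json`; the `run_check`, `lookup` and `pod_id` helpers, the field paths and the sample pods are this example's own, and the `id` form follows the shell output shown above.

```python
import json

# Constructed sample input in the shape of `kubectl get pods -A -o json`;
# the pod names are modelled on the shell output above.
PODS = json.loads("""
{"items": [
  {"metadata": {"name": "coredns-565d847f94-zxkk2", "namespace": "kube-system",
                "creationTimestamp": "2022-12-14T23:17:51Z"},
   "spec": {"containers": [{"name": "coredns"}]}},
  {"metadata": {"name": "debug-shell", "namespace": "default",
                "creationTimestamp": "2022-12-14T23:20:05Z"},
   "spec": {"containers": [{"name": "shell"}]}},
  {"metadata": {"name": "luna-frontend-7fb96c846b-2k5j7", "namespace": "luna",
                "creationTimestamp": "2022-12-14T23:28:23Z"},
   "spec": {"hostAliases": [{"ip": "10.0.0.5", "hostnames": ["postgres.local"]}],
            "containers": [{"name": "web"}]}},
  {"metadata": {"name": "postgres-0", "namespace": "luna",
                "creationTimestamp": "2022-12-14T23:25:10Z"},
   "spec": {"containers": [{"name": "postgres"}]}}
]}
""")["items"]


def pod_id(pod):
    """Build the "pod:<namespace>:<name>" id shown in the shell output above."""
    m = pod["metadata"]
    return f"pod:{m['namespace']}:{m['name']}"


def lookup(pod, path):
    """Resolve a dotted path such as "spec.hostAliases". A missing key yields
    None, which is how an unset manifest field is represented here."""
    node = pod
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def run_check(pods, label, predicate, fields=()):
    """Evaluate `predicate` on every pod and attach the requested fields.

    Returns one dict per pod, keyed by the check label and the field paths,
    mirroring the indexed list cnspec prints for `k8s.pods { ... }`.
    """
    results = []
    for pod in pods:
        entry = {label: bool(predicate(pod))}
        for field in fields:
            entry[field] = pod_id(pod) if field == "id" else lookup(pod, field)
        results.append(entry)
    return results


def failing(results, label):
    """Entries whose assertion is false; an empty list is the shell's 'ok'."""
    return [r for r in results if not r[label]]


# The two shell tests above, expressed as (label, predicate) pairs.
NOT_DEFAULT_NAMESPACE = ('namespace != "default"',
                         lambda pod: pod["metadata"]["namespace"] != "default")
NO_HOST_ALIASES = ("podSpec['hostAliases'] == null",
                   lambda pod: lookup(pod, "spec.hostAliases") is None)

if __name__ == "__main__":
    for label, predicate in (NOT_DEFAULT_NAMESPACE, NO_HOST_ALIASES):
        results = run_check(PODS, label, predicate, fields=("id", "metadata.namespace"))
        bad = failing(results, label)
        print(label, "->", "ok" if not bad else [r["id"] for r in bad])
```

On the sample, the namespace test flags only `pod:default:debug-shell` and the hostAliases test flags only the luna-frontend pod; every other entry evaluates to true, which is the shape of the per-Pod list the shell prints.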
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.
- To learn about scanning Kubernetes manifests, read Assess Kubernetes Manifests.