Supply Chain
Assess Kubernetes Manifests with cnspec
Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines.
Shift Kubernetes security left by scanning manifests before they ever reach a cluster. cnspec evaluates YAML manifests against the same policies you use on live clusters, so you can catch privilege escalations, missing resource limits, and other misconfigurations in pull requests and CI pipelines instead of in production.
Prerequisites
To scan Kubernetes manifests with cnspec, you must have:
- cnspec installed on your workstation
- Kubernetes manifest files (
.ymlor.yaml) on your local system to scan
Scan a Kubernetes manifest
Run:
cnspec scan k8s MANIFESTFILEFor MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:
cnspec scan k8s luna-postgres.ymlcnspec returns a report summarizing the scan results.
Show or hide example scan results.
→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=3
→ connecting to asset K8s Manifest luna-postgres (code)
██████████████████████████████████████████████████████████████████████████ 100% K8s Manifest luna-postgres
→ connecting to asset luna/postgresql (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/postgresql-secondary (k8s-object)
███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-secondary
Asset: K8s Manifest luna-postgresql
===================================
Data queries:
mondoo.version: "8.11.0"
platform.title: "Kubernetes Manifest"
platform.release: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.arch: ""
Checks:
Asset: luna/postgresql
======================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
mondoo.version: "8.11.0"
platform.release: ""
Checks:
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Deployments should not run in the default namespace
✕ Fail: A 80 Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail: F 0 Container should not run as root
✓ Pass: Container should not allow privilege escalation
✕ Fail: C 40 Container image pull should be consistent
✕ Fail: A 80 Container should have a memory limit
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Pod should not run with hostIPC
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: D 20 Deployments should not run with NET_RAW capability
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Deployments should not run with SYS_ADMIN capability
✓ Pass: Deployments should mount any host path volumes as read-only
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Deployments should not bind to a host port
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not mount the Docker socket
✕ Fail: A 80 Container should request memory
. Unknown: Deployments should not run Tiller (Helm v2)
✓ Pass: Container should not run as a privileged container
✓ Pass: Container should not mount the containerd socket
✕ Fail: A 80 Container should request CPU
✓ Pass: Pod should not run with hostPID
✓ Pass: Pod should not run with the default service account
Asset: luna/postgresql-secondary
================================
Data queries:
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
platform.release: ""
Checks:
✓ Pass: Deployments should not run with SYS_ADMIN capability
✕ Fail: F 0 Container should not run as root
✕ Fail: A 80 Container should request memory
✓ Pass: Pod should not run with hostPID
✕ Fail: A 80 Container should have a memory limit
✓ Pass: Pod should not run with hostNetwork
✓ Pass: Container should not mount the CRI-O socket
✓ Pass: Container should not run as a privileged container
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass: Pod should not run with the default service account
✕ Fail: D 20 Container should use an immutable root filesystem
✓ Pass: Deployments should mount any host path volumes as read-only
. Unknown: Deployments should not run Tiller (Helm v2)
✕ Fail: A 80 Container should configure a readinessProbe
✕ Fail: A 80 Container should have a CPU limit
✓ Pass: Container should not allow privilege escalation
✕ Fail: D 20 Deployments should not run with NET_RAW capability
✕ Fail: C 40 Container image pull should be consistent
✓ Pass: Deployments should not bind to a host port
✕ Fail: A 80 Container should configure a livenessProbe
✕ Fail: A 80 Container should request CPU
✓ Pass: Deployments should not run in the default namespace
✓ Pass: Container should not mount the containerd socket
✓ Pass: Pod should not run with hostIPC
✓ Pass: Pod should not define hostAliases
✓ Pass: Container should not mount the Docker socketTo see scan results in full detail, run:
cnspec scan k8s -o fullLearn more about testing Kubernetes
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
For a list of all the Kubernetes resources and fields you can query, read the Mondoo Kubernetes (K8s) Resource Pack Reference.