Assess Kubernetes Manifests with cnspec

Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines.

Use cnspec to scan Kubernetes manifests for security misconfigurations and best-practice violations before they are applied to a cluster. Manifests are assessed with the same policies you rely on for testing live clusters, so a check that would fail in production fails at review time instead.

To scan a Kubernetes manifest, you need a Kubernetes policy. If you haven't already downloaded the Kubernetes Security by Mondoo policy, do so now. When cnspec is logged in to Mondoo Platform (the example output below shows a scan running with service account credentials), it applies the policies enabled in your space; to scan with a locally downloaded bundle instead, point cnspec at the bundle file with the --policy-bundle flag.

From the directory where you downloaded the policy, run:

cnspec scan k8s MANIFESTFILE

For MANIFESTFILE, substitute the path to the manifest file you want to scan. For example, run:

cnspec scan k8s luna-postgres.yml

cnspec returns a report summarizing the scan results. The manifest itself is one asset, and every workload object it defines (here two Deployments) is reported as a separate asset with its own list of checks. Failed checks are prefixed with a letter grade and score that reflect the check's impact: F 0 marks the most severe findings (such as a container running as root), while A 80 marks lower-impact ones (such as a missing probe).

→ loaded configuration from /Users/user/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=3
→ connecting to asset K8s Manifest luna-postgres (code)

██████████████████████████████████████████████████████████████████████████ 100% K8s Manifest luna-postgres
→ connecting to asset luna/postgresql (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/postgresql-secondary (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgresql-secondary


Asset: K8s Manifest luna-postgresql
===================================
Data queries:
mondoo.version: "8.11.0"
platform.title: "Kubernetes Manifest"
platform.release: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""

Checks:

Asset: luna/postgresql
======================
Data queries:
platform.arch: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
mondoo.version: "8.11.0"
platform.release: ""

Checks:
✓ Pass:  Pod should not run with hostNetwork
✓ Pass:  Deployments should not run in the default namespace
✕ Fail:  A  80  Container should configure a livenessProbe
. Unknown: Pods should not run Kubernetes dashboard
✕ Fail:  F   0  Container should not run as root
✓ Pass:  Container should not allow privilege escalation
✕ Fail:  C  40  Container image pull should be consistent
✕ Fail:  A  80  Container should have a memory limit
✕ Fail:  D  20  Container should use an immutable root filesystem
✓ Pass:  Pod should not run with hostIPC
✕ Fail:  A  80  Container should configure a readinessProbe
✕ Fail:  D  20  Deployments should not run with NET_RAW capability
✓ Pass:  Container should not mount the CRI-O socket
✓ Pass:  Deployments should not run with SYS_ADMIN capability
✓ Pass:  Deployments should mount any host path volumes as read-only
✕ Fail:  A  80  Container should have a CPU limit
✓ Pass:  Deployments should not bind to a host port
✓ Pass:  Pod should not define hostAliases
✓ Pass:  Container should not mount the Docker socket
✕ Fail:  A  80  Container should request memory
. Unknown: Deployments should not run Tiller (Helm v2)
✓ Pass:  Container should not run as a privileged container
✓ Pass:  Container should not mount the containerd socket
✕ Fail:  A  80  Container should request CPU
✓ Pass:  Pod should not run with hostPID
✓ Pass:  Pod should not run with the default service account

Asset: luna/postgresql-secondary
================================
Data queries:
mondoo.version: "8.11.0"
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""
platform.title: "Kubernetes Deployment, Kubernetes Manifest File"
platform.release: ""

Checks:
✓ Pass:  Deployments should not run with SYS_ADMIN capability
✕ Fail:  F   0  Container should not run as root
✕ Fail:  A  80  Container should request memory
✓ Pass:  Pod should not run with hostPID
✕ Fail:  A  80  Container should have a memory limit
✓ Pass:  Pod should not run with hostNetwork
✓ Pass:  Container should not mount the CRI-O socket
✓ Pass:  Container should not run as a privileged container
. Unknown: Pods should not run Kubernetes dashboard
✓ Pass:  Pod should not run with the default service account
✕ Fail:  D  20  Container should use an immutable root filesystem
✓ Pass:  Deployments should mount any host path volumes as read-only
. Unknown: Deployments should not run Tiller (Helm v2)
✕ Fail:  A  80  Container should configure a readinessProbe
✕ Fail:  A  80  Container should have a CPU limit
✓ Pass:  Container should not allow privilege escalation
✕ Fail:  D  20  Deployments should not run with NET_RAW capability
✕ Fail:  C  40  Container image pull should be consistent
✓ Pass:  Deployments should not bind to a host port
✕ Fail:  A  80  Container should configure a livenessProbe
✕ Fail:  A  80  Container should request CPU
✓ Pass:  Deployments should not run in the default namespace
✓ Pass:  Container should not mount the containerd socket
✓ Pass:  Pod should not run with hostIPC
✓ Pass:  Pod should not define hostAliases
✓ Pass:  Container should not mount the Docker socket

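The failed checks in the report above map directly to fields in the Deployment spec. The following manifest is an added example (it is not from the Mondoo docs or the Mondoo policy) that puts a weak Deployment beside a hardened one in the luna namespace, so scanning it with cnspec scan k8s shows the listed checks failing for one object and passing for the other. The image tag, user ID, resource values and probe commands are illustrative assumptions, and the comments stating which field satisfies which check describe the check names on this page, not the policy's exact query logic.

```yaml
# Added example, not part of the Mondoo documentation or policy bundle.
# Two Deployments in one manifest: the first reproduces the failures seen
# in the report above, the second satisfies the same checks.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql-weak
  namespace: luna                  # not "default": passes the namespace check
spec:
  replicas: 1
  selector:
    matchLabels: {app: postgresql-weak}
  template:
    metadata:
      labels: {app: postgresql-weak}
    spec:
      # No serviceAccountName: the pod uses the namespace's default service account.
      containers:
        - name: postgresql
          image: postgres          # no tag, no digest, no imagePullPolicy:
                                   # "Container image pull should be consistent" fails
          # No securityContext: "should not run as root", "immutable root
          # filesystem" and "NET_RAW capability" fail.
          # No resources: the CPU/memory request and limit checks fail.
          # No probes: the livenessProbe and readinessProbe checks fail.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: luna
spec:
  replicas: 1
  selector:
    matchLabels: {app: postgresql}
  template:
    metadata:
      labels: {app: postgresql}
    spec:
      serviceAccountName: postgresql        # assumed to exist; not the default SA
      automountServiceAccountToken: false   # the database never talks to the API server
      securityContext:
        runAsNonRoot: true
        runAsUser: 999                      # assumption: uid of "postgres" in the image
        fsGroup: 999
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: postgresql
          image: postgres:16.2              # pinned tag (a digest is stricter still)
          imagePullPolicy: IfNotPresent     # explicit policy to match the pinned tag
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true    # writable paths come from volumes below
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]                 # removes NET_RAW and SYS_ADMIN among others
          resources:
            requests: {cpu: 250m, memory: 512Mi}
            limits: {cpu: "1", memory: 1Gi}
          ports:
            - containerPort: 5432           # containerPort only, no hostPort
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres"]
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket: {port: 5432}
            initialDelaySeconds: 30
            periodSeconds: 10
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
            - name: run
              mountPath: /var/run/postgresql   # socket directory must stay writable
      volumes:
        - name: data
          emptyDir: {}                      # assumption: a PVC would be used in practice
        - name: run
          emptyDir: {}
```

Both objects are Deployments in a non-default namespace with no hostNetwork, hostPID, hostIPC, hostAliases, hostPort or socket mounts, which is why the host-level checks pass for the weak object in the report as well; the difference between the two is entirely in the pod and container securityContext, resources, probes and image reference. Dropping all capabilities and enabling a read-only root filesystem is what forces the explicit writable volume mounts, which is the usual cost of satisfying those two checks for a database image.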
To see scan results in full detail, add the full output format to the same command, substituting the path to your manifest for MANIFESTFILE:

cnspec scan k8s MANIFESTFILE -o full

The full report prints each check with its result details rather than only the one-line pass/fail summary shown above.

Learn more about testing Kubernetes
