
Assess Kustomize Overlay Security with cnspec

Scan Kustomize overlays for security misconfigurations before applying them to your Kubernetes clusters.

Use cnspec to scan Kustomize overlays for security misconfigurations and policy violations before applying them to your Kubernetes clusters. cnspec parses kustomization.yaml files and the rendered kustomize build output, exposing patches, generators, image overrides, and Kubernetes resources as queryable MQL resources.

Prerequisites

To scan Kustomize overlays with cnspec, you must have:

Scan Kustomize overlays

Scan a Kustomize overlay directory:

cnspec scan kustomize ./overlays/production

Scan options

Option                  Description
--asset-name            Override the asset name
--annotation            Add an annotation to the asset (key=value)
--incognito             Run in incognito mode (do not report results to Mondoo Platform)
-o, --output            Set the output format (compact, full, json, junit, summary, yaml)
-f, --policy-bundle     Path to a policy file (local path, s3:// URI, or http(s):// URL)
--policy                Specify policies to execute (requires --policy-bundle)
--risk-threshold        Exit with status 1 if any risk meets or exceeds this value (0-100)

Example checks

Run cnspec shell kustomize ./overlays/production to open the interactive shell. From there you can run checks like the examples below.

List parsed kustomizations

kustomize.kustomizations { path namespace namePrefix nameSuffix }

Inspect image overrides

kustomize.kustomizations { images { name newName newTag digest } }

Find image overrides that pin a mutable tag instead of a digest

kustomize.kustomizations {
  images.where(digest == "" && (newTag == "latest" || newTag == ""))
}

Review patches applied by an overlay

kustomize.kustomizations { patches { path target { kind name namespace } } }

List ConfigMap and Secret generators

kustomize.kustomizations {
  configMapGenerators { name files literals }
  secretGenerators { name files literals }
}

List rendered Kubernetes resources

kustomize.kustomizations { resources { kind name namespace } }

Check that every Deployment sets resource limits

kustomize.kustomizations {
  resources.where(kind == "Deployment").all(
    manifest["spec"]["template"]["spec"]["containers"].all(
      _["resources"]["limits"] != null
    )
  )
}
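To run these checks non-interactively, for example in a pipeline together with the --policy-bundle and --risk-threshold options from the table above, they can be packaged as a cnspec policy bundle. The bundle below is an added example and is not part of this page or the cnspec project; the policy and check uids, the author name, and the commented-out platform filter are assumptions, while the MQL resources and fields are the ones used in the checks above.

```yaml
# Added example policy bundle (not from the page or the cnspec project).
# It wraps two of the interactive checks above so a scan can fail a pipeline.
policies:
  - uid: kustomize-overlay-hardening        # assumed uid
    name: Kustomize overlay hardening
    version: 1.0.0
    authors:
      - name: Example author                 # placeholder
    groups:
      - title: Image and workload checks
        # filters: asset.platform == "kustomize"   # assumed platform name; confirm with
        #                                          # `asset.platform` in cnspec shell before enabling
        checks:
          - uid: kustomize-images-use-digest   # assumed uid
            title: Image overrides pin a digest, not a mutable tag
            impact: 80
            mql: |
              kustomize.kustomizations.all(
                images.none(digest == "" && (newTag == "latest" || newTag == ""))
              )
            docs:
              desc: |
                An image override without a digest whose tag is "latest" or empty can
                resolve to a different image on every deployment.
              remediation: |
                Set `digest` (sha256:...) on the override, or at minimum a fixed `newTag`.
          - uid: kustomize-deployments-set-limits   # assumed uid
            title: Every rendered Deployment sets container resource limits
            impact: 60
            mql: |
              kustomize.kustomizations.all(
                resources.where(kind == "Deployment").all(
                  manifest["spec"]["template"]["spec"]["containers"].all(
                    _["resources"]["limits"] != null
                  )
                )
              )
            docs:
              desc: |
                Containers without limits can consume unbounded CPU and memory on the node.
              remediation: |
                Add `resources.limits` to every container in the Deployment's pod template.
```

Save it as kustomize-overlay-hardening.mql.yaml and run cnspec scan kustomize ./overlays/production -f kustomize-overlay-hardening.mql.yaml --risk-threshold 50 -o summary to make the scan exit non-zero when a failing check pushes the risk to or above the threshold.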
