Mondoo
Docs
Supply Chain

Secure Kustomize Overlays with cnspec

Scan Kustomize overlays for security misconfigurations before applying them to your Kubernetes clusters.

import IacScanOptions from './_iac-scan-options.mdx';

Catch insecure Kubernetes configurations before kubectl apply. cnspec parses kustomization.yaml files and the rendered kustomize build output, exposing patches, generators, image overrides, and Kubernetes resources as queryable MQL resources. The Kubernetes Security policy applies to the rendered resources, and you can use the Kustomize provider inside your own policies to enforce overlay-level standards.

Prerequisites

To scan Kustomize overlays with cnspec, you must have:

Scan Kustomize overlays

Scan a Kustomize overlay directory:

cnspec scan kustomize ./overlays/production

Example checks

Run cnspec shell kustomize ./overlays/production to open the interactive shell. From there you can make checks like the examples below.

List parsed kustomizations

kustomize.kustomizations { path namespace namePrefix nameSuffix }

Inspect image overrides

kustomize.kustomizations { images { name newName newTag digest } }

Find image overrides that pin a mutable tag instead of a digest

kustomize.kustomizations {
  images.where(digest == "" && (newTag == "latest" || newTag == ""))
}

Review patches applied by an overlay

kustomize.kustomizations { patches { path target { kind name namespace } } }

List ConfigMap and Secret generators

kustomize.kustomizations {
  configMapGenerators { name files literals }
  secretGenerators { name files literals }
}

List rendered Kubernetes resources

kustomize.kustomizations { resources { kind name namespace } }

Check that every Deployment sets resource limits

kustomize.kustomizations {
  resources.where(kind == "Deployment").all(
    manifest["spec"]["template"]["spec"]["containers"].all(
      _["resources"]["limits"] != null
    )
  )
}

Learn more

Kubernetes Manifests

Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines.

Packer

Build secure machine images by scanning Packer builds with cnspec.

On this page

PrerequisitesScan Kustomize overlaysExample checksList parsed kustomizationsInspect image overridesFind image overrides that pin a mutable tag instead of a digestReview patches applied by an overlayList ConfigMap and Secret generatorsList rendered Kubernetes resourcesCheck that every Deployment sets resource limitsLearn more