Secure Kustomize Overlays with cnspec
Scan Kustomize overlays for security misconfigurations before applying them to your Kubernetes clusters.
Catch insecure Kubernetes configurations before kubectl apply. cnspec parses kustomization.yaml files and the rendered kustomize build output, exposing patches, generators, image overrides, and Kubernetes resources as queryable MQL resources. The Kubernetes Security policy applies to the rendered resources, and you can use the Kustomize provider inside your own policies to enforce overlay-level standards.
This page is part of scanning your supply chain with cnspec. If you're new to cnspec, start with the Quickstart to install cnspec and run your first scan.
Prerequisites
To scan Kustomize overlays with cnspec, you must have:
- cnspec installed on your workstation
- A Kustomize overlay directory containing a
kustomization.yamlfile
Scan Kustomize overlays
Scan a Kustomize overlay directory:
cnspec scan kustomize ./overlays/productionScan options
| Option | Description |
|---|---|
--asset-name | Override the asset name |
--annotation | Add an annotation to the asset (key=value) |
--incognito | Run in incognito mode (do not report results to Mondoo Platform) |
-o, --output | Set the output format (compact, full, json, junit, summary, yaml) |
-f, --policy-bundle | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
--policy | Specify policies to execute (requires --policy-bundle) |
--risk-threshold | Exit with status 1 if any risk meets or exceeds this value (0-100) |
Example checks
Run cnspec shell kustomize ./overlays/production to open the interactive shell. From there you can make checks like the examples below.
List parsed kustomizations
kustomize.kustomizations { path namespace namePrefix nameSuffix }Inspect image overrides
kustomize.kustomizations { images { name newName newTag digest } }Find image overrides that pin a mutable tag instead of a digest
kustomize.kustomizations {
images.where(digest == "" && (newTag == "latest" || newTag == ""))
}Review patches applied by an overlay
kustomize.kustomizations { patches { path target { kind name namespace } } }List ConfigMap and Secret generators
kustomize.kustomizations {
configMapGenerators { name files literals }
secretGenerators { name files literals }
}List rendered Kubernetes resources
kustomize.kustomizations { resources { kind name namespace } }Check that every Deployment sets resource limits
kustomize.kustomizations {
resources.where(kind == "Deployment").all(
manifest["spec"]["template"]["spec"]["containers"].all(
_["resources"]["limits"] != null
)
)
}Learn more
-
To scan raw Kubernetes manifests or Helm charts instead, read Secure Kubernetes Manifests with cnspec and Secure Helm Charts with cnspec.
-
The same policies that scan your overlays also scan live clusters. To close the loop, read Secure Kubernetes Clusters with cnspec.
-
For the full MQL resource reference, see the MQL Kustomize provider documentation.
-
To learn more about how the MQL query language works, read Write Effective MQL.