January 6, 2022 | 1 min Read

Kubesec - Security risk analysis for Kubernetes resources

**Install kubesec as a binary to your box**

```
wget https://github.com/controlplaneio/kubesec/releases/download/v2.11.0/kubesec_linux_amd64.tar.gz
tar -xvzf kubesec_linux_amd64.tar.gz
mv kubesec /usr/bin/kubesec
kubesec
```

**Scan your resources**

Examples:

```
kubesec scan ./deployment.yaml
cat file.json | kubesec scan -
helm template -f values.yaml ./chart | kubesec scan /dev/stdin
```

**Simple use case**

```
kubectl run pod --image=nginx -o yaml --dry-run=client > file
cat file | kubesec scan -o yaml -
```

```json
[
  {
    "object": "Pod/pod.default",
    "valid": true,
    "fileName": "STDIN",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        },
...
```

```
# another example
cat node.yaml | kubesec scan -o yaml - > /root/kubesec_report.json
```
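A scan is only useful in a pipeline if it ends in a pass/fail decision rather than a human reading JSON. The script below is an added example (my own code, not part of kubesec or of this post): it parses the array that `kubesec scan` prints, fails any object that has a critical rule hit or whose score is below a threshold, and lists the rule ids so the author knows what to fix. The embedded sample report is constructed to match the shape of the output shown above; the first object mirrors the bare `kubectl run` Pod (score 0, advice only), the second is a made-up privileged Pod used to show a critical finding.

```python
"""CI gate for a kubesec report.

Added example, not kubesec's own code. Reads the JSON array that
`kubesec scan` prints (one entry per Kubernetes object), fails any object
with a critical finding or a score below a threshold, and lists rule ids.
Usage after the commands in the post:

    kubectl run pod --image=nginx -o yaml --dry-run=client \\
        | kubesec scan - | python3 kubesec_gate.py 5
"""
import json
import sys

# Constructed sample report in the shape kubesec prints. The first object
# mirrors the bare `kubectl run` Pod from the post; the second is a made-up
# privileged Pod so that the critical path is exercised too.
SAMPLE_REPORT = r"""[
  {
    "object": "Pod/pod.default",
    "valid": true,
    "fileName": "STDIN",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        {"id": "ApparmorAny",
         "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
         "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
         "points": 3},
        {"id": "ServiceAccountName",
         "selector": ".spec .serviceAccountName",
         "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
         "points": 3}
      ]
    }
  },
  {
    "object": "Pod/privileged-pod.default",
    "valid": true,
    "fileName": "STDIN",
    "message": "Failed with a score of -30 points",
    "score": -30,
    "scoring": {
      "critical": [
        {"id": "Privileged",
         "selector": "containers[] .securityContext .privileged == true",
         "reason": "Privileged containers can allow almost completely unrestricted host access",
         "points": -30}
      ],
      "advise": [
        {"id": "ServiceAccountName",
         "selector": ".spec .serviceAccountName",
         "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
         "points": 3}
      ]
    }
  }
]"""


def evaluate(report, min_score):
    """Return one result dict per scanned object.

    An object passes only if kubesec found no critical rule hits and its
    score reaches min_score; advisory hits are listed but do not fail it.
    """
    results = []
    for obj in report:
        scoring = obj.get("scoring", {})
        # Fall back to the selector if a rule entry carries no id.
        critical = [r.get("id") or r.get("selector", "?") for r in scoring.get("critical", [])]
        advise = [r.get("id") or r.get("selector", "?") for r in scoring.get("advise", [])]
        score = obj.get("score", 0)
        results.append({
            "object": obj.get("object", "<unknown>"),
            "score": score,
            "critical": critical,
            "advise": advise,
            "passed": not critical and score >= min_score,
        })
    return results


def gate(report_text, min_score):
    """Parse a kubesec JSON report and return (all_passed, results)."""
    results = evaluate(json.loads(report_text), min_score)
    return all(r["passed"] for r in results), results


def format_results(results):
    """Render results as one PASS/FAIL line per object plus its rule hits."""
    lines = []
    for r in results:
        status = "PASS" if r["passed"] else "FAIL"
        lines.append(f"{status} {r['object']} score={r['score']}")
        lines.extend(f"  critical: {rule}" for rule in r["critical"])
        lines.extend(f"  advise:   {rule}" for rule in r["advise"])
    return "\n".join(lines)


if __name__ == "__main__":
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    # Read the report from stdin when piped; otherwise demo on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, results = gate(text, threshold)
    print(format_results(results))
    sys.exit(0 if ok else 1)
```

The threshold is deliberately separate from the critical check: a critical hit such as a privileged container fails the object regardless of how many advisory points it has collected elsewhere, while the minimum score lets a team ratchet up the baseline (service account, non-root, read-only root filesystem) over time without blocking every manifest on day one.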

Jan Toth

I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …
