Stefan Prodan

DevOps Consultant. DX at Weaveworks. Passionate about Cloud Native tech. Loves programming in Go, JS and .NET

Scanning Kubernetes deployments with Kubesec

Kubectl-kubesec is a kubectl plugin for scanning Kubernetes deployments with


Download and extract the scan plugin to ~/.kube/plugins/scan:

mkdir -p ~/.kube/plugins/scan && \
curl -sL`uname -s`_amd64.tar.gz | tar xzvf - -C ~/.kube/plugins/scan


Scan a deployment:

kubectl -n kube-system plugin scan kubernetes-dashboard


kubernetes-dashboard score 7
1. containers[] .securityContext .runAsNonRoot == true
Force the running image to run as a non-root user to ensure least privilege
2. containers[] .securityContext .capabilities .drop
Reducing kernel capabilities available to a container limits its attack surface
3. containers[] .securityContext .readOnlyRootFilesystem == true
An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost
4. containers[] .securityContext .runAsUser > 10000
Run as a high-UID user to avoid conflicts with the host's user table
5. containers[] .securityContext .capabilities .drop | index("ALL")
Drop all capabilities and add only those required to reduce syscall attack surface
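To make the five advisories concrete, here is an added example (not part of the original post and not kubesec's own code) that evaluates those checks against a deployment manifest. Both manifests are constructed: a minimal deployment with no securityContext, and the same workload with every advisory applied; the rule paths mirror the scan output above.

```python
import json

# Constructed sample: a minimal Deployment with no securityContext at all,
# the kind of manifest that gets advisories like the ones in the scan output.
WEAK = json.loads("""
{"kind": "Deployment", "metadata": {"name": "dashboard"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "dashboard", "image": "dashboard:example"}]}}}}
""")

# Constructed sample: the same workload with all five advisories applied.
HARDENED = json.loads("""
{"kind": "Deployment", "metadata": {"name": "dashboard"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "dashboard", "image": "dashboard:example",
    "securityContext": {
      "runAsNonRoot": true, "runAsUser": 10001,
      "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}}}
""")

# (advisory label as printed by the scan, predicate over one container's securityContext)
RULES = [
    ("containers[] .securityContext .runAsNonRoot == true",
     lambda sc: sc.get("runAsNonRoot") is True),
    ("containers[] .securityContext .capabilities .drop",
     lambda sc: bool(sc.get("capabilities", {}).get("drop"))),
    ("containers[] .securityContext .readOnlyRootFilesystem == true",
     lambda sc: sc.get("readOnlyRootFilesystem") is True),
    ("containers[] .securityContext .runAsUser > 10000",
     lambda sc: isinstance(sc.get("runAsUser"), int) and sc["runAsUser"] > 10000),
    ('containers[] .securityContext .capabilities .drop | index("ALL")',
     lambda sc: "ALL" in sc.get("capabilities", {}).get("drop", [])),
]

def advisories(deployment):
    """Return the advisory labels that at least one container in the pod fails."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    failed = []
    for label, passes in RULES:
        # A missing securityContext counts as failing every rule.
        if not all(passes(c.get("securityContext") or {}) for c in containers):
            failed.append(label)
    return failed

if __name__ == "__main__":
    for d in (WEAK, HARDENED):
        print(d["metadata"]["name"], "advisories:", len(advisories(d)))
```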