DevSecOps - Kubernetes DevOps & Security

DevSecOps Pipeline

Kubesec Basics

KubeSec is an open-source Kubernetes security scanner and analysis tool that inspects your manifests for common exploitable risks—such as privilege escalation and writable host mounts—and assigns a security score to each vulnerability found. You can feed it a single YAML file containing one or more Kubernetes resources, and it will return both a numerical score and actionable recommendations.

[Slide: overview of Kubesec, the open-source Kubernetes security scanner, its features and the formats in which it is available]

Key Features

  • Security Scoring: Assigns points based on passed checks and best-practice recommendations.
  • Multi-Resource Support: Scan a single YAML with multiple objects.
  • Flexible Deployment: Use as a CLI binary, Docker image, Admission Controller, kubectl plugin, or REST API.

Installation Methods

Installation Method         Use Case                            Example Command
Standalone Binary           Local inspections                   curl -sL https://kubesec.io/install.sh | bash
Docker Image                CI/CD integration, containerized    docker run -i kubesec/kubesec:v2 scan /dev/stdin
Kubernetes Admission Ctrl   Enforce policies at admission       kubectl apply -f admission-controller.yaml
kubectl Plugin              Scan manifests with kubectl         kubectl kubesec scan deployment.yaml
REST API                    Programmatic scanning               curl -sSX POST --data-binary @"file.yaml"

Note

KubeSec supports multi-document YAML files. Separate resources with --- in the same file and scan them together.


Example: Scanning a Pod Manifest

Below is a sample Pod specification that enforces a read-only root filesystem:

apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
    - name: kubesec-demo
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        readOnlyRootFilesystem: true

Scan via Docker

docker run -i kubesec/kubesec:v2 scan /dev/stdin < pod.yaml

Scan via REST API

curl -sSX POST --data-binary @"pod.yaml" https://v2.kubesec.io/scan

Warning

If you expose the REST endpoint publicly, ensure you protect it behind authentication or a firewall to prevent misuse.


Sample JSON Response

The scanner returns a JSON object with your resource’s score and specific advisories:

{
  "object": "Pod/kubesec-demo.default",
  "valid": true,
  "fileName": "API",
  "message": "Passed with a score of 1 points",
  "score": 1,
  "scoring": {
    "passed": [
      {
        "id": "ReadOnlyRootFilesystem",
        "selector": "containers[0].securityContext.readOnlyRootFilesystem",
        "reason": "An immutable root filesystem can prevent malicious activity"
      }
    ],
    "advise": [
      {
        "id": "ServiceAccountName",
        "selector": ".spec.serviceAccountName",
        "reason": "Service accounts restrict Kubernetes API access and should be specified",
        "points": 3
      }
    ]
  }
}

  • passed: Checks that succeeded and earned points.
  • advise: Recommendations to improve the security posture, along with points you can earn.
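The Docker invocation from the installation table is the one most pipelines use, and the JSON above is what a pipeline has to act on. The script below is an added example (not part of this page or of the kubesec project) that ties the two together: it runs the page's docker scan command over a manifest, parses the one-result-per-resource list that a multi-document YAML produces, and fails the build when a resource trips a critical check or scores below a threshold, listing the highest-value advise entries as the fixes to apply. The SAMPLE_OUTPUT is constructed: its first entry mirrors the page's sample response, while the second result (a privileged Pod), its "critical" array, and the rule ids and point values in it are assumptions, not taken from the page.

```python
"""CI gate over kubesec scan output (added example, not kubesec's own code)."""
import json
import subprocess
import sys

# Constructed sample of what `kubesec scan` returns for a two-document YAML
# (one JSON result per `---`-separated resource). Entry 1 mirrors the page's
# response; entry 2 and its rule ids/points are assumed for illustration.
SAMPLE_OUTPUT = json.dumps([
    {"object": "Pod/kubesec-demo.default", "valid": True, "fileName": "API",
     "message": "Passed with a score of 1 points", "score": 1,
     "scoring": {
         "passed": [{"id": "ReadOnlyRootFilesystem",
                     "selector": "containers[0].securityContext.readOnlyRootFilesystem",
                     "reason": "An immutable root filesystem can prevent malicious activity"}],
         "advise": [{"id": "ServiceAccountName", "selector": ".spec.serviceAccountName",
                     "reason": "Service accounts restrict Kubernetes API access and should be specified",
                     "points": 3}]}},
    {"object": "Pod/privileged-demo.default", "valid": True, "fileName": "API",
     "message": "Failed with a score of -30 points", "score": -30,
     "scoring": {
         "critical": [{"id": "Privileged",
                       "selector": "containers[] .securityContext .privileged == true",
                       "reason": "Privileged containers can allow almost completely unrestricted host access",
                       "points": -30}],
         "advise": [{"id": "ServiceAccountName", "selector": ".spec.serviceAccountName",
                     "reason": "Service accounts restrict Kubernetes API access and should be specified",
                     "points": 3},
                    {"id": "RunAsNonRoot", "selector": "containers[] .securityContext .runAsNonRoot == true",
                     "reason": "Force the running image to run as a non-root user", "points": 1}]}},
])


def parse_output(text):
    """Parse kubesec's JSON; a multi-document scan yields a list of results."""
    results = json.loads(text)
    if isinstance(results, dict):  # defensive: wrap a single object as a list
        results = [results]
    return results


def run_kubesec(manifest_path, image="kubesec/kubesec:v2"):
    """Scan a manifest with the page's Docker command and return parsed results.

    The exit code is deliberately ignored: the JSON body, not the process
    status, decides whether the gate passes.
    """
    with open(manifest_path, "rb") as fh:
        proc = subprocess.run(["docker", "run", "-i", image, "scan", "/dev/stdin"],
                              stdin=fh, capture_output=True, check=False)
    return parse_output(proc.stdout.decode())


def top_advice(result, limit=3):
    """Return (rule id, points) for the most valuable advise entries of one result."""
    advise = result.get("scoring", {}).get("advise", [])
    ranked = sorted(advise, key=lambda a: a.get("points", 0), reverse=True)
    return [(a["id"], a.get("points", 0)) for a in ranked[:limit]]


def evaluate(results, min_score=0):
    """Return one failure record per resource that should block the pipeline.

    A resource fails when the manifest is invalid, when kubesec reports any
    critical (negative-point) finding, or when its score is below min_score.
    An empty list means the gate passes.
    """
    failures = []
    for res in results:
        obj = res.get("object", "<unknown>")
        if not res.get("valid", False):
            failures.append({"object": obj, "score": None, "critical": [], "advise": [],
                             "message": res.get("message", "invalid manifest")})
            continue
        critical = [c["id"] for c in res.get("scoring", {}).get("critical", [])]
        score = res.get("score", 0)
        if critical or score < min_score:
            failures.append({"object": obj, "score": score, "critical": critical,
                             "advise": top_advice(res), "message": res.get("message", "")})
    return failures


def main(argv):
    """Usage: python kubesec_gate.py <manifest.yaml> [min_score]"""
    path = argv[1] if len(argv) > 1 else "pod.yaml"
    min_score = int(argv[2]) if len(argv) > 2 else 0
    failures = evaluate(run_kubesec(path), min_score)
    for f in failures:
        print(f"FAIL {f['object']}: score={f['score']} critical={f['critical']} {f['message']}")
        for rule, pts in f["advise"]:
            print(f"     fix {rule} (+{pts} points)")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python kubesec_gate.py deployment.yaml 5` in a CI step; a non-zero exit blocks the rollout. Critical findings block regardless of the threshold, because a single privileged container should not be offset by points earned elsewhere in the same manifest.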

What’s Next

Now that you’ve seen how to scan a simple Pod, let’s apply KubeSec to a more complex Deployment resource and review deeper recommendations.
