Running kubesec.io
Kubesec quantifies risk for Kubernetes resources by validating the configuration files and manifest files used for Kubernetes deployments and operations.
How to run kubesec
- Replace the
${FILE}
with the filename which you want to perform the scan
cd /data/kubesec
curl --silent --compressed --connect-timeout 5 https://kubesec.io -F file=@"${FILE}"
- Run for the
insecuredeployment.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
privileged: true
readOnlyRootFilesystem: true
curl --silent --compressed --connect-timeout 5 https://kubesec.io -F file=@"insecuredeployment.yaml"
- Run for the
securedeployment.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsNonRoot: true
capabilities:
drop: ["ALL"]
add: ["NET_ADMIN", "SYS_TIME"]
readOnlyRootFilesystem: true
runAsUser: 100000
resources:
requsts:
cpu: 20m
memory: 30Mi
limits:
cpu: 10m
memory: 20Mi
curl --silent --compressed --connect-timeout 5 https://kubesec.io -F file=@"securedeployment.yaml"