kubeaudit: audit Kubernetes clusters for various different security concerns

kubeaudit

kubeaudit is a command-line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:

  • run as non-root
  • use a read-only root filesystem
  • drop scary capabilities, don’t add new ones
  • don’t run privileged
  • and more!

Package kubeaudit provides methods to find and fix security issues in Kubernetes resources.

 

audit Kubernetes clusters

Modes

Kubeaudit supports three different modes. The mode used depends on the audit method used.

1. Manifest mode: Audit a manifest file

2. Local mode: Audit resources in a local kubeconfig file

3. Cluster mode: Audit resources in a running cluster (kubeaudit must be invoked from a container within the cluster)

In manifest mode, kubeaudit can automatically fix security issues.

Audit Results

Kubeaudit produces results with three levels of severity:

Error: A security issue or invalid kubernetes configuration Warning: A best practice recommendation Info: Informational, no action required. This includes results that are overridden

The minimum severity level can be set using the –minSeverity/-m flag.

By default, kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the –format json flag. To output results as logs (the previous default) use –format logrus.

If there are results of severity level error, kubeaudit will exit with exit code 2. This can be changed using the –exitcode/-e flag.

For all the ways kubeaudit can be customized, see Global Flags.

Install & Use

Copyright 2017 Shopify Inc.