kubesec: Security risk analysis for Kubernetes resources
Download
Kubesec is available as a:
- Docker container image at docker.io/kubesec/kubesec:v2
- Linux/MacOS/Win binary (get the latest release)
- Kubernetes Admission Controller
- Kubectl plugin
Or install the latest commit from GitHub with go get -u github.com/controlplaneio/kubesec/cmd/kubesec
Command-line usage:
$ kubesec scan k8s-deployment.yaml
Usage example:
Docker usage:
Run the same command in Docker:
$ docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Kubesec HTTP Server
Kubesec includes a bundled HTTP server.
CLI usage example:
Start the HTTP server in the background
Use curl to POST a file to the server
Finally, stop the Kubesec server by killing the background process
$ kill %
Docker usage example:
Start the HTTP server using Docker
$ docker run -d -p 8080:8080 kubesec/kubesec:d432be9 http 8080
Use curl to POST a file to the server
$ curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan …
Don’t forget to stop the server.
Kubesec-as-a-Service
Kubesec is also available via HTTPS at v2.kubesec.io/scan
Command-line usage:
$ curl -sSX POST --data-binary @"k8s-deployment.yaml" https://v2.kubesec.io/scan
Usage example:
Define a BASH function
POST a Kubernetes resource to v2.kubesec.io/scan
$ kubesec ./deployment.yml
Return a non-zero status code if the score is not greater than 10
$ kubesec ./score-9-deployment.yml | jq --exit-status '.score > 10' >/dev/null # status code 1
Example output
Kubesec returns a JSON array and can scan multiple YAML documents in a single input file.
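Because the output is an array, a pipeline gate for a multi-document file has to apply the "score greater than 10" rule to every element and fail closed when an element has no score. The script below is an added example, not part of the kubesec project; the field names other than score (object, message, scoring.critical[].selector) are assumptions about the report layout, and the sample report is constructed.

```python
import json
import sys

THRESHOLD = 10  # same rule as the page's example: fail unless score > 10

# Constructed sample report for a three-document YAML file.
# Field names other than "score" are assumptions about the report layout.
SAMPLE_REPORT = """[
  {"object": "Deployment/web.default", "score": 12, "scoring": {"critical": []}},
  {"object": "Pod/debug.default", "score": -30, "scoring": {"critical": [
    {"selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN"}]}},
  {"object": "Unknown", "valid": false, "message": "constructed parse error"}
]"""


def failing_documents(report_text, threshold=THRESHOLD):
    """Return (name, score, reasons) for every scanned document that fails.

    Fails closed: a document without a numeric score (for example one that
    could not be validated) is reported as a failure, never skipped.
    """
    report = json.loads(report_text)
    if isinstance(report, dict):  # tolerate a single object instead of an array
        report = [report]
    failures = []
    for index, doc in enumerate(report):
        name = doc.get("object", f"document #{index}")
        score = doc.get("score")
        numeric = isinstance(score, (int, float)) and not isinstance(score, bool)
        if numeric and score > threshold:
            continue  # this document passes the gate
        critical = (doc.get("scoring") or {}).get("critical") or []
        reasons = [item.get("selector", "?") for item in critical]
        if not numeric:
            reasons.append(doc.get("message", "no numeric score in report"))
        failures.append((name, score, reasons))
    return failures


def main():
    # Reads the report from stdin, e.g.: kubesec scan k8s-deployment.yaml | python gate.py
    failures = failing_documents(sys.stdin.read())
    for name, score, reasons in failures:
        print(f"FAIL {name}: score={score} {'; '.join(reasons)}", file=sys.stderr)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is 1 when any document in the input fails, so one weak resource in a multi-document file cannot hide behind a passing one.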
Copyright 2017 control-plane.io