Kubernetes simplifies building and deploying apps via containerization, but securing your pods and containers is a different challenge.
Kubernetes gives each pod its own IP address, but that is only a baseline; securing your clusters requires more: network policies, access policies for individual pods, RBAC, namespace access policies, and so on.
Fortunately, many open-source tools and plugins can help manage these issues.
Let's explore some of the most useful ones:
1. kube-bench (⭐: 6,977 +)
kube-bench checks a Kubernetes cluster for compliance with security best practices, based on the CIS Kubernetes Benchmark. It identifies misconfigurations and weak settings and produces detailed reports to guide remediation.
- YAML-based test configuration allows easy updates as the benchmark evolves.
- Automatically selects the tests that apply to the node's Kubernetes version.
2. Stern (⭐: 3,265 +)
Stern lets you tail multiple pods and containers in Kubernetes at once, with color-coded log output for faster debugging.
- Selects pods by regular expression, so exact pod IDs are not needed.
- Tails all containers of a pod by default; restrict them with the `--container` flag.
- Stops tailing pods as they are deleted and picks up new pods as they are created.
3. kube-score (⭐: 2,750 +)
kube-score performs static analysis of your Kubernetes object definitions, checking them against best practices to catch misconfigurations before they are deployed.
- Evaluates resource definitions such as Deployments, Services, and Ingresses for misconfigurations.
- Supports CRD validation and checks labels, resource limits, and other key settings.
- Assigns a score based on best practices and highlights the issues found.
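To make the kind of static check kube-score performs concrete, here is an added example (not kube-score's own code): a small scorer that walks a Deployment manifest, reports missing resource limits, a floating `:latest` tag, privileged containers and absent probes, and shows a weak manifest beside a hardened one. The manifests are constructed for the example and held as Python dicts (the parsed form of the YAML) so it runs without PyYAML; the severity weights are assumptions chosen for illustration.

```python
"""Static best-practice checks over a Deployment, in the spirit of kube-score.

Added illustrative code, not kube-score itself. Manifests are plain Python
dicts (the parsed form of the YAML) so the example runs without PyYAML.
"""
from typing import Dict, List, Tuple

# Constructed sample: a Deployment with several weak settings.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [{
        "name": "web",
        "image": "example.invalid/web:latest",
        "securityContext": {"privileged": True},
    }]}}},
}

# The same Deployment with every finding below addressed.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [{
        "name": "web",
        "image": "example.invalid/web:1.4.2",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                      "requests": {"cpu": "250m", "memory": "128Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True, "allowPrivilegeEscalation": False},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
    }]}}},
}


def check_container(c: Dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a single container spec."""
    findings = []
    name = c.get("name", "<unnamed>")
    res = c.get("resources", {})
    for field, sev in (("limits", "CRITICAL"), ("requests", "WARNING")):
        if not {"cpu", "memory"} <= set(res.get(field, {})):
            findings.append((sev, f"{name}: cpu/memory {field} not set"))
    image = c.get("image", "")
    # A tag must follow the last path segment and must not float on :latest.
    if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
        findings.append(("CRITICAL", f"{name}: image tag missing or ':latest'"))
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(("CRITICAL", f"{name}: container runs privileged"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("WARNING", f"{name}: root filesystem is writable"))
    if not sc.get("runAsNonRoot"):
        findings.append(("WARNING", f"{name}: runAsNonRoot not enforced"))
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to allowed
        findings.append(("WARNING", f"{name}: allowPrivilegeEscalation not disabled"))
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in c:
            findings.append(("WARNING", f"{name}: {probe} not defined"))
    return findings


def score_deployment(manifest: Dict) -> Tuple[int, List[Tuple[str, str]]]:
    """Score 0..10: start at 10, -2 per CRITICAL, -1 per WARNING, floored at 0 (assumed weights)."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("replicas", 1) < 2:
        findings.append(("WARNING", "deployment has fewer than 2 replicas"))
    for c in spec.get("template", {}).get("spec", {}).get("containers", []):
        findings.extend(check_container(c))
    penalty = sum(2 if sev == "CRITICAL" else 1 for sev, _ in findings)
    return max(0, 10 - penalty), findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        score, issues = score_deployment(manifest)
        print(f"{label}: score {score}/10")
        for sev, msg in issues:
            print(f"  [{sev}] {msg}")
```

The weak manifest scores 0 with ten findings, three of them critical; the hardened one scores 10 with none. Running a check like this in CI, as kube-score is commonly used, stops the weak shape of manifest from reaching the cluster in the first place.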
4. KubiScan (⭐: 1,313 +)
KubiScan scans Kubernetes clusters for risky permissions in the RBAC authorization model.
- Identify risky Pods/Containers
- Identify risky Roles/ClusterRoles
- Identify risky RoleBindings/ClusterRoleBindings
- Identify risky Subjects (Users, Groups and ServiceAccounts)
- Dump tokens from pods (all or by namespace)
- CVE scan
5. Rakkess (⭐: 1,300 +)
Rakkess is a kubectl plugin designed to show an access matrix for Kubernetes server resources, helping visualize and audit permissions.
- Shows who can access Kubernetes resources and their actions.
- Audits RBAC permissions for users, groups, and service accounts in a clear matrix view.
- Supports CI/CD integration for continuous RBAC audits.
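KubiScan and Rakkess approach the same question from two sides: who ends up with which verbs on which resources, and which of those grants are risky. The added example below (illustrative code, not from either project) resolves Roles, ClusterRoles and their bindings into a subject-by-resource access matrix in the style of Rakkess, then flags grants such as wildcard access, reading Secrets or exec into pods in the style of KubiScan. The RBAC objects are constructed inline as Python dicts (the parsed form of what kubectl would return), and the list of risky grants is a small assumed subset rather than either tool's full ruleset.

```python
"""RBAC review in the spirit of KubiScan and rakkess: resolve bindings into a
subject-by-resource access matrix, then flag grants that deserve a closer look.

Added illustrative code, not either tool. Objects are plain Python dicts (the
parsed form of what kubectl would return), constructed inline for the example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Grants worth reviewing (a small, assumed subset; the real tools use longer lists).
RISKY_GRANTS = {
    ("*", "*"): "wildcard access to every resource",
    ("secrets", "get"): "can read Secrets",
    ("secrets", "list"): "can list Secrets",
    ("pods/exec", "create"): "can exec into running pods",
    ("pods", "create"): "can create pods, which can mount service account tokens",
    ("clusterroles", "bind"): "can bind ClusterRoles",
    ("clusterroles", "escalate"): "can escalate ClusterRoles",
    ("users", "impersonate"): "can impersonate users",
}

# Constructed sample objects.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "log-viewer", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-secrets", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "prod"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-logs", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "log-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

Matrix = Dict[str, Dict[str, Set[str]]]


def role_key(kind: str, name: str, namespace: Optional[str]) -> Tuple[str, str, Optional[str]]:
    """Roles are namespaced, ClusterRoles are not; a RoleBinding may reference either."""
    return (kind, name, namespace if kind == "Role" else None)


def subject_id(s: Dict) -> str:
    """Stable display name; service accounts are qualified by namespace."""
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount:{s['namespace']}/{s['name']}"
    return f"{s['kind']}:{s['name']}"


def access_matrix(roles: List[Dict], bindings: List[Dict]) -> Matrix:
    """subject -> resource -> verbs, following each binding's roleRef."""
    by_key = {role_key(r["kind"], r["metadata"]["name"], r["metadata"].get("namespace")): r
              for r in roles}
    matrix: Matrix = defaultdict(lambda: defaultdict(set))
    for b in bindings:
        role = by_key.get(role_key(b["roleRef"]["kind"], b["roleRef"]["name"],
                                   b["metadata"].get("namespace")))
        if role is None:  # a dangling roleRef grants nothing
            continue
        for s in b.get("subjects", []):
            for rule in role.get("rules", []):
                for res in rule.get("resources", []):
                    matrix[subject_id(s)][res].update(rule.get("verbs", []))
    return matrix


def risky_subjects(matrix: Matrix) -> List[Tuple[str, str]]:
    """(subject, reason) pairs; '*' in a rule matches any resource or verb."""
    out = []
    for subj, grants in matrix.items():
        if "*" in grants.get("*", set()):
            out.append((subj, RISKY_GRANTS[("*", "*")]))
            continue  # every other grant is implied by the wildcard
        for (res, verb), reason in RISKY_GRANTS.items():
            verbs = grants.get(res, set()) | grants.get("*", set())
            if res != "*" and (verb in verbs or "*" in verbs):
                out.append((subj, reason))
    return out


if __name__ == "__main__":
    m = access_matrix(ROLES, BINDINGS)
    for subj in sorted(m):
        for res in sorted(m[subj]):
            print(f"{subj:32} {res:12} {','.join(sorted(m[subj][res]))}")
    for subj, reason in risky_subjects(m):
        print(f"RISK {subj}: {reason}")
```

On the sample objects the `ops` group is flagged once for its wildcard grant, the `prod/ci` service account twice for Secret access, and `alice`, who can only read pods and their logs, is not flagged at all. Note the namespace handling in `role_key`: a RoleBinding can reference a ClusterRole (as `ci-secrets` does), which is a common way for cluster-wide read access to Secrets to leak into a single namespace without anyone noticing.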
Remember, we are only as strong as the weakest link.