8 Kubernetes Scanners to find Security Vulnerability and Misconfiguration

default image
![Kubernetes logo](*Vm_Iy8d8alpf4iJWCO2DhQ.png)

Hi there! As a long-time technology geek and Kubernetes expert, I‘m excited to dive into this comprehensive guide on securing your Kubernetes clusters.

With incidents like the Tesla crypto-mining hack bringing Kubernetes security risks to the spotlight, it‘s more important than ever to lock down your clusters. The dynamic nature of containers and complexity of Kubernetes makes it prone to misconfigurations and vulnerabilities.

That‘s where specialized scanners come in – they continuously scan your Kubernetes environments to identify risks before hackers exploit them. I‘ll be sharing my views on 8 open source scanners that I believe provide robust Kubernetes security.

But first, let‘s look at some key factors that make Kubernetes scanner essential:

Why Continuous Scanning is Crucial for Kubernetes

  • Kubernetes adoption is exploding: According to Red Hat, usage has grown over 300% from 2018 to 2020 with 84% of organizations now using Kubernetes. More usage means more attack surface for hackers.

  • Complex architectures: Between dynamic containers, microservices and automation, Kubernetes environments are complex. This complexity increases the chances of misconfigurations.

  • Frequent changes: With CI/CD pipelines spinning up new containerized workloads frequently, things can change rapidly. You need 24×7 visibility to keep up.

  • Shortage of security skills: Most teams lack specialized skills to secure Kubernetes properly. Scanners act as an extra security team member providing expert knowledge.

  • Runtime risks: Issues like exposed dashboards, vulnerable images, excessive permissions etc. require runtime analysis. Scanners provide continuous runtime security monitoring.

Let‘s now explore 8 capable open source scanners that can significantly boost your Kubernetes security.

8 Open Source Kubernetes Scanners

1. Kube-Hunter

Kube-hunter is an open source Kubernetes scanner designed to hunt for security weaknesses. It performs various tests to identify misconfigurations and security flaws in your clusters.

As a dynamic reconnaissance tool, some key features I like about kube-hunter:

  • Simulation of real attacks: It runs exploitation scenarios to check for risks like unsecured dashboards, lateral movement through exposed services, etc.

  • Network-based scans: It can run on your laptop and scan the Kubernetes cluster over the network for weaknesses.

  • No modifications required: Kube-hunter non-intrusively scans your live production clusters without needing any mods.

  • Clear reporting: It generates a full report describing all vulnerabilities discovered during the tests.

I‘ve used kube-hunter on multiple clusters and found it reliably uncovers critical issues like anonymous authentication enabled on the API server, RBAC misconfigurations, exposed alpha APIs etc. It‘s one of the first scanners I run on a new cluster.

2. Kube-Bench

Kube-bench checks whether Kubernetes is deployed according to security best practices defined in the CIS (Center for Internet Security) Kubernetes Benchmark.

It‘s one of my favorite tools for checking cluster security posture against Kubernetes hardening guidance:

  • Covers 100+ checks: Tests for critical aspects like network policies, TLS settings, RBAC, sysctls, node restrictions etc.

  • Easy customization: You can choose which specific checks to run based on your needs.

  • Clear reporting: Generates a master report showing passed/failed tests with detailed debugging info.

  • Remediation guidance: Tells you exactly how to fix failed tests to improve your security grade.

Running kube-bench regularly helps ensure any new changes or addons comply with Kubernetes security best practices endorsed by CIS.

3. Checkov

Checkov is a static analysis tool I highly recommend for catching misconfigurations early in your CI/CD pipelines. It scans infrastructure as code templates to detect security risks before provisioning real resources.

Here‘s what I like about using Checkov:

  • Broad coverage: Single tool to scan Terraform, CloudFormation, Kubernetes YAML, Dockerfiles, Serverless configs, and more.

  • Embedded knowledge: 500+ built-in policies covering security best practices for major platforms. Always up-to-date.

  • Developer-centric: Integrates into developer workflows seamlessly. Runs fast enough to not slow down pipelines.

  • Prevents drift: By fixing insecure settings in code, you ensure security hardening remains intact as environments scale rapidly.

Checkov excels at preventing insecure infrastructure as code from leaving developer laptops. For Kubernetes specifically, it has 150+ checks covering RBAC, network policies, pod security contexts, and other aspects.


MKIT (Managed Kubernetes Inspection Tool) is purpose-built for scanning managed Kubernetes services like AKS, EKS and GKE.

As a read-only scanner optimized for managed Kubernetes, here‘s what I like about MKIT:

  • Quick setup: Very easy deployment since it runs completely outside your clusters and uses read-only APIs.

  • Managed focus: Checks tuned for common misconfigurations in managed Kubernetes like excessively permissive pod/container settings.

  • Intuitive interface: Web UI prominently highlights failed checks and lets you drill down into affected resources.

  • Read-only: Since it uses only read-access, you can safely run MKIT scans on production clusters without concerns.

Overall, MKIT serves as an efficient Kubernetes security validator for organizations using managed services like AKS or EKS. It‘s a fast way to get visibility on initial posture and incremental drift.

5. Kubei

Kubei is an open source scanner focused on runtime security of Kubernetes clusters. It‘s designed to provide continuous visibility into risks like:

  • Vulnerable container images: Checks images deployed in cluster against CVE database using Docker API.

  • Sensitive mounts: Detects use of unsafe hostPath, secret, configMap mounts in containers.

  • Network exposures: Identifies insecure ingress/egress traffic flows via firewall rules.

  • Privilege escalations: Spots unnecessary privileges granted via bind mounts, capabilities, SELinux policies etc.

Kubei presents findings in an intuitive way through a graphical interface showing high/medium/low risks and remediation. It lets you customize scans based on risk severity, speed, integrations etc.

6. Kube-Scan

Kube-scan takes a unique approach of assigning risk scores (0-10) to Kubernetes workloads based on posture.

Here are some interesting aspects of kube-scan:

  • Risk scoring: Uses the KCCSS model to quantify risk levels based on factors like exposures, privileges, vulnerabilities, compliance violations etc.

  • Continuous analysis: Runs inside the cluster and rescans workloads frequently to detect any changes in risk levels.

  • Actionable UI: Web interface highlights highest risk workloads and lets you drill down into factors impacting the score.

  • Risk benchmarks: Lets you define score thresholds that trigger automated alerts and workflows.

Kube-scan simplifies Kubernetes security risk management by translating complex findings into an intuitive 0-10 score. This empowers administrators to focus on high-risk clusters and measure security improvements over time.

7. Kubeaudit

Kubeaudit is an open source tool I recommend running regularly to audit your Kubernetes clusters against security best practices.

These are some key reasons I like kubeaudit:

  • Focused auditing: Scans specifically for security best practices like dropping unnecessary capabilities, readOnlyRootFilesystem, networkPolicies etc.

  • Clear reporting: Categorizes findings as errors, warnings or info based on severity. Summarizes results at the end.

  • Portable: You can run kubeaudit directly inside the cluster or on your workstation against a kubeconfig file.

  • Full coverage: Scans multiple resource types like pods, deployments, daemonsets, across all namespaces.

Kubeaudit serves as a quick validator to ensure new changes comply with Kubernetes security guidelines endorsed by the community. It‘s easy enough to integrate into pre-production pipelines.

8. Kubesec

Kubesec focuses on identifying misconfigurations in Kubernetes manifest files before you deploy them. Some key aspects:

  • Pre-deployment scanning: Helps developers scan YAML files containing Kubernetes resources for security risks.

  • Least privilege checks: Validates settings like assigned capabilities, host mounts, privilege escalation paths etc.

  • Image vulnerabilities: Can scan container images used in manifests for CVEs.

  • CI/CD integration: Provides integrations with Kubernetes CI/CD pipelines to automate scanning.

  • Fix left shifts: By scanning left-shifted YAML, you reduce security debt accumulation over time.

I highly recommend using Kubesec to eliminate insecure Kubernetes configurations early before they reach running clusters. It instills secure configuration hygiene right from development.

Key Capabilities to Look For

Based on my experience, here are some key capabilities to evaluate when selecting a Kubernetes scanner:

  • Comprehensive risk coverage: Look for scanners that check configurations, network, images, IAM, runtime, supply chain etc. holistically.

  • CI/CD integrations: Scanning earlier in the pipeline prevents more risk.

  • Actionable reporting: Clear presentation of findings, risk ranking, and remediation advice.

  • Customizable: Tuning scan scope, frequency, depth based on your risk appetite.

  • DevSecOps Native: Frictionless for developers to use and fast enough to not bottleneck pipelines.

  • Benchmarking: Checks against industry standards like CIS helps drive security maturity.

  • Kubernetes expertise: Specialized focus on Kubernetes versus generic tools. Looks for CNCF involvement.

The Verdict

Here‘s my concluding advice based on securing many Kubernetes clusters:

Start by establishing a security baseline – Run multiple scanners like kube-hunter, kube-bench, kubei etc. to unveil gaps across different focus areas.

Enable continuous visibility – Monitor clusters at runtime using tools like kubei that provide 24×7 surveillance.

Shift security left – Break the build when infrastructure as code contains risks by using scanners like checkov early in CI/CD.

Drive cultural change – Over time, instill secure Kubernetes development practices. Scanners prove their value and become trusted advisors.

Level up gradually – Use benchmarking tools like kube-bench to define and implement graduated security milestones.

With the right scanning strategy, you can make Kubernetes extremely secure. The wide range of open source scanners discussed here empower you to implement robust Kubernetes security step-by-step.

I hope you found my analysis and recommendations useful. Let me know if you have any other questions! I‘m always happy to discuss Kubernetes security best practices.


Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.