Scans Kubernetes manifests with Kubesec for security risks like privilege escalation, misconfigurations, excessive capabilities, and host mounts. Use for pre-deployment or CI/CD checks.
```bash
npx claudepluginhub killvxk/cybersecurity-skills-zh
```
Kubesec is an open-source security risk analysis tool developed by ControlPlane. It checks Kubernetes resource manifests for common exploitable risks such as privilege escalation, writable host mounts and excessive capability grants, assigns each resource a numeric security score, and gives actionable hardening advice. Kubesec can be used as a CLI binary, a Docker container, a kubectl plugin, an admission webhook or a REST API endpoint.
Kubesec assigns each Kubernetes resource a score based on the security checks it passes or fails.
```bash
# Linux amd64 binary (pick the matching release archive for other platforms)
curl -sSL https://github.com/controlplaneio/kubesec/releases/latest/download/kubesec_linux_amd64.tar.gz | \
  tar xz -C /usr/local/bin/ kubesec

# Verify the installation
kubesec version
```

```bash
docker pull kubesec/kubesec:v2

# Scan a manifest file
docker run -i kubesec/kubesec:v2 scan /dev/stdin < deployment.yaml
```

```bash
kubectl krew install kubesec-scan
kubectl kubesec-scan pod mypod -n default
```

```bash
# Scan a deployment manifest
kubesec scan deployment.yaml

# Output as JSON
kubesec scan -o json deployment.yaml

# Scan from standard input
cat pod.yaml | kubesec scan -
```
```json
[
  {
    "object": "Pod/web-app.default",
    "valid": true,
    "fileName": "pod.yaml",
    "message": "Passed with a score of 3 points",
    "score": 3,
    "scoring": {
      "passed": [
        {
          "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "不可变根文件系统可防止应用向本地磁盘写入",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "强制运行的镜像以非 root 用户运行",
          "points": 1
        },
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "强制 CPU 限制可防止通过资源耗尽实施 DoS 攻击",
          "points": 1
        }
      ],
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": "metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "定义良好的 AppArmor 策略可减少容器攻击面",
          "points": 3
        },
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "服务账户限制 Kubernetes API 访问,应进行配置",
          "points": 3
        }
      ]
    }
  }
]
```
```bash
# Scan every YAML file in a directory
for file in manifests/*.yaml; do
  echo "=== 扫描 $file ==="
  kubesec scan "$file"
done

# Scan a multi-document YAML file
kubesec scan multi-resource.yaml
```

```bash
# Scan via the public API
curl -sSX POST --data-binary @deployment.yaml \
  https://v2.kubesec.io/scan

# Run a local API server
kubesec http --port 8080 &

# Scan against the local server
curl -sSX POST --data-binary @deployment.yaml \
  http://localhost:8080/scan
```
```yaml
name: Kubesec 扫描
on: [pull_request]
jobs:
  kubesec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: 安装 Kubesec
        run: |
          curl -sSL https://github.com/controlplaneio/kubesec/releases/latest/download/kubesec_linux_amd64.tar.gz | \
            tar xz -C /usr/local/bin/ kubesec
      - name: 扫描清单
        run: |
          FAIL=0
          for file in k8s/*.yaml; do
            SCORE=$(kubesec scan "$file" | jq '.[0].score')
            echo "$file: score=$SCORE"
            if [ "$SCORE" -lt 0 ]; then
              echo "FAIL: $file 存在严重问题(评分:$SCORE)"
              FAIL=1
            fi
          done
          exit $FAIL
```
```yaml
kubesec-scan:
  stage: security
  image: kubesec/kubesec:v2
  script:
    # Write one result file per manifest into the directory collected as an artifact
    - mkdir -p kubesec-results
    - |
      for file in k8s/*.yaml; do
        RESULT="kubesec-results/$(basename "$file").json"
        kubesec scan "$file" > "$RESULT"
        SCORE=$(jq '.[0].score' "$RESULT")
        if [ "$SCORE" -lt 0 ]; then
          echo "严重:$file 评分 $SCORE"
          jq '.[0].scoring.critical' "$RESULT"
          exit 1
        fi
      done
  artifacts:
    # Keep the results even when the job fails, which is when they matter most
    when: always
    paths:
      - kubesec-results/
```
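Both CI snippets above gate only on `.[0].score`, the first document in each file, so a second resource in a multi-document manifest is never checked. The Python gate below is an added example, not code from Kubesec or from this skill: it walks every result object in Kubesec's JSON output, fails on any critical finding, invalid manifest or score below a threshold, and reports advisories as warnings. The embedded sample output is constructed to match the format shown earlier; `scan_file` assumes the `kubesec` binary is on `PATH`.

```python
"""CI gate over Kubesec JSON output (added example; not Kubesec's own code)."""
import json
import subprocess
import sys

# Constructed sample in Kubesec's output format: a two-document manifest where
# the first resource passes and the second runs a privileged container.
SAMPLE_OUTPUT = json.dumps([
    {"object": "Pod/web-app.default", "valid": True, "fileName": "pod.yaml",
     "message": "Passed with a score of 3 points", "score": 3,
     "scoring": {"passed": [{"id": "ReadOnlyRootFilesystem", "points": 1},
                            {"id": "RunAsNonRoot", "points": 1}, {"id": "LimitsCPU", "points": 1}],
                 "advise": [{"id": "ServiceAccountName", "points": 3}]}},
    {"object": "Deployment/debug-tools.default", "valid": True, "fileName": "pod.yaml",
     "message": "Failed with a score of -30 points", "score": -30,
     "scoring": {"critical": [{"id": "Privileged", "points": -30,
                               "selector": "containers[] .securityContext .privileged == true"}]}},
])

def evaluate(results, min_score=0):
    """Return (failures, warnings): invalid manifests, critical findings and scores below min_score fail."""
    failures, warnings = [], []
    for result in results:
        name = result.get("object", "<unknown>")
        scoring = result.get("scoring") or {}
        if not result.get("valid", True):
            failures.append(f"{name}: invalid manifest ({result.get('message')})")
            continue
        for finding in scoring.get("critical") or []:
            failures.append(f"{name}: {finding['id']} ({finding['points']}) {finding.get('selector', '')}")
        if result.get("score", 0) < min_score:
            failures.append(f"{name}: score {result['score']} is below the minimum of {min_score}")
        for advice in scoring.get("advise") or []:
            warnings.append(f"{name}: consider {advice['id']} (+{advice['points']})")
    return failures, warnings

def scan_file(path):
    """Run the kubesec CLI on one manifest; check=False because kubesec exits non-zero on failed scans."""
    proc = subprocess.run(["kubesec", "scan", path], capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else json.loads(SAMPLE_OUTPUT)
    failures, warnings = evaluate(results)
    print("\n".join(["WARN " + w for w in warnings] + ["FAIL " + f for f in failures]))
    sys.exit(1 if failures else 0)
```

Run it with a manifest path to scan a real file, or without arguments to see the gate applied to the constructed sample.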
Deploy Kubesec as a ValidatingWebhookConfiguration to reject insecure manifests at deploy time. Note that `failurePolicy: Fail` also rejects requests when the webhook itself is unreachable, so the webhook service must be highly available:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: kubesec-webhook
webhooks:
  - name: kubesec.controlplane.io
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "daemonsets", "statefulsets"]
    clientConfig:
      service:
        name: kubesec-webhook
        namespace: kube-system
        path: /scan
      # caBundle: <base64 CA certificate that signed the webhook's serving cert>
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions: ["v1"]
```
| Check | Selector | Risk |
|---|---|---|
| Privileged mode | securityContext.privileged == true | Full host access |
| HostPID | spec.hostPID == true | Process namespace escape |
| HostNetwork | spec.hostNetwork == true | Network namespace escape |
| SYS_ADMIN | capabilities.add contains SYS_ADMIN | Near-root capability |

| Check | Points | Description |
|---|---|---|
| ReadOnlyRootFilesystem | +1 | Prevents filesystem writes |
| RunAsNonRoot | +1 | Non-root process execution |
| RunAsUser > 10000 | +1 | High UID reduces collision risk |
| LimitsCPU | +1 | Prevents CPU exhaustion |
| LimitsMemory | +1 | Prevents memory exhaustion |
| RequestsCPU | +1 | Makes the scheduler resource-aware |
| ServiceAccountName | +3 | Explicit service account |
| AppArmor annotation | +3 | Kernel-level MAC enforcement |
| Seccomp profile | +4 | System call filtering |