Kubernetes has become the de facto standard for container orchestration, but with great power comes great responsibility—especially when it comes to security. As clusters grow in complexity and scale, security vulnerabilities can expose your entire infrastructure to potential threats. In this comprehensive guide, we’ll explore the top 10 Kubernetes security tools that will help you build, deploy, and maintain secure containerized applications.
Why Kubernetes Security Matters
Before diving into the tools, let’s understand the security challenges:
graph TB
A[Kubernetes Security Challenges] --> B[Misconfigured RBAC]
A --> C[Vulnerable Container Images]
A --> D[Network Policy Gaps]
A --> E[Runtime Threats]
A --> F[Supply Chain Attacks]
A --> G[Secret Management]
A --> H[Compliance Violations]
style A fill:#ff6b6b
style B fill:#ffd93d
style C fill:#ffd93d
style D fill:#ffd93d
style E fill:#ffd93d
style F fill:#ffd93d
style G fill:#ffd93d
style H fill:#ffd93dAccording to recent reports, over 90% of organizations have experienced at least one security incident in their Kubernetes environments. Let’s explore the tools that can help prevent these incidents.
1. Falco: Runtime Security and Threat Detection
Overview
Falco is a cloud-native runtime security tool that detects unexpected application behavior and alerts on threats at runtime. Originally created by Sysdig, it’s now a CNCF incubating project.
Key Features
- Real-time threat detection
- Deep kernel-level visibility using eBPF
- Custom rules engine
- Integration with Kubernetes audit logs
How It Works
sequenceDiagram
participant K8s as Kubernetes Cluster
participant Falco as Falco Agent
participant Kernel as Linux Kernel
participant Alert as Alert System
K8s->>Kernel: Container Activity
Kernel->>Falco: System Calls (via eBPF)
Falco->>Falco: Match Against Rules
Falco->>Alert: Trigger Alert if Match
Alert->>K8s: Notify/Take ActionPractical Example
Installation:
# Add Falco Helm repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# Install Falco
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set falco.grpc.enabled=true \
--set falco.grpcOutput.enabled=true
Custom Rule Example:
# /etc/falco/rules.d/custom_rules.yaml
- rule: Detect Shell in Container
desc: Detect shell execution in a container
condition: >
spawned_process and container and
proc.name in (bash, sh, zsh)
output: >
Shell spawned in container
(user=%user.name container=%container.name
image=%container.image.repository)
priority: WARNING
tags: [container, shell, mitre_execution]
Testing the Rule:
# Create a test pod
kubectl run test-pod --image=nginx
# Exec into the pod (this should trigger Falco)
kubectl exec -it test-pod -- /bin/bash
# Check Falco logs
kubectl logs -n falco -l app.kubernetes.io/name=falco
Real-World Use Case
A financial services company used Falco to detect cryptomining activities in their cluster. When an attacker compromised a web application and deployed a cryptominer, Falco immediately detected the unexpected process execution and network connections, triggering an automated response to isolate the pod.
2. Trivy: Comprehensive Vulnerability Scanner
Overview
Trivy is an all-in-one, easy-to-use vulnerability scanner developed by Aqua Security. It scans container images, filesystems, Git repositories, and Kubernetes clusters for vulnerabilities and misconfigurations.
Key Features
- Multi-target scanning (images, IaC, filesystems, K8s)
- Fast and accurate vulnerability detection
- SBOM generation
- Policy-as-Code support
- CI/CD integration
Scanning Architecture
graph LR
A[Container Image] --> B[Trivy Scanner]
C[Kubernetes YAML] --> B
D[Helm Charts] --> B
E[Terraform Files] --> B
B --> F[Vulnerability Database]
B --> G[Misconfiguration Checks]
B --> H[Secret Detection]
F --> I[Security Report]
G --> I
H --> I
style B fill:#4ecdc4
style I fill:#95e1d3Practical Examples
Scanning a Container Image:
# Scan an image for vulnerabilities
trivy image nginx:latest
# Scan with specific severity
trivy image --severity HIGH,CRITICAL nginx:latest
# Output to JSON
trivy image -f json -o results.json nginx:latest
Scanning Kubernetes Cluster:
# Scan entire cluster
trivy k8s --report summary cluster
# Scan specific namespace
trivy k8s --report all -n production
# Scan with compliance checks
trivy k8s --compliance k8s-cis --report summary
Kubernetes Manifest Scanning:
# Scan a deployment manifest
cat deployment.yaml | trivy config -
# Scan all manifests in a directory
trivy config ./k8s-manifests/
Example Deployment with Trivy in CI/CD:
# .github/workflows/security-scan.yml
name: Container Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: '1'
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
Integration with Kubernetes Admission Control
# trivy-operator-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-operator
namespace: trivy-system
data:
scanJob.podSecurityContext: |
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
compliance.failEntriesLimit: "10"
vulnerabilityReports.scanner: "Trivy"
3. OPA Gatekeeper: Policy Enforcement
Overview
Open Policy Agent (OPA) Gatekeeper brings policy-based control to Kubernetes through admission control. It validates, mutates, and enforces policies on Kubernetes resources.
Key Features
- Policy-as-Code using Rego language
- Kubernetes-native CRDs
- Template library for common policies
- Audit capabilities
- Mutation support
Policy Enforcement Flow
sequenceDiagram
participant User
participant API as K8s API Server
participant GK as Gatekeeper
participant OPA as OPA Engine
User->>API: kubectl apply
API->>GK: Admission Request
GK->>OPA: Evaluate Policy
OPA->>OPA: Check Constraints
OPA->>GK: Policy Decision
alt Policy Violated
GK->>API: Reject Request
API->>User: Error Message
else Policy Compliant
GK->>API: Approve Request
API->>User: Resource Created
endPractical Examples
Installation:
# Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
# Verify installation
kubectl get pods -n gatekeeper-system
Example 1: Require Labels Policy
# constraint-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
openAPIV3Schema:
type: object
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("You must provide labels: %v", [missing])
}
# constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: require-app-labels
spec:
match:
kinds:
- apiGroups: ["apps"]
kinds: ["Deployment", "StatefulSet"]
namespaces:
- production
parameters:
labels:
- app
- owner
- environment
Example 2: Container Image Registry Policy
# allowed-repos-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
openAPIV3Schema:
type: object
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not starts_with(container.image, input.parameters.repos[_])
msg := sprintf("Container image %v comes from untrusted registry", [container.image])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
not starts_with(container.image, input.parameters.repos[_])
msg := sprintf("Init container image %v comes from untrusted registry", [container.image])
}
# allowed-repos-constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: prod-repo-whitelist
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- production
parameters:
repos:
- gcr.io/mycompany/
- docker.io/mycompany/
- registry.internal.com/
Testing the Policy:
# This should be rejected
kubectl create deployment test --image=nginx:latest -n production
# This should be accepted
kubectl create deployment test --image=gcr.io/mycompany/nginx:latest -n production
4. kube-bench: CIS Benchmark Compliance
Overview
kube-bench is a Go application that checks whether Kubernetes deployments are configured according to security best practices defined in the CIS Kubernetes Benchmark.
Key Features
- Automated CIS benchmark testing
- Supports multiple Kubernetes distributions
- JSON/YAML output formats
- Integrates with compliance frameworks
Security Check Categories
graph TD
A[kube-bench Checks] --> B[Control Plane]
A --> C[Worker Nodes]
A --> D[Policies]
B --> B1[API Server]
B --> B2[Scheduler]
B --> B3[Controller Manager]
B --> B4[etcd]
C --> C1[Kubelet Config]
C --> C2[File Permissions]
C --> C3[Kernel Parameters]
D --> D1[RBAC]
D --> D2[Pod Security]
D --> D3[Network Policies]
style A fill:#6c5ce7
style B fill:#fd79a8
style C fill:#fdcb6e
style D fill:#00b894Practical Examples
Running kube-bench:
# Run as a Job in the cluster
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
# Check the results
kubectl logs -l app=kube-bench
# Run as a container
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro \
aquasec/kube-bench:latest run --targets master,node
Example Output Analysis:
# Save results to JSON
kubectl logs -l app=kube-bench > kube-bench-results.json
# Parse specific failures
cat kube-bench-results.json | jq '.Controls[] | select(.tests[].results[].status == "FAIL")'
Automated Remediation Script:
#!/bin/bash
# remediate-kube-bench.sh
# Fix API server anonymous auth
kubectl patch deployment kube-apiserver \
-n kube-system \
--type json \
-p='[{"op": "add", "path": "/spec/template/spec/containers/0/command/-", "value": "--anonymous-auth=false"}]'
# Fix kubelet read-only port
ansible all -m lineinfile -a "path=/var/lib/kubelet/config.yaml \
regexp='^readOnlyPort:' \
line='readOnlyPort: 0'"
# Fix etcd peer auto TLS
kubectl patch statefulset etcd -n kube-system \
--type json \
-p='[{"op": "add", "path": "/spec/template/spec/containers/0/command/-", "value": "--peer-auto-tls=false"}]'
Integration with GitOps:
# kube-bench-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: kube-bench
namespace: security
spec:
schedule: "0 2 * * *" # Run daily at 2 AM
jobTemplate:
spec:
template:
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench"]
args: ["run", "--json"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
5. Kubescape: Kubernetes Security Platform
Overview
Kubescape is an open-source Kubernetes security platform that provides comprehensive security scanning, compliance checking, and risk analysis based on multiple frameworks including NSA-CISA, MITRE ATT&CK, and CIS.
Key Features
- Multi-framework compliance scanning
- Risk scoring and prioritization
- RBAC visualization
- Image vulnerability scanning
- Runtime security monitoring
Security Assessment Framework
graph TB
A[Kubescape Scan] --> B[Configuration Scanning]
A --> C[RBAC Analysis]
A --> D[Image Scanning]
A --> E[Network Policy Check]
B --> F[NSA-CISA Framework]
B --> G[MITRE ATT&CK]
B --> H[CIS Benchmark]
B --> I[DevSecOps Best Practices]
C --> J[Excessive Permissions]
C --> K[Service Account Analysis]
D --> L[Vulnerability Database]
E --> M[Network Segmentation]
F --> N[Risk Score]
G --> N
H --> N
I --> N
J --> N
K --> N
L --> N
M --> N
style A fill:#e74c3c
style N fill:#27ae60Practical Examples
Installation and Basic Scanning:
# Install Kubescape CLI
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
# Scan cluster against NSA-CISA framework
kubescape scan framework nsa
# Scan against CIS benchmark
kubescape scan framework cis-v1.23-t1.0.1
# Scan specific namespace
kubescape scan framework nsa --namespace production
# Get detailed results in JSON
kubescape scan framework nsa --format json --output results.json
Scanning YAML Files Before Deployment:
# Scan deployment manifests
kubescape scan *.yaml
# Scan with specific controls
kubescape scan deployment.yaml --controls "C-0009,C-0017,C-0034"
# Scan with custom exceptions
kubescape scan --exceptions exceptions.json deployment.yaml
Example: Fixing Common Issues Detected by Kubescape
# Before - Insecure Pod (fails multiple controls)
apiVersion: v1
kind: Pod
metadata:
name: insecure-app
spec:
containers:
- name: app
image: myapp:latest
securityContext:
privileged: true
# After - Secure Pod (passes Kubescape checks)
apiVersion: v1
kind: Pod
metadata:
name: secure-app
labels:
app: secure-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
resources:
limits:
cpu: "1"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
Integrating with CI/CD:
# .gitlab-ci.yml
kubescape-scan:
stage: security
image:
name: quay.io/kubescape/kubescape:latest
entrypoint: [""]
script:
- kubescape scan framework nsa *.yaml --format junit --output results.xml
- |
if [ -f results.xml ]; then
SCORE=$(kubescape scan framework nsa *.yaml --format json | jq '.summaryDetails.score')
if (( $(echo "$SCORE < 70" | bc -l) )); then
echo "Security score too low: $SCORE%"
exit 1
fi
fi
artifacts:
reports:
junit: results.xml
when: always
RBAC Visualization Example:
# Generate RBAC visualization
kubescape scan framework rbac-v1.0.0 --format json > rbac-scan.json
# Extract overly permissive roles
cat rbac-scan.json | jq '.resources[] | select(.resourceID | contains("ClusterRole")) | select(.object.rules[].verbs[] == "*")'
6. Kyverno: Kubernetes-native Policy Management
Overview
Kyverno is a policy engine designed specifically for Kubernetes. Unlike OPA, which uses Rego, Kyverno uses YAML for policy definitions, making it more accessible for Kubernetes administrators.
Key Features
- YAML-based policies (no new language to learn)
- Validation, mutation, and generation of resources
- Automatic image verification
- Pod Security Standards enforcement
- CLI for policy testing
Policy Types and Flow
graph LR
A[Kubernetes Resource] --> B{Kyverno Policy Engine}
B --> C[Validate]
B --> D[Mutate]
B --> E[Generate]
B --> F[Verify Images]
C --> G[Allow/Deny]
D --> H[Modified Resource]
E --> I[New Resource]
F --> J[Signature Check]
G --> K[Applied to Cluster]
H --> K
I --> K
J --> K
style B fill:#326ce5
style K fill:#42b983Practical Examples
Installation:
# Install Kyverno using Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
# Install Kyverno policies
helm install kyverno-policies kyverno/kyverno-policies -n kyverno
Example 1: Validation Policy – Require Resource Limits
# require-resources.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-resources
annotations:
policies.kyverno.io/title: Require Resource Limits
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: >-
Containers must have resource requests and limits defined
to ensure proper scheduling and prevent resource exhaustion.
spec:
validationFailureAction: enforce
background: true
rules:
- name: validate-resources
match:
any:
- resources:
kinds:
- Pod
validate:
message: "CPU and memory resource requests and limits are required"
pattern:
spec:
containers:
- resources:
requests:
memory: "?*"
cpu: "?*"
limits:
memory: "?*"
cpu: "?*"
Example 2: Mutation Policy – Add Security Context
# add-security-context.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-securitycontext
spec:
background: false
rules:
- name: add-securitycontext
match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- (name): "*"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
Example 3: Generation Policy – Auto-create NetworkPolicy
# generate-netpol.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-networkpolicy
spec:
rules:
- name: default-deny-ingress
match:
any:
- resources:
kinds:
- Namespace
generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-deny-ingress
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
spec:
podSelector: {}
policyTypes:
- Ingress
Example 4: Image Verification Policy
# verify-images.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image-signature
spec:
validationFailureAction: enforce
background: false
webhookTimeoutSeconds: 30
rules:
- name: verify-signature
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "gcr.io/mycompany/*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
-----END PUBLIC KEY-----
Testing Policies with Kyverno CLI:
# Install Kyverno CLI
kubectl krew install kyverno
# Test a policy against a resource
kyverno apply require-resources.yaml --resource test-pod.yaml
# Test multiple policies
kyverno apply policies/ --resource deployments/
# Generate reports
kyverno apply policy.yaml --resource resource.yaml --policy-report
Practical Testing Example:
# Create a test pod that should fail
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
containers:
- name: nginx
image: nginx
EOF
# Expected output: Error from server: admission webhook "validate.kyverno.svc" denied the request
7. Checkov: Infrastructure as Code Security
Overview
Checkov is a static code analysis tool for infrastructure-as-code (IaC). It scans cloud infrastructure configurations to find misconfigurations before they’re deployed.
Key Features
- Supports Kubernetes, Terraform, CloudFormation, Helm, and more
- 1000+ built-in policies
- Custom policy support
- SBOM generation
- Secrets scanning
- License compliance
Scanning Workflow
sequenceDiagram
participant Dev as Developer
participant Git as Git Repository
participant CI as CI/CD Pipeline
participant Checkov
participant Report as Security Dashboard
Dev->>Git: Push IaC Changes
Git->>CI: Trigger Pipeline
CI->>Checkov: Run Security Scan
Checkov->>Checkov: Scan K8s YAML
Checkov->>Checkov: Scan Helm Charts
Checkov->>Checkov: Scan Dockerfiles
Checkov->>Report: Generate Report
alt Security Issues Found
Checkov->>CI: Exit Code 1
CI->>Dev: Pipeline Failed
else No Issues
Checkov->>CI: Exit Code 0
CI->>Dev: Pipeline Passed
endPractical Examples
Installation:
# Install via pip
pip3 install checkov
# Or use Docker
docker pull bridgecrew/checkov
Scanning Kubernetes Manifests:
# Scan a directory of Kubernetes files
checkov -d ./kubernetes-manifests
# Scan specific file
checkov -f deployment.yaml
# Scan with specific framework
checkov -d . --framework kubernetes
# Output to JSON
checkov -d . --framework kubernetes -o json > results.json
# Skip specific checks
checkov -d . --skip-check CKV_K8S_8,CKV_K8S_9
# Only run specific checks
checkov -d . --check CKV_K8S_20,CKV_K8S_21
Example Kubernetes Manifest with Issues:
# Before - Insecure Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
spec:
replicas: 3
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
containers:
- name: webapp
image: webapp:latest
ports:
- containerPort: 8080
env:
- name: DB_PASSWORD
value: "supersecret123" # CKV_K8S_35: Secret in env var
Checkov Output:
Check: CKV_K8S_8: "Liveness Probe Should Be Configured"
FAILED for resource: Deployment.default.webapp
File: /deployment.yaml:1-20
Check: CKV_K8S_9: "Readiness Probe Should Be Configured"
FAILED for resource: Deployment.default.webapp
File: /deployment.yaml:1-20
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.webapp
File: /deployment.yaml:1-20
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.webapp
File: /deployment.yaml:1-20
Fixed Version:
# After - Secure Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
spec:
replicas: 3
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: webapp
image: webapp:v1.2.3 # Fixed version tag
ports:
- containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
resources:
limits:
cpu: "1"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
envFrom:
- secretRef:
name: webapp-secrets # Using Secret reference
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
CI/CD Integration Example:
# GitHub Actions
name: IaC Security Scan
on: [push, pull_request]
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: .
framework: kubernetes,helm,dockerfile
output_format: sarif
output_file_path: results.sarif
soft_fail: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: results.sarif
Custom Policy Example:
# custom_policies/require_pod_disruption_budget.yaml
metadata:
id: "CUSTOM_K8S_1"
name: "Ensure PodDisruptionBudget exists for deployments"
category: "Kubernetes"
definition:
cond_type: "attribute"
resource_types:
- "kubernetes_deployment"
attribute: "metadata.name"
operator: "exists"
8. Sealed Secrets: Secret Management
Overview
Sealed Secrets is a Kubernetes controller and tool for one-way encrypted Secrets. It allows you to store encrypted secrets in Git repositories safely.
Key Features
- Asymmetric encryption
- GitOps-friendly
- Namespace/cluster-wide scopes
- Automatic secret rotation
- Backup and disaster recovery support
Architecture
graph TB
A[Developer] --> B[kubeseal CLI]
B --> C[Public Key]
C --> D[SealedSecret]
D --> E[Git Repository]
E --> F[GitOps Tool]
F --> G[Kubernetes Cluster]
G --> H[Sealed Secrets Controller]
H --> I[Private Key]
I --> J[Decrypted Secret]
J --> K[Pod]
style D fill:#ffd93d
style J fill:#6bcf7f
style H fill:#4a90e2Practical Examples
Installation:
# Install Sealed Secrets controller
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
# Install kubeseal CLI
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
Creating Sealed Secrets:
# Create a regular secret (DON'T commit this!)
kubectl create secret generic db-credentials \
--from-literal=username=admin \
--from-literal=password='SuperSecret123!' \
--dry-run=client -o yaml > secret.yaml
# Seal the secret
kubeseal -f secret.yaml -w sealed-secret.yaml
# Now you can safely commit sealed-secret.yaml to Git
git add sealed-secret.yaml
git commit -m "Add database credentials"
git push
Sealed Secret Example:
# sealed-secret.yaml (Safe to commit to Git)
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: db-credentials
namespace: production
spec:
encryptedData:
username: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
password: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
template:
metadata:
name: db-credentials
namespace: production
type: Opaque
Using Different Scopes:
# Namespace-wide (default)
kubeseal -f secret.yaml -w sealed-secret.yaml
# Cluster-wide (can be decrypted in any namespace)
kubeseal --scope cluster-wide -f secret.yaml -w sealed-secret.yaml
# Strict (namespace and name must match)
kubeseal --scope strict -f secret.yaml -w sealed-secret.yaml
Secret Rotation:
# Fetch the sealing certificate
kubeseal --fetch-cert > pub-cert.pem
# Use offline sealing
kubeseal --cert=pub-cert.pem -f secret.yaml -w sealed-secret.yaml
# Rotate keys (performed by admin)
kubectl delete secret -n kube-system sealed-secrets-key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller
Integration with External Secrets:
# Using with ArgoCD
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
resource.customizations: |
bitnami.com/SealedSecret:
health.lua: |
hs = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Synced" and condition.status == "False" then
hs.status = "Degraded"
hs.message = condition.message
return hs
end
end
end
end
hs.status = "Healthy"
hs.message = "Sealed Secret is healthy"
return hs
Backup and Restore:
# Backup the sealing key
kubectl get secret -n kube-system sealed-secrets-key -o yaml > master-key-backup.yaml
# Store securely (e.g., encrypted S3 bucket, vault)
aws s3 cp master-key-backup.yaml s3://backup-bucket/sealed-secrets/ --sse
# Restore in new cluster
kubectl apply -f master-key-backup.yaml
kubectl rollout restart deployment -n kube-system sealed-secrets-controller
9. Sysdig Secure: Runtime Security and Forensics
Overview
Sysdig Secure is a comprehensive container security platform that provides runtime threat detection, forensics, compliance, and vulnerability management.
Key Features
- eBPF-based runtime visibility
- Threat detection and response
- Compliance automation (PCI, HIPAA, SOC2)
- Forensic captures
- Image scanning and SBOM
- Kubernetes audit logging
Security Architecture
graph TB
A[Kubernetes Cluster] --> B[Sysdig Agent DaemonSet]
B --> C[System Calls via eBPF]
B --> D[K8s Audit Events]
B --> E[Container Metadata]
C --> F[Sysdig Backend]
D --> F
E --> F
F --> G[Threat Detection]
F --> H[Compliance Reporting]
F --> I[Forensics]
F --> J[Vulnerability Analysis]
G --> K[Alerts & Responses]
H --> K
I --> K
J --> K
K --> L[Security Team]
K --> M[Automated Remediation]
style F fill:#00b4d8
style K fill:#e63946Practical Examples
Installation:
# Add Sysdig Helm repository
helm repo add sysdig https://charts.sysdig.com
helm repo update
# Install Sysdig agent
helm install sysdig-agent sysdig/sysdig-deploy \
--namespace sysdig-agent \
--create-namespace \
--set global.clusterConfig.name=production-cluster \
--set global.sysdig.accessKey=YOUR_ACCESS_KEY \
--set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
--set global.kspm.deploy=true
Custom Runtime Policy Example:
# runtime-policy.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-runtime-policies
namespace: sysdig-agent
data:
policies: |
- name: Detect Cryptocurrency Mining
description: Alert on cryptocurrency mining activity
enabled: true
actions:
- type: POLICY_ACTION_CAPTURE
duration: 60
rules:
- rule: Cryptocurrency Mining Activity
condition: >
spawned_process and
(proc.name in (xmrig, ethminer, ccminer) or
proc.cmdline contains "stratum+tcp")
output: >
Cryptocurrency mining detected
(user=%user.name container=%container.name
command=%proc.cmdline)
priority: CRITICAL
tags: [cryptocurrency, runtime]
- name: Detect Reverse Shell
description: Alert on reverse shell attempts
enabled: true
actions:
- type: POLICY_ACTION_KILL
- type: POLICY_ACTION_CAPTURE
duration: 120
rules:
- rule: Reverse Shell Detected
condition: >
spawned_process and
((proc.name = "bash" or proc.name = "sh") and
(proc.args contains "-i" or proc.args contains "/dev/tcp"))
output: >
Reverse shell attempt detected
(user=%user.name container=%container.name
command=%proc.cmdline)
priority: EMERGENCY
tags: [attack, reverse-shell]
Compliance Scanning:
# Check PCI DSS compliance
kubectl exec -n sysdig-agent <agent-pod> -- \
sysdig-cli-scanner --compliance-framework PCI
# Check CIS Kubernetes Benchmark
kubectl exec -n sysdig-agent <agent-pod> -- \
sysdig-cli-scanner --compliance-framework CIS-Kubernetes
# Export compliance report
kubectl exec -n sysdig-agent <agent-pod> -- \
sysdig-cli-scanner --compliance-framework SOC2 --format json > compliance-report.json
Forensic Capture:
# capture-policy.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: capture-policies
namespace: sysdig-agent
data:
captures: |
- name: Capture on Suspicious Activity
filter: >
evt.type in (execve, open, connect) and
container.name contains "payment-service"
duration: 300
output:
bucket: s3://forensics-bucket/captures/
format: scap
Integration with Kubernetes Admission Controller:
# admission-controller.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-admission-controller
namespace: sysdig-admission-controller
data:
config.yaml: |
features:
k8sAuditDetections: true
kspmAdmissionController: true
policies:
- name: Block High Severity Vulnerabilities
enabled: true
rules:
- type: vulnerability
action: reject
parameters:
severity: high,critical
maxAge: 90
- name: Block Privileged Containers
enabled: true
rules:
- type: pod_security
action: reject
parameters:
checks:
- name: privileged
value: false
- name: hostPID
value: false
- name: hostNetwork
value: false
10. Snyk Container: Developer-First Security
Overview
Snyk Container is a developer-friendly container security tool that integrates vulnerability scanning into the development workflow, from IDE to production.
Key Features
- Developer-focused UI/UX
- Base image recommendations
- Automated fix PRs
- Kubernetes configuration scanning
- IDE and CI/CD integrations
- License compliance
Developer Workflow Integration
sequenceDiagram
participant Dev as Developer
participant IDE as IDE/Editor
participant Git as Git Repository
participant CI as CI/CD
participant Snyk as Snyk Platform
participant K8s as Kubernetes
Dev->>IDE: Write Code
IDE->>Snyk: Scan Dependencies
Snyk->>IDE: Show Vulnerabilities
Dev->>Git: Commit & Push
Git->>CI: Trigger Pipeline
CI->>Snyk: Scan Image
alt Vulnerabilities Found
Snyk->>CI: Create Fix PR
Snyk->>Dev: Notify Developer
else No Issues
CI->>K8s: Deploy
K8s->>Snyk: Monitor Runtime
endPractical Examples
Installation and Setup:
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Or use Docker
docker run -it snyk/snyk:docker auth
Scanning Container Images:
# Scan a local Docker image
snyk container test nginx:latest
# Scan with JSON output
snyk container test nginx:latest --json > results.json
# Scan and monitor
snyk container monitor nginx:latest
# Get base image recommendations
snyk container test nginx:latest --print-deps --json | \
jq '.baseImage.recommendations'
Dockerfile Scanning:
# Scan Dockerfile
snyk container test --file=Dockerfile nginx:latest
# Get actionable advice
snyk container test --file=Dockerfile nginx:latest --sarif-file-output=results.sarif
Example Dockerfile with Issues:
# Before - Vulnerable Dockerfile
FROM node:14
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
USER root
CMD ["node", "server.js"]
Snyk Recommendations:
$ snyk container test --file=Dockerfile myapp:latest
✗ High severity vulnerability found in node
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-DEBIAN11-NODE-3023456
Introduced through: node@14.17.0
Fixed in: 14.21.3
✗ Recommendations:
1. Upgrade base image from node:14 to node:20-alpine
2. Run as non-root user
3. Use multi-stage builds to reduce attack surface
Fixed Dockerfile:
# After - Secure Dockerfile
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY . .
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001 && \
chown -R nodejs:nodejs /app
USER nodejs
EXPOSE 3000
CMD ["node", "server.js"]
CI/CD Integration (GitHub Actions):
# .github/workflows/snyk-security.yml
name: Snyk Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Run Snyk to check Docker image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: myapp:${{ github.sha }}
args: --file=Dockerfile --severity-threshold=high
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
Kubernetes Manifest Scanning:
# Scan Kubernetes YAML files
snyk iac test deployment.yaml
# Scan entire directory
snyk iac test ./k8s-manifests/
# Generate HTML report
snyk iac test deployment.yaml --report --html > security-report.html
Automated Fix Pull Requests:
# .snyk policy file
version: v1.25.0
ignore: {}
patch: {}
language-settings:
python: '3.9'
# Snyk will automatically create PRs to:
# 1. Upgrade base images
# 2. Fix package vulnerabilities
# 3. Update Kubernetes configurations
Monitoring Production:
# Import Kubernetes workloads
snyk container monitor k8s:deployment/myapp --namespace=production
# View monitored images
snyk container monitor --org=my-org
# Set up alerts
snyk config set api=$SNYK_TOKEN
snyk monitor --project-name=production-app
Comparative Analysis
Here’s a quick comparison to help you choose the right tools:
| Tool | Primary Focus | Best For | Learning Curve | Cost |
|---|---|---|---|---|
| Falco | Runtime Detection | Real-time threat detection | Medium | Free (OSS) |
| Trivy | Vulnerability Scanning | CI/CD integration | Low | Free (OSS) |
| OPA Gatekeeper | Policy Enforcement | Complex policy requirements | High | Free (OSS) |
| kube-bench | CIS Compliance | Compliance audits | Low | Free (OSS) |
| Kubescape | Multi-framework Assessment | Comprehensive security posture | Medium | Free (OSS) |
| Kyverno | Policy Management | Kubernetes-native policies | Low | Free (OSS) |
| Checkov | IaC Security | Pre-deployment scanning | Low | Free + Paid |
| Sealed Secrets | Secret Management | GitOps workflows | Low | Free (OSS) |
| Sysdig | Runtime + Compliance | Enterprise security platform | Medium | Paid |
| Snyk | Developer Security | Developer workflow integration | Low | Free + Paid |
Implementation Strategy
graph TB
A[Security Implementation Strategy] --> B[Phase 1: Foundation]
A --> C[Phase 2: Enforcement]
A --> D[Phase 3: Detection]
A --> E[Phase 4: Response]
B --> B1[Trivy for image scanning]
B --> B2[kube-bench for compliance]
B --> B3[Checkov for IaC]
C --> C1[Kyverno/OPA for policies]
C --> C2[Sealed Secrets for secret mgmt]
D --> D1[Falco for runtime detection]
D --> D2[Kubescape for continuous assessment]
E --> E1[Sysdig for forensics]
E --> E2[Automated remediation]
style A fill:#e74c3c
style B fill:#3498db
style C fill:#f39c12
style D fill:#e67e22
style E fill:#27ae60Recommended Implementation Order
- Start with Prevention (Week 1-2)
- Deploy Trivy for container scanning
- Implement Checkov in CI/CD pipelines
- Run kube-bench for initial assessment
- Add Policy Enforcement (Week 3-4)
- Deploy Kyverno or OPA Gatekeeper
- Implement baseline security policies
- Set up Sealed Secrets for secret management
- Enable Runtime Detection (Week 5-6)
- Deploy Falco for threat detection
- Configure custom rules based on your environment
- Set up alerting and incident response
- Continuous Assessment (Week 7-8)
- Deploy Kubescape for ongoing compliance
- Integrate with existing monitoring
- Establish security metrics and KPIs
Best Practices
1. Layered Security
Don’t rely on a single tool. Use multiple tools in combination for defense in depth.
2. Shift Left
Integrate security early in the development process:
- Scan code and images before build
- Validate manifests before deployment
- Test policies in development clusters
3. Automate Everything
# Example automation workflow
apiVersion: v1
kind: ConfigMap
metadata:
name: security-automation
data:
pipeline: |
1. Developer commits code
2. Checkov scans IaC
3. Trivy scans container image
4. Kyverno validates against policies
5. Deploy to cluster
6. Falco monitors runtime
7. Kubescape runs compliance checks
8. Generate security report
4. Regular Updates
- Keep security tools updated
- Review and update policies quarterly
- Stay informed about new CVEs
5. Least Privilege
- Use RBAC effectively
- Limit service account permissions
- Implement Pod Security Standards
Conclusion
Kubernetes security requires a multi-layered approach combining prevention, detection, and response capabilities. The tools covered in this guide provide comprehensive coverage across the entire security lifecycle:
- Prevention: Trivy, Checkov, kube-bench
- Enforcement: OPA Gatekeeper, Kyverno, Sealed Secrets
- Detection: Falco, Kubescape, Sysdig
- Developer Integration: Snyk
Start with the open-source tools that match your immediate needs, then expand your security toolkit as your Kubernetes adoption matures. Remember, security is not a one-time implementation but an ongoing process that requires continuous attention and improvement.
Getting Started Checklist
- [ ] Run kube-bench to assess current security posture
- [ ] Integrate Trivy into CI/CD pipeline
- [ ] Deploy Kyverno or OPA Gatekeeper
- [ ] Implement Sealed Secrets for secret management
- [ ] Deploy Falco for runtime monitoring
- [ ] Schedule regular Kubescape scans
- [ ] Set up security alerting and incident response
- [ ] Document your security policies and procedures
- [ ] Train team on security tools and best practices
- [ ] Establish security metrics and reporting
About the Author: This article is part of the Collabnix community initiative to make Kubernetes security accessible and practical for DevOps engineers worldwide.
Join the Community: Connect with us on Collabnix Slack to discuss Kubernetes security, share experiences, and learn from fellow practitioners.
Stay Updated: Follow @ajeetraina for more DevOps and Kubernetes content.
