Kubeaudit can now be used as both a command line tool (CLI) and as a Go package!
kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:
- run as non-root
- use a read-only root filesystem
- drop scary capabilities, don’t add new ones
- don’t run privileged
- and more!
kubeaudit makes sure you deploy secure containers!
To use kubeaudit as a Go package, see the package docs.
The rest of this README will focus on how to use kubeaudit as a command line tool.
Command Line Interface (CLI)
brew install kubeaudit
Download a binary
Kubeaudit has official releases that are blessed and stable: Official releases
Master may have newer features than the stable releases. If you need a newer feature not yet included in a release, make sure you’re using Go 1.16+ and run the following:
go get -v github.com/Shopify/kubeaudit
Prerequisite: kubectl v1.12.0 or later
With kubectl v1.12.0 introducing easy pluggability of external functions, kubeaudit can be invoked as
kubectl audit by
make pluginand having
$GOPATH/binavailable in your path.
- renaming the binary to
kubectl-auditand having it available in your path.
kubeaudit has three modes:
- Manifest mode
- Local mode
- Cluster mode
If a Kubernetes manifest file is provided using the
-f/--manifest flag, kubeaudit will audit the manifest file.
kubeaudit all -f "/path/to/manifest.yml"
$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml" ---------------- Results for --------------- apiVersion: apps/v1 kind: Deployment metadata: name: deployment namespace: deployment-apps-v1 -------------------------------------------- -- [error] AppArmorAnnotationMissing Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added. Metadata: Container: container MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container -- [error] AutomountServiceAccountTokenTrueAndDefaultSA Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. -- [error] CapabilityShouldDropAll Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list. Metadata: Container: container Capability: AUDIT_WRITE ...
If no errors with a given minimum severity are found, the following is returned:
All checks completed. 0 high-risk vulnerabilities found
Manifest mode also supports autofixing all security issues using the
kubeaudit autofix -f "/path/to/manifest.yml"
To write the fixed manifest to a new file instead of modifying the source file, use the
kubeaudit autofix -f "/path/to/manifest.yml" -o "/path/to/fixed"
To fix a manifest based on custom rules specified on a kubeaudit config file, use the
kubeaudit autofix -k "/path/to/kubeaudit-config.yml" -f "/path/to/manifest.yml" -o "/path/to/fixed"
Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:
Kubeaudit will try to connect to a cluster using the local kubeconfig file (
$HOME/.kube/config). A different kubeconfig location can be specified using the
kubeaudit all -c "/path/to/config"
For more information on kubernetes config files, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
Kubeaudit produces results with three levels of severity:
Error: A security issue or invalid kubernetes configuration
Warning: A best practice recommendation
Info: Informational, no action required. This includes results that are overridden
The minimum severity level can be set using the
By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the
--format json flag. To output results as logs (the previous default) use
If there are results of severity level
error, kubeaudit will exit with exit code 2. This can be changed using the
For all the ways kubeaudit can be customized, see Global Flags.
||Runs all available auditors, or those specified using a kubeaudit config.||docs|
||Automatically fixes security issues.||docs|
||Prints the current kubeaudit version.|
Auditors can also be run individually.
||Finds containers running without AppArmor.||docs|
||Finds pods using an automatically mounted default service account||docs|
||Finds containers that do not drop the recommended capabilities or add new ones.||docs|
||Finds containers that have HostPID, HostIPC or HostNetwork enabled.||docs|
||Finds containers which do not use the desired version of an image (via the tag) or use an image without a tag.||docs|
||Finds containers which exceed the specified CPU and memory limits or do not specify any.||docs|
||Finds containers that have sensitive host paths mounted.||docs|
||Finds namespaces that do not have a default-deny network policy.||docs|
||Finds containers running as root.||docs|
||Finds containers that allow privilege escalation.||docs|
||Finds containers running as privileged.||docs|
||Finds containers which do not have a read-only filesystem.||docs|
||Finds containers running without Seccomp.||docs|
|–format||The output format to use (one of “pretty”, “logrus”, “json”) (default is “pretty”)|
|-c||–kubeconfig||Path to local Kubernetes config file. Only used in local mode (default is
|-f||–manifest||Path to the yaml configuration to audit. Only used in manifest mode.|
|-n||–namespace||Only audit resources in the specified namespace. Not currently supported in manifest mode.|
|-m||–minseverity||Set the lowest severity level to report (one of “error”, “warning”, “info”) (default “info”)|
|-e||–exitcode||Exit code to use if there are results with severity of “error”. Conventionally, 0 is used for success and all non-zero codes for an error. (default 2)|
The kubeaudit config can be used for two things:
- Enabling only some auditors
- Specifying configuration for auditors
Any configuration that can be specified using flags for the individual auditors can be represented using the config.
The config has the following format:
enabledAuditors: # Auditors are enabled by default if they are not explicitly set to "false" apparmor: false asat: false capabilities: true hostns: true image: true limits: true mounts: true netpols: true nonroot: true privesc: true privileged: true rootfs: true seccomp: true auditors: capabilities: # add capabilities needed to the add list, so kubeaudit won't report errors allowAddList: ['AUDIT_WRITE', 'CHOWN'] image: # If no image is specified and the 'image' auditor is enabled, WARN results # will be generated for containers which use an image without a tag image: 'myimage:mytag' limits: # If no limits are specified and the 'limits' auditor is enabled, WARN results # will be generated for containers which have no cpu or memory limits specified cpu: '750m' memory: '500m'
For more details about each auditor, including a description of the auditor-specific configuration in the config, see the Auditor Docs.
Note: The kubeaudit config is not the same as the kubeconfig file specified with the
-c/--kubeconfig flag, which refers to the Kubernetes config file (see Local Mode). Also note that only the
autofix commands support using a kubeaudit config. It will not work with other commands.
Note: If flags are used in combination with the config file, flags will take precedence.
Security issues can be ignored for specific containers or pods by adding override labels. This means the auditor will produce
info results instead of
error results and the audit result name will have
Allowed appended to it. The labels are documented in each auditor’s documentation, but the general format for auditors that support overrides is as follows:
An override label consists of a
key and a
key is a combination of the override type (container or pod) and an
override identifier which is unique to each auditor (see the docs for the specific auditor). The
key can take one of two forms depending on the override type:
- Container overrides, which override the auditor for that specific container, are formatted as follows:
container.audit.kubernetes.io/[container name].[override identifier]
- Pod overrides, which override the auditor for all containers within the pod, are formatted as follows:
value is set to a non-empty string, it will be displayed in the
info result as the
$ kubeaudit asat -f "auditors/asat/fixtures/service-account-token-true-allowed.yml" ---------------- Results for --------------- apiVersion: v1 kind: ReplicationController metadata: name: replicationcontroller namespace: service-account-token-true-allowed -------------------------------------------- -- [info] AutomountServiceAccountTokenTrueAndDefaultSAAllowed Message: Audit result overridden: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used. Metadata: OverrideReason: SomeReason
As per Kubernetes spec,
value must be 63 characters or less and must be empty or begin and end with an alphanumeric character (
[a-z0-9A-Z]) with dashes (
-), underscores (
_), dots (
.), and alphanumerics between.
Multiple override labels (for multiple auditors) can be added to the same resource.
See the specific auditor docs for the auditor you wish to override for examples.
To learn more about labels, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
If you’d like to fix a bug, contribute a feature or just correct a typo, please feel free to do so as long as you follow our Code of Conduct.
- Create your own fork!
- Get the source:
go get github.com/Shopify/kubeaudit
- Go to the source:
- Add your forked repo as a fork:
git remote add fork https://github.com/you-are-awesome/kubeaudit
- Create your feature branch:
git checkout -b awesome-new-feature
- Install Kind
- Run the tests to see everything is working as expected:
make test(to run tests without Kind:
USE_KIND=false make test)
- Commit your changes:
git commit -am 'Adds awesome feature'
- Push to the branch:
git push fork
- Sign the Contributor License Agreement
- Submit a PR (All PR must be labeled with
(Documentation update), or
(Breaking changes) )
Note that if you didn’t sign the CLA before opening your PR, you can re-run the check by adding a comment to the PR that says “I’ve signed the CLA!”!