Kubernetes Security Scanner

By Krishna Priya on 07 Aug 2025 @ Blackhat : Arsenal
#kubernetes #cloud-workload-protection #container-security #supply-chain-security #security-testing #security-tools #secure-development
Focus Areas: 📦 Software Supply Chain Security, 🔐 Application Security, ☁️ Cloud Security, ⚙️ DevSecOps
This tool demo covers the following tools that the speaker has authored or contributed to:
K8SSECURITY

Presentation Material

Abstract

This is a comprehensive security scanning tool for Kubernetes clusters that identifies security issues, misconfigurations, and potential vulnerabilities. I built this tool while I was studying for the CKS, and I have found it really useful for real-world workloads. It has the following features.

1. Cluster Setup and Hardening: locks down the foundation with CIS-aligned configs, safe admission plugins, tight RBAC, and restrictive network policies.

CIS Benchmark Checker – drift & remediation

Admission Controller Checker – PSP/PSA, webhooks

RBAC Checker – wild‑card verbs, risky bindings

Network Policy Checker – open namespaces, default‑allow rules

2. System Hardening: fortifies nodes and runtimes (kernel parameters, kubelet flags, containerd/Docker, and gVisor isolation).

Node Security Checker – OS & kubelet hygiene

Runtime Security Checker – seccomp, AppArmor, privilege creep

gVisor Checker – runtime‑class wiring, sandbox health

3. Minimize Microservice Vulnerabilities: applies least privilege to pods through security contexts, resource limits, PDBs, and secrets hygiene.

Container Security Checker – capabilities, limits, image trust

Pod Security Checker – priority/QoS, disruption budgets

Secrets Management Checker – encryption, rotation, exposure

4. Supply Chain Security: admits only trusted code via image signatures, SBOM validation, and CVE detection.

Image Security Checker – signatures, vuln scan, registry posture

SBOM Checker – dependency CVEs, license red flags

5. Runtime Security: maintains live visibility with audit pipelines and Falco rules for instant threat detection.

Audit Checker – policy coverage, backend integrity

Falco Checker – rule quality, alert wiring, violation monitoring

AI Generated Summary

The talk presented a practical methodology for deploying and utilizing an open-source Kubernetes security scanner. The core approach involved first deploying an intentionally vulnerable Kubernetes cluster using kind and provided configurations. This cluster served as a test environment to demonstrate the scanner’s capabilities.

The scanner itself is a custom tool that orchestrates several existing security tools to perform a comprehensive assessment. Key integrated tools and checks included: kube-bench for CIS benchmark compliance; Trivy and kubesec for container image vulnerability scanning and security context validation (e.g., privileged containers, root user execution); Falco and gVisor for runtime threat detection; and Syft with Grype for Software Bill of Materials (SBOM) analysis to identify vulnerable packages. The scanner aggregates findings into a categorized report, classifying issues by severity (critical, high) and domain (e.g., cluster hardening, supply chain, system hardening).

The demonstration followed a fixed workflow: after setting up the prerequisites (Docker, kubectl, kind), the presenter launched the vulnerable cluster, executed a scan, and identified specific misconfigurations such as containers running in privileged mode. The talk then showed the remediation process (modifying the deployment configuration to remove the privilege) and reran the scan to confirm from the report that the issue was resolved. The tool requires only read-only cluster access to list pods and services.

Practical implications include a repeatable, hands-on process for security validation in Kubernetes environments. The scanner provides a unified report from multiple specialized tools, allowing teams to prioritize fixes for critical misconfigurations and vulnerabilities. The presenter noted future feature additions could expand the check suite. The primary takeaway is a deployable framework for continuous security assessment of Kubernetes clusters by combining established tools into an automated scanning and remediation verification pipeline.
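As an added illustration of the scan, fix and rescan loop described above (example code written for this page, not the K8SSECURITY project's own implementation), the following Python reproduces two of the checks from the feature list, the privileged/root-container check and the RBAC wildcard check, over constructed manifests in the dict shape that `kubectl get -o json` returns. The severity and domain labels, the manifest contents and the function names are assumptions chosen for the example.

```python
# Added example (not the K8SSECURITY project's own code): two checks from the feature
# list over constructed manifests (dict shape of `kubectl get -o json`), then the
# demo's scan -> fix -> rescan loop. Findings are (severity, domain, message) tuples.
def check_containers(pod):
    """Container Security Checker: privileged containers and root execution."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        ref = f'{pod["metadata"]["name"]}/{c["name"]}'
        if sc.get("privileged"):
            findings.append(("critical", "system-hardening", f"{ref}: privileged: true"))
        # container-level settings override pod-level ones, as the kubelet applies them
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("high", "microservice-vulns", f"{ref}: may run as root"))
    return findings

def check_rbac(role):
    """RBAC Checker: wildcard verbs or resources in a Role/ClusterRole rule."""
    ref = f'{role["kind"]}/{role["metadata"]["name"]}'
    return [("critical", "cluster-hardening", f"{ref}: wildcard in {rule}")
            for rule in role.get("rules", [])
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])]

def scan(objects):
    """Dispatch each object to its checker; return all findings, critical first."""
    findings = []
    for obj in objects:
        if obj["kind"] == "Pod":
            findings += check_containers(obj)
        elif obj["kind"] in ("Role", "ClusterRole"):
            findings += check_rbac(obj)
    return sorted(findings, key=lambda f: 0 if f[0] == "critical" else 1)

# Constructed manifests standing in for the demo's intentionally vulnerable cluster.
VULNERABLE_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0", "securityContext": {"privileged": True}}]}}
WILDCARD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# The remediation shown in the demo: drop `privileged`; here also require non-root.
FIXED_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example/app:1.0"}]}}

if __name__ == "__main__":
    for sev, domain, msg in scan([VULNERABLE_POD, WILDCARD_ROLE]) + scan([FIXED_POD]):
        print(f"[{sev.upper()}] {domain}: {msg}")
```

Running it against the vulnerable objects yields three findings (two critical, one high); the rescan of the remediated pod yields none, which is the verification step the demo performed from the report.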

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.