OWASP KubeLight
KubeLight - Kubernetes Security Scanner
It scans a Kubernetes cluster for misconfigurations, runtime issues, and compliance (NSA/CISA, CIS, PCI, SOC2) violations. It also checks node posture and hardening. It ships with default scan rules, and custom rules can be written. Reports can be sent to Slack and Elasticsearch.
It is built around a NoSQL-style query engine, which keeps it very lightweight, and the core engine is written in pure Python.
Kubernetes Security and Compliance Rules
K001: ServiceAccount token mounting
A Pod that has a ServiceAccount token mounted can, if compromised, lead to privilege escalation. automountServiceAccountToken needs to be set explicitly to false.
- Severity: Medium
- Rule:
Pod=~(Spec.automountServiceAccountToken.exists()) | (Spec.automountServiceAccountToken == True)
- Remediation: Set automountServiceAccountToken to false for ServiceAccount and Workloads.
- Tags:
CIS-5.1.6
checker
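The K001 rule above, re-implemented as an added Python example over constructed pod manifests (this is not KubeLight's own code or query engine). It goes one step beyond the rule as written: besides flagging pods whose field is absent or true, it computes whether a token would actually be mounted once the ServiceAccount's own setting is applied (the pod field overrides the ServiceAccount field; the Kubernetes default is true).

```python
"""Evaluate rule K001 (ServiceAccount token mounting) over pod specs.

Emulates  Pod=~(Spec.automountServiceAccountToken.exists()) |
              (Spec.automountServiceAccountToken == True)
on plain dicts shaped like Kubernetes Pod manifests.
"""
from typing import Iterable, Optional


def _pod_setting(pod: dict) -> Optional[bool]:
    """Return spec.automountServiceAccountToken, or None if the field is absent."""
    return pod.get("spec", {}).get("automountServiceAccountToken")


def k001_violates(pod: dict) -> bool:
    """Rule exactly as written on the page: field missing OR explicitly True."""
    value = _pod_setting(pod)
    return value is None or value is True


def effective_automount(pod: dict, service_accounts: dict) -> bool:
    """Whether a token is really mounted: pod field wins, else the
    ServiceAccount's field, else the Kubernetes default of True."""
    value = _pod_setting(pod)
    if value is not None:
        return value
    sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
    sa = service_accounts.get(sa_name, {})
    return sa.get("automountServiceAccountToken", True)


def scan(pods: Iterable[dict], service_accounts: dict) -> list:
    """Return (pod name, violates K001, token actually mounted) per pod."""
    return [
        (p["metadata"]["name"], k001_violates(p), effective_automount(p, service_accounts))
        for p in pods
    ]


# Constructed sample manifests (hypothetical, not from a real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "web"}, "spec": {"automountServiceAccountToken": False}},
    {"metadata": {"name": "api"}, "spec": {"automountServiceAccountToken": True}},
    {"metadata": {"name": "worker"}, "spec": {"serviceAccountName": "worker-sa"}},
    {"metadata": {"name": "legacy"}, "spec": {}},
]
SAMPLE_SERVICE_ACCOUNTS = {"worker-sa": {"automountServiceAccountToken": False}, "default": {}}

if __name__ == "__main__":
    for name, violates, mounted in scan(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"{name:8} K001 violation={violates!s:5} token mounted={mounted}")
```

The "worker" pod shows why the remediation asks for both ServiceAccount and workload settings: it trips the rule because the field is absent, even though its ServiceAccount already disables mounting.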