OWASP KubeLight


KubeLight - Kubernetes Security Scanner

It scans a Kubernetes cluster for misconfigurations, runtime issues, and compliance violations (NSA/CISA, CIS, PCI, SOC2). It also checks node posture and hardening. It ships with default scan rules and supports custom rules, and it can deliver reports to Slack and Elasticsearch.

It is built around a NoSQL-style query engine, which keeps it very lightweight; the core engine is written in pure Python.


Kubernetes Security and Compliance Rules

K001: ServiceAccount token mounting

A Pod that has its ServiceAccount token mounted can lead to privilege escalation if the Pod is compromised, because the token is usable against the API server. automountServiceAccountToken needs to be set explicitly to false.

  • Severity: Medium
  • Rule: Pod=~(Spec.automountServiceAccountToken.exists()) | (Spec.automountServiceAccountToken == True)
  • Remediation: Set automountServiceAccountToken to false for ServiceAccount and Workloads.
  • Tags: CIS-5.1.6     checker
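The K001 condition above, re-implemented as a stand-alone check over a parsed Pod manifest. This is an added example, not KubeLight's own engine or rule syntax; it assumes the manifest is a plain dict as returned by json.load() or yaml.safe_load(), and the sample Pods are constructed for illustration.

```python
"""Added example: stand-alone evaluation of the K001 rule on a Pod manifest."""
import copy
import json
from typing import Optional

RULE_ID = "K001"
SEVERITY = "Medium"
TAGS = ["CIS-5.1.6"]


def check_k001(pod: dict) -> Optional[dict]:
    """Return a finding if the Pod mounts the ServiceAccount token.

    Mirrors ~(Spec.automountServiceAccountToken.exists())
            | (Spec.automountServiceAccountToken == True):
    a missing field (Kubernetes then defaults to mounting the token) and an
    explicit True are both violations; only an explicit False passes.
    """
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if "automountServiceAccountToken" not in spec:
        reason = "spec.automountServiceAccountToken is not set (defaults to true)"
    elif spec["automountServiceAccountToken"] is True:
        reason = "spec.automountServiceAccountToken is true"
    else:
        return None
    return {"rule": RULE_ID, "severity": SEVERITY, "tags": TAGS,
            "resource": f"Pod/{name}", "reason": reason,
            "remediation": "set spec.automountServiceAccountToken: false"}


def remediate_k001(pod: dict) -> dict:
    """Return a copy of the manifest with the token mount disabled (input untouched)."""
    fixed = copy.deepcopy(pod)
    fixed.setdefault("spec", {})["automountServiceAccountToken"] = False
    return fixed


# Constructed sample manifests (not taken from any real cluster).
POD_DEFAULT = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "web-default"},
               "spec": {"containers": [{"name": "web", "image": "nginx"}]}}
POD_TRUE = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web-true"},
            "spec": {"automountServiceAccountToken": True,
                     "containers": [{"name": "web", "image": "nginx"}]}}
POD_FALSE = remediate_k001(POD_DEFAULT)

if __name__ == "__main__":
    for pod in (POD_DEFAULT, POD_TRUE, POD_FALSE):
        print(json.dumps(check_k001(pod)))
```

Note that, like the rule itself, the check looks only at the Pod spec: a Pod that omits the field is flagged even when its ServiceAccount sets automountServiceAccountToken to false, which is why the remediation sets it on both.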

K002:


Awesome Articles on Kubernetes Security


Frequently Asked Questions

What is KubeLight?