K8s Security Scanner
Scan Kubernetes YAML manifests for security vulnerabilities like privileged containers and secrets exposure
Enter your Kubernetes YAML manifest to scan for security vulnerabilities and misconfigurations
Scanning Kubernetes Manifests for Security Vulnerabilities
Kubernetes provides powerful abstractions for deploying containerized workloads, but its default configurations are often insecure by design — favoring operational flexibility over security hardening. Containers run as root by default, host namespaces are accessible without restriction, and sensitive data can be stored in plaintext ConfigMaps. The Security Scanner analyzes your YAML manifests to detect security misconfigurations that could allow container escapes, privilege escalation, sensitive data exposure, or lateral movement within your cluster.
Each finding is classified by severity and mapped to relevant security benchmarks (CIS Kubernetes Benchmark, Pod Security Standards). The scanner provides specific remediation guidance showing exactly which fields to add or modify in your manifests to harden security posture. All analysis happens locally in your browser — your sensitive infrastructure definitions never leave your device.
Privileged Containers and Capability Misuse
The most critical Kubernetes security misconfigurations involve excessive container privileges:
-
Privileged mode:
securityContext.privileged: truegives the container full access to host devices and kernel capabilities — equivalent to running as root on the host machine. A container escape in privileged mode compromises the entire node. -
Dangerous capabilities: Linux capabilities like
SYS_ADMIN,NET_ADMIN, andSYS_PTRACEgrant specific kernel-level powers. Many are unnecessary for application workloads and should be dropped explicitly. -
Running as root: Containers without
runAsNonRoot: trueorrunAsUserrun their processes as UID 0. If an attacker gains code execution, they have root privileges within the container and can attempt privilege escalation. -
Writable root filesystem: Without
readOnlyRootFilesystem: true, attackers can write malicious scripts, modify binaries, or install toolkits within the container.
The scanner detects all privilege-related misconfigurations and recommends the minimal security context needed for each container type.
Host Namespace Sharing and Volume Risks
Kubernetes allows pods to share host namespaces and mount host directories, creating attack paths that bypass container isolation:
- hostPID/hostIPC: Sharing the host's process or IPC namespace lets containers see and signal all processes on the node, enabling process injection attacks.
- hostNetwork: Sharing the host network namespace bypasses network policies and exposes all host ports to the container, including kubelet and API server ports.
-
hostPath volumes: Mounting host directories like
/,/etc, or/var/run/docker.sockgives containers direct access to node filesystems and container runtimes. -
Docker socket mount: Mounting
/var/run/docker.sockallows containers to create sibling containers on the host — a common privilege escalation vector.
These configurations are occasionally legitimate (for node monitoring agents or log collectors) but must be explicitly justified and paired with additional security controls.
Secrets Management and Data Exposure
The scanner detects improper handling of sensitive data in Kubernetes manifests:
- Plaintext secrets in ConfigMaps: Storing passwords, API keys, or tokens in ConfigMap data rather than Secret resources — ConfigMaps are not encrypted at rest.
-
Hardcoded credentials in environment variables: Embedding secrets directly
in pod specs rather than referencing Secret resources, making them visible in
kubectl describeoutput and audit logs. - Overly broad Secret mounting: Mounting entire Secrets as volumes when only one key is needed, exposing additional sensitive data to the container unnecessarily.
- Missing encryption at rest: While detected at the cluster level, the scanner flags patterns that indicate secrets may not be properly managed.
Code Examples
Insecure Manifest vs Hardened Version
# INSECURE: Multiple security issues
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-server
spec:
template:
spec:
hostNetwork: true # Bypasses network policies
containers:
- name: api
image: myapp:latest
securityContext:
privileged: true # Full host access
env:
- name: DB_PASSWORD
value: "s3cret123" # Hardcoded secret
volumeMounts:
- name: docker-sock
mountPath: /var/run/docker.sock
volumes:
- name: docker-sock
hostPath:
path: /var/run/docker.sock # Container escape risk
---
# HARDENED: Security best practices applied
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-server
spec:
template:
spec:
containers:
- name: api
image: myapp:2.1.0@sha256:abc123...
securityContext:
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: api-secrets
key: db-password Frequently Asked Questions
What security issues does the K8s Security Scanner detect?
The scanner detects privileged containers, containers running as root (runAsUser: 0), hostPath volume mounts, dangerous Linux capabilities (SYS_ADMIN, NET_ADMIN, ALL), plaintext secrets in manifests, excessive ServiceAccount permissions, missing Ingress TLS configuration, host network/PID namespace usage, and containers without readOnlyRootFilesystem.
How is the security score calculated?
The score starts at 100 and deducts points based on finding severity: Critical issues (privileged containers, run-as-root, cluster-admin bindings) deduct 25 points, High issues (hostPath, dangerous capabilities, plaintext secrets) deduct 15, Medium issues (missing TLS, automounted service account tokens) deduct 8, and Low issues (writable root filesystem) deduct 3. The grade maps to: A (90+), B (75+), C (60+), D (40+), F (below 40).
Why are privileged containers dangerous?
Privileged containers run with all Linux capabilities and have direct access to host devices. A compromised privileged container can escape the container boundary, access host filesystems, modify kernel parameters, and potentially take over the entire node. This effectively negates all container isolation benefits.
Why is running as root flagged as critical?
When a container runs as root (UID 0) and a container escape vulnerability is exploited, the attacker gains root access to the host. Setting runAsNonRoot: true and specifying a non-zero runAsUser ensures that even if the container is compromised, the attacker's privileges on the host are limited.
What are dangerous capabilities and why are they risky?
Linux capabilities are fine-grained permissions that break up root's power. Capabilities like SYS_ADMIN (allows mounting filesystems, modifying kernel parameters), NET_ADMIN (modify network configuration), and ALL (grants every capability) can be exploited for container breakout. Best practice is to drop ALL capabilities and add only the specific ones required.
Why are hostPath volumes a security concern?
hostPath volumes mount directories from the host node's filesystem into the pod. A compromised container with hostPath access can read sensitive host files (/etc/shadow, Docker socket, kubelet credentials), modify host binaries, or escape isolation entirely. Use PersistentVolumeClaims or emptyDir instead.
Why does the scanner flag plaintext secrets in manifests?
Kubernetes Secret resources stored in YAML manifests are only base64-encoded, not encrypted. This means secrets are trivially readable by anyone with access to the manifest file or the git repository. Use external secret managers (HashiCorp Vault, AWS Secrets Manager, sealed-secrets) to inject secrets at runtime instead.
Does it support multi-document YAML files?
Yes. The scanner fully supports multi-document YAML separated by --- delimiters. Each document is analyzed independently for security issues. This is the standard format for Kubernetes manifests that bundle multiple resources (Deployments, Services, Secrets, etc.) in a single file.
Is my Kubernetes manifest sent to any server?
No. All scanning happens entirely in your browser using JavaScript. Your Kubernetes manifests — which may contain sensitive information like secret values, internal service names, namespace topology, and infrastructure details — never leave your device. No data is stored, logged, or transmitted.
What is the difference between K8s Manifest Inspector and K8s Security Scanner?
The K8s Manifest Inspector focuses on operational best practices: resource limits, probes, image tags, and imagePullPolicy. The K8s Security Scanner focuses on security vulnerabilities: privilege escalation, container breakout risks, secrets exposure, RBAC misconfigurations, and network security. Together they provide comprehensive manifest analysis.