K8s Security Scanner

Scan Kubernetes YAML manifests for security vulnerabilities like privileged containers and secrets exposure

Enter your Kubernetes YAML manifest to scan for security vulnerabilities and misconfigurations

Scanning Kubernetes Manifests for Security Vulnerabilities

Kubernetes provides powerful abstractions for deploying containerized workloads, but its default configurations are often insecure by design — favoring operational flexibility over security hardening. Containers run as root by default, host namespaces are accessible without restriction, and sensitive data can be stored in plaintext ConfigMaps. The Security Scanner analyzes your YAML manifests to detect security misconfigurations that could allow container escapes, privilege escalation, sensitive data exposure, or lateral movement within your cluster.

Each finding is classified by severity and mapped to relevant security benchmarks (CIS Kubernetes Benchmark, Pod Security Standards). The scanner provides specific remediation guidance showing exactly which fields to add or modify in your manifests to harden security posture. All analysis happens locally in your browser — your sensitive infrastructure definitions never leave your device.

Privileged Containers and Capability Misuse

The most critical Kubernetes security misconfigurations involve excessive container privileges:

  • Privileged mode: securityContext.privileged: true gives the container full access to host devices and kernel capabilities — equivalent to running as root on the host machine. A container escape in privileged mode compromises the entire node.
  • Dangerous capabilities: Linux capabilities like SYS_ADMIN, NET_ADMIN, and SYS_PTRACE grant specific kernel-level powers. Many are unnecessary for application workloads and should be dropped explicitly.
  • Running as root: Containers without runAsNonRoot: true or runAsUser run their processes as UID 0. If an attacker gains code execution, they have root privileges within the container and can attempt privilege escalation.
  • Writable root filesystem: Without readOnlyRootFilesystem: true, attackers can write malicious scripts, modify binaries, or install toolkits within the container.

The scanner detects all privilege-related misconfigurations and recommends the minimal security context needed for each container type.

Host Namespace Sharing and Volume Risks

Kubernetes allows pods to share host namespaces and mount host directories, creating attack paths that bypass container isolation:

  • hostPID/hostIPC: Sharing the host's process or IPC namespace lets containers see and signal all processes on the node, enabling process injection attacks.
  • hostNetwork: Sharing the host network namespace bypasses network policies and exposes all host ports to the container, including kubelet and API server ports.
  • hostPath volumes: Mounting host directories like /, /etc, or /var/run/docker.sock gives containers direct access to node filesystems and container runtimes.
  • Docker socket mount: Mounting /var/run/docker.sock allows containers to create sibling containers on the host — a common privilege escalation vector.

These configurations are occasionally legitimate (for node monitoring agents or log collectors) but must be explicitly justified and paired with additional security controls.

Secrets Management and Data Exposure

The scanner detects improper handling of sensitive data in Kubernetes manifests:

  • Plaintext secrets in ConfigMaps: Storing passwords, API keys, or tokens in ConfigMap data rather than Secret resources — ConfigMaps are not encrypted at rest.
  • Hardcoded credentials in environment variables: Embedding secrets directly in pod specs rather than referencing Secret resources, making them visible in kubectl describe output and audit logs.
  • Overly broad Secret mounting: Mounting entire Secrets as volumes when only one key is needed, exposing additional sensitive data to the container unnecessarily.
  • Missing encryption at rest: While detected at the cluster level, the scanner flags patterns that indicate secrets may not be properly managed.

Code Examples

Insecure Manifest vs Hardened Version

# INSECURE: Multiple security issues
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  template:
    spec:
      hostNetwork: true              # Bypasses network policies
      containers:
        - name: api
          image: myapp:latest
          securityContext:
            privileged: true         # Full host access
          env:
            - name: DB_PASSWORD
              value: "s3cret123"     # Hardcoded secret
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
      volumes:
        - name: docker-sock
          hostPath:
            path: /var/run/docker.sock  # Container escape risk
---
# HARDENED: Security best practices applied
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-server
spec:
  template:
    spec:
      containers:
        - name: api
          image: myapp:2.1.0@sha256:abc123...
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: api-secrets
                  key: db-password

Frequently Asked Questions

What security issues does the K8s Security Scanner detect?

The scanner detects privileged containers, containers running as root (runAsUser: 0), hostPath volume mounts, dangerous Linux capabilities (SYS_ADMIN, NET_ADMIN, ALL), plaintext secrets in manifests, excessive ServiceAccount permissions, missing Ingress TLS configuration, host network/PID namespace usage, and containers without readOnlyRootFilesystem.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues (privileged containers, run-as-root, cluster-admin bindings) deduct 25 points, High issues (hostPath, dangerous capabilities, plaintext secrets) deduct 15, Medium issues (missing TLS, automounted service account tokens) deduct 8, and Low issues (writable root filesystem) deduct 3. The grade maps to: A (90+), B (75+), C (60+), D (40+), F (below 40).

Why are privileged containers dangerous?

Privileged containers run with all Linux capabilities and have direct access to host devices. A compromised privileged container can escape the container boundary, access host filesystems, modify kernel parameters, and potentially take over the entire node. This effectively negates all container isolation benefits.

Why is running as root flagged as critical?

When a container runs as root (UID 0) and a container escape vulnerability is exploited, the attacker gains root access to the host. Setting runAsNonRoot: true and specifying a non-zero runAsUser ensures that even if the container is compromised, the attacker's privileges on the host are limited.

What are dangerous capabilities and why are they risky?

Linux capabilities are fine-grained permissions that break up root's power. Capabilities like SYS_ADMIN (allows mounting filesystems, modifying kernel parameters), NET_ADMIN (modify network configuration), and ALL (grants every capability) can be exploited for container breakout. Best practice is to drop ALL capabilities and add only the specific ones required.

Why are hostPath volumes a security concern?

hostPath volumes mount directories from the host node's filesystem into the pod. A compromised container with hostPath access can read sensitive host files (/etc/shadow, Docker socket, kubelet credentials), modify host binaries, or escape isolation entirely. Use PersistentVolumeClaims or emptyDir instead.

Why does the scanner flag plaintext secrets in manifests?

Kubernetes Secret resources stored in YAML manifests are only base64-encoded, not encrypted. This means secrets are trivially readable by anyone with access to the manifest file or the git repository. Use external secret managers (HashiCorp Vault, AWS Secrets Manager, sealed-secrets) to inject secrets at runtime instead.

Does it support multi-document YAML files?

Yes. The scanner fully supports multi-document YAML separated by --- delimiters. Each document is analyzed independently for security issues. This is the standard format for Kubernetes manifests that bundle multiple resources (Deployments, Services, Secrets, etc.) in a single file.

Is my Kubernetes manifest sent to any server?

No. All scanning happens entirely in your browser using JavaScript. Your Kubernetes manifests — which may contain sensitive information like secret values, internal service names, namespace topology, and infrastructure details — never leave your device. No data is stored, logged, or transmitted.

What is the difference between K8s Manifest Inspector and K8s Security Scanner?

The K8s Manifest Inspector focuses on operational best practices: resource limits, probes, image tags, and imagePullPolicy. The K8s Security Scanner focuses on security vulnerabilities: privilege escalation, container breakout risks, secrets exposure, RBAC misconfigurations, and network security. Together they provide comprehensive manifest analysis.