Kubescape

The first open-source tool for testing if Kubernetes is deployed securely as defined in the
Kubernetes Hardening Guidance by NSA and CISA

Run Kubescape in one command

watch the guide

results page in seconds

to learn more visit the kuberscape         GitHub page

Kubescape is running the following tests according to what is defined by Kubernetes Hardening Guidance by NSA and CISA –

  • Non-root containers

  • Immutable container filesystem

  • Privileged containers

  • hostPID, hostIPC privileges

  • hostNetwork access

  • allowedHostPaths field

  • Protecting pod service account tokens

  • Resource policies

  • Control plane hardening

  • Exposed dashboard

  • Allow privilege escalation

  • Applications credentials in configuration files

  • Cluster-admin binding

  • Exec into container

  • Dangerous capabilities

  • Insecure capabilities

  • Linux hardening

Kubescape is open-source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the Kubernetes community to help make the tests themselves more robust and complete as Kubernetes develops.