gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

k8s tools

Browse Source
This commit is contained in:
carlospolop
2025-11-17 13:12:03 +01:00
parent 6726a5eee4
commit 77427a069a
1 changed files with 57 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
View File

@@ -4,7 +4,7 @@
## Tools to analyse a cluster
### [**Steampipe - Kubernetes Compliance](https://github.com/turbot/steampipe-mod-kubernetes-compliance)
### [Steampipe - Kubernetes Compliance](https://github.com/turbot/steampipe-mod-kubernetes-compliance)
It's will **several compliance checks over the Kubernetes cluster**. It includes support for CIS, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity technical report for Kubernetes hardening.
@@ -124,6 +124,62 @@ To install:
| Homebrew (macOS and Linux) | `brew install kube-score` |
| [Krew](https://krew.sigs.k8s.io/) (macOS and Linux) | `kubectl krew install score` |
## Tools to analyze YAML files & Helm Charts
### [**Kube-linter**](https://github.com/stackrox/kube-linter)
```bash
# Install Kube-linter
brew install kube-linter
# Run Kube-linter
## lint ./path/to/yaml/or/chart
```
### [Checkov](https://github.com/bridgecrewio/checkov)
```bash
# Install Checkov
pip install checkov
# Run Checkov
checkov -d ./path/to/yaml/or/chart
```
### [kubescore](https://github.com/zegl/kube-score)
```bash
# Install kube-score
brew install kube-score
# Run kube-score
kube-score score ./path/to/yaml
# or
helm template chart /path/to/chart | kube-score score -
# or if the chart needs some values
helm template chart /path/to/chart \
--set 'config.urls[0]=https://dummy.backend.internal' \
| kube-score score -
```
### [Kubesec](https://github.com/controlplaneio/kubesec)
```bash
# Install Kubesec
## Download from https://github.com/controlplaneio/kubesec/releases
# Run Kubesec in a yaml
kubesec scan ./path/to/yaml
# or
helm template chart /path/to/chart | kubesec scan -
# or if the chart needs some values
helm template chart /path/to/chart \
--set 'config.urls[0]=https://dummy.backend.internal' \
| kubesec scan -
```
## Tips
### Kubernetes PodSecurityContext and SecurityContext