How to Secure Kubernetes YAML Files with Kubesec: Step‑by‑Step Guide
This article explains how to set up a Kubernetes 1.22.2 cluster on Ubuntu 18.04, introduces the open‑source Kubesec tool, and provides detailed commands and recommendations for scanning and hardening YAML manifests to improve pod security.
1. System Environment
The tutorial assumes a Kubernetes 1.22.2 cluster running on Ubuntu 18.04 LTS with Docker 20.10.14 on x86_64 hardware. The cluster consists of one master node (k8scludes1) and two worker nodes (k8scludes2, k8scludes3), each running the standard Kubernetes components and Calico networking.
2. Introduction
In modern cloud‑native environments, Kubernetes is the de‑facto platform for container orchestration, and YAML manifests are the primary way to describe cluster resources. Ensuring the security of these YAML files is essential for protecting the cluster. This guide shows how to use the Kubesec tool to assess and improve the security posture of Kubernetes manifests.
3. What is Kubesec
Kubesec is an open‑source security assessment tool for Kubernetes configurations, developed by controlplane.io. It analyses YAML files against a set of best‑practice rules, identifies risky settings, and offers remediation advice. The tool can be obtained from its official website or GitHub repository.
4. Using Kubesec to Scan YAML
First, generate a basic pod manifest with a dry‑run command:
root@k8scludes1:~# kubectl run podyamlsafe --image=hub.c.163.com/library/centos:latest --image-pull-policy=IfNotPresent --dry-run=client -o yaml > podyamlsafe.yaml
Download and extract the Kubesec binary:
root@k8scludes1:~# ll -h kubesec_linux_amd64.tar.gz
-rw-r--r-- 1 root root 3.9M Jun 18 22:27 kubesec_linux_amd64.tar.gz
root@k8scludes1:~# tar xf kubesec_linux_amd64.tar.gz
root@k8scludes1:~# ll -h kubesec*
-rwxr-xr-x 1 1001 docker 11M Sep 22 2021 kubesec*
Move the executable to a directory in the PATH:
root@k8scludes1:~# mv kubesec /usr/local/bin/
Run Kubesec against the manifest:
root@k8scludes1:~# kubesec scan podyamlsafe.yaml
[
  {
    "object": "Pod/podyamlsafe.default",
    "valid": true,
    "fileName": "podyamlsafe.yaml",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        { "id": "ApparmorAny", "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"", "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY", "points": 3 },
        { "id": "ServiceAccountName", "selector": ".spec .serviceAccountName", "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege", "points": 3 },
        { "id": "SeccompAny", "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"", "reason": "Seccomp profiles set minimum privilege and secure against unknown threats", "points": 1 },
        { "id": "LimitsCPU", "selector": "containers[] .resources .limits .cpu", "reason": "Enforcing CPU limits prevents DOS via resource exhaustion", "points": 1 },
        { "id": "LimitsMemory", "selector": "containers[] .resources .limits .memory", "reason": "Enforcing memory limits prevents DOS via resource exhaustion", "points": 1 },
        { "id": "RequestsCPU", "selector": "containers[] .resources .requests .cpu", "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster", "points": 1 },
        { "id": "RequestsMemory", "selector": "containers[] .resources .requests .memory", "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster", "points": 1 },
        { "id": "CapDropAny", "selector": "containers[] .securityContext .capabilities .drop", "reason": "Reducing kernel capabilities available to a container limits its attack surface", "points": 1 },
        { "id": "CapDropAll", "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")", "reason": "Drop all capabilities and add only those required to reduce syscall attack surface", "points": 1 },
        { "id": "ReadOnlyRootFilesystem", "selector": "containers[] .securityContext .readOnlyRootFilesystem == true", "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost", "points": 1 },
        { "id": "RunAsNonRoot", "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege", "points": 1 },
        { "id": "RunAsUser", "selector": "containers[] .securityContext .runAsUser -gt 10000", "reason": "Run as a high-UID user to avoid conflicts with the host's user table", "points": 1 }
      ]
    }
  }
]
The manifest passes with a score of 0 points, meaning none of the advised hardening settings are present. Each entry in the "advise" list names the rule, the YAML path it inspects and the points it would add: enabling an AppArmor profile, configuring a ServiceAccount, applying a Seccomp profile, setting CPU/memory limits and requests, dropping unnecessary Linux capabilities, using a read-only root filesystem, and running containers as a non-root, high-UID user.
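A hardened version of podyamlsafe.yaml that addresses every advised rule in the scan above, written here as an added example (it is not from the original article or the Kubesec project). The service account name podyamlsafe-sa and the resource values are assumptions chosen for illustration; the AppArmor annotation key must carry the container's own name, which is why it differs from the "/nginx" selector Kubesec prints.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: podyamlsafe
  namespace: default
  labels:
    run: podyamlsafe
  annotations:
    # ApparmorAny (3 pts): the key suffix is the container name, "podyamlsafe" here
    container.apparmor.security.beta.kubernetes.io/podyamlsafe: runtime/default
    # SeccompAny (1 pt): annotation form matched by Kubesec's selector; deprecated in
    # Kubernetes 1.22 in favour of securityContext.seccompProfile, set below as well
    container.seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  # ServiceAccountName (3 pts): assumes a least-privilege SA "podyamlsafe-sa" exists
  serviceAccountName: podyamlsafe-sa
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: podyamlsafe
    image: hub.c.163.com/library/centos:latest
    imagePullPolicy: IfNotPresent
    resources:            # LimitsCPU, LimitsMemory, RequestsCPU, RequestsMemory (1 pt each)
      requests:
        cpu: 100m         # assumed values; size them for the real workload
        memory: 64Mi
      limits:
        cpu: 500m
        memory: 128Mi
    securityContext:
      runAsNonRoot: true            # RunAsNonRoot (1 pt)
      runAsUser: 10001              # RunAsUser (1 pt): selector requires a UID above 10000
      readOnlyRootFilesystem: true  # ReadOnlyRootFilesystem (1 pt); mount an emptyDir if the app writes
      allowPrivilegeEscalation: false   # not scored above, but belongs with a capability drop
      capabilities:
        drop:                       # CapDropAny + CapDropAll (1 pt each)
        - ALL
  restartPolicy: Always
```

Re-run kubesec scan podyamlsafe.yaml after editing; each satisfied rule moves from the "advise" list into "passed" and its points are added to the score.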
5. Conclusion
Using Kubesec to scan Kubernetes YAML manifests provides a straightforward way to discover and remediate configuration weaknesses, helping to harden the cluster against potential attacks.