Kubernetes Security Checklist 2021

This page summarizes the projects mentioned and recommended in the original post on dev.to.

  1. rbac-tool

    Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

    Role-Based Access Control (RBAC) should be configured for the Kubernetes cluster. Rights need to be assigned within the project namespace based on least privilege and separation of duties (rbac-tool)

  3. KubiScan

    A tool to scan a Kubernetes cluster for risky permissions

    RBAC Rights should be audited regularly (KubiScan, Krane)

  4. krane

    Kubernetes RBAC static analysis & visualisation tool (by appvia)

    RBAC Rights should be audited regularly (KubiScan, Krane)

  5. Kyverno

    Cloud Native Policy Management

    Use a policy engine (OPA, Kyverno)

  6. sealed-secrets

    A Kubernetes controller and tool for one-way encrypted Secrets

    Secrets should be added to the container using the volumeMount mechanism or the secretKeyRef mechanism. To keep secrets out of source code, for example, the sealed-secrets tool can be used.

  7. falco

    Cloud Native Runtime Security

    Use a third-party security monitoring tool on all cluster nodes (Falco, Sysdig, Aqua Enterprise, NeuVector, Prisma Cloud Compute)

  8. documentation

    Discontinued Kata Containers version 1.x documentation (for version 2.x see https://github.com/kata-containers/kata-containers). (by kata-containers)

    For services with increased security requirements, it is recommended to use a low-level runtime with a high degree of isolation (gVisor, Kata runtime)

  10. lynis

    Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

    It is recommended to regularly scan packages and configuration for vulnerabilities (OpenSCAP profiles, Lynis)

  11. kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

    Cluster configuration should be audited regularly (kube-bench, kube-hunter, Kubestriker)

  12. kube-hunter

    Hunt for security weaknesses in Kubernetes clusters

    Cluster configuration should be audited regularly (kube-bench, kube-hunter, Kubestriker)

  13. scope

    Monitoring, visualisation & management for Docker & Kubernetes

    Build observability and visibility processes in order to understand what is happening in the infrastructure and services (Luntry, Weave Scope)

  14. cvehound

    Check Linux source dumps for known CVEs.

    It is recommended to regularly update the OS kernel version (cvehound)

  15. inspektor-gadget

    Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF

    All namespaces should have a NetworkPolicy. Interactions between namespaces should be limited by NetworkPolicy following the least-privilege principle (Inspektor Gadget)

  16. udica

    This repository contains a tool for generating SELinux security profiles for containers

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  17. oci-seccomp-bpf-hook

    OCI hook to trace syscalls and generate a seccomp profile

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  18. go2seccomp

    Generate seccomp profiles from go binaries

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  19. security-profiles-operator

    The Kubernetes Security Profiles Operator

    The application should have a seccomp, AppArmor or SELinux profile according to the principle of least privilege (udica, oci-seccomp-bpf-hook, go2seccomp, Security Profiles Operator)

  20. kubeaudit

    Discontinued. kubeaudit helps you audit your Kubernetes clusters against common security controls

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  21. kubescape

    Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  22. conftest

    Write tests against structured configuration data using the Open Policy Agent Rego query language

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  23. kubesec

    Security risk analysis for Kubernetes resources

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  24. checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

    Workload configuration should be audited regularly (Kics, Kubeaudit, Kubescape, Conftest, Kubesec, Checkov)

  25. syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

    The versions of installed packages should be pinned explicitly. SBOM building tools (Syft) can be used to determine the list of packages.

  26. hadolint

    Dockerfile linter, validate inline bash, written in Haskell

    Dockerfiles should be checked during development by automated scanners (Kics, hadolint, conftest)

  27. trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  28. clair

    Vulnerability Static Analysis for Containers

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  29. grype

    A vulnerability scanner for container images and filesystems

    All images should be checked in the application lifecycle by automated scanners (Trivy, Clair, Grype)

  30. slsa

    Supply-chain Levels for Software Artifacts

    Secure the CI and CD pipelines in the same way as the rest of the supply chain process (SLSA)
