Security Analysis

KubeGraf scans your Kubernetes cluster for security vulnerabilities, misconfigurations, and best practice violations. Get actionable recommendations to harden your cluster.

Running a Security Scan

# Run full security analysis
kubegraf security

# Scan specific namespace
kubegraf security -n production

# Filter by minimum severity
kubegraf security --severity high

# Output as JSON for CI/CD
kubegraf security --output json

# Output as YAML
kubegraf security --output yaml

# Exit with error code if issues found (for CI)
kubegraf security --fail-on high

Severity Levels

Level    | Description                                                | Action
---------|------------------------------------------------------------|-----------------
Critical | Immediate security risk, potential for cluster compromise  | Fix immediately
High     | Significant security issue that should be addressed soon   | Fix within days
Medium   | Moderate risk, best practice violation                     | Plan remediation
Low      | Minor issue or hardening recommendation                    | Consider fixing

Security Checks

KubeGraf performs over 50 security checks across multiple categories:

Pod Security

Critical Privileged Containers

Detects containers running in privileged mode, which grants full host access.

Critical Host PID/Network/IPC

Identifies pods sharing the host's PID, network, or IPC namespace.

High Run as Root

Finds containers running as root user (UID 0).

High Writable Root Filesystem

Containers without readOnlyRootFilesystem set to true.

Medium Missing Security Context

Pods without explicit security context defined.

Medium Capability Additions

Containers with added Linux capabilities beyond defaults.

RBAC & Access Control

Critical Cluster Admin Bindings

Identifies excessive cluster-admin role bindings.

High Wildcard Permissions

Roles with wildcard (*) permissions on resources or verbs.

High Secrets Access

ServiceAccounts with broad access to secrets.

Medium Default ServiceAccount

Pods using the default service account with auto-mounted token.

Network Security

High Missing Network Policies

Namespaces without any NetworkPolicy defined.

Medium Exposed Services

Services of type LoadBalancer or NodePort exposing sensitive ports.

Medium Ingress Without TLS

Ingress resources not configured with TLS.

Resource Configuration

High Secrets in Environment Variables

Secrets exposed as plain environment variables instead of mounted files.

Medium Missing Resource Limits

Containers without CPU/memory limits defined.

Medium Latest Image Tag

Containers using :latest or no tag, making versions unpredictable.

Low Missing Liveness/Readiness Probes

Containers without health probes configured.

Web Dashboard View

The security dashboard provides:

CI/CD Integration

Integrate security scanning into your pipeline:

# GitHub Actions example
- name: Security Scan
  run: |
    kubegraf security --output json > security-report.json
    kubegraf security --fail-on critical

# GitLab CI example
security_scan:
  script:
    - kubegraf security --severity medium --fail-on high
  artifacts:
    reports:
      junit: security-report.xml

Exit Codes

Code | Meaning
-----|----------------------------------------
0    | No issues found (or below threshold)
1    | Issues found meeting --fail-on criteria
2    | Error running scan

Suppressing Findings

Suppress known issues or false positives:

# Suppress via annotation on resource
metadata:
  annotations:
    kubegraf.io/ignore: "privileged-container,run-as-root"

# Suppress globally in config
security:
  ignore:
    - check: privileged-container
      resource: kube-system/*
      reason: "System components require privileges"
    - check: latest-tag
      resource: default/dev-*
      reason: "Development environment"

Warning: Only suppress findings after careful review. Document the reason for each suppression.
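To make the Pod Security checks, the kubegraf.io/ignore annotation and the exit-code rule concrete, here is an added illustrative re-implementation of a few of them in Python. It is not KubeGraf's code: only the check ids privileged-container and run-as-root come from the page, the other ids and the manifest are constructed.

```python
# Illustrative re-implementation of a few Pod Security checks above, the
# kubegraf.io/ignore annotation and the --fail-on exit code; not KubeGraf's code.
# Check ids other than privileged-container and run-as-root are assumed names.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CHECK_SEVERITY = {"privileged-container": "critical", "host-namespace": "critical",
                  "run-as-root": "high", "writable-root-fs": "high",
                  "added-capabilities": "medium"}

def pod_findings(pod):
    """Return (check_id, severity, detail) tuples for one Pod manifest (a dict)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field) is True:
            found.append(("host-namespace", f"{field}: true"))
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            found.append(("privileged-container", name))
        # A container-level runAsUser overrides the pod-level one.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(("run-as-root", name))
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(("writable-root-fs", name))
        if sc.get("capabilities", {}).get("add"):
            found.append(("added-capabilities", f"{name}: {sc['capabilities']['add']}"))
    # The annotation holds a comma-separated list of check ids to suppress.
    raw = pod.get("metadata", {}).get("annotations", {}).get("kubegraf.io/ignore", "")
    ignored = {s.strip() for s in raw.split(",") if s.strip()}
    return [(cid, CHECK_SEVERITY[cid], d) for cid, d in found if cid not in ignored]

def exit_code(findings, fail_on):
    """Page's exit-code table: 1 if any finding is at or above --fail-on, else 0."""
    return 1 if any(SEVERITY_RANK[s] >= SEVERITY_RANK[fail_on] for _, s, _ in findings) else 0

# Constructed sample: hostPID plus a privileged root container with an added
# capability; the privileged finding is suppressed via the annotation.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug", "annotations": {"kubegraf.io/ignore": "privileged-container"}},
    "spec": {"hostPID": True, "securityContext": {"runAsUser": 0},
             "containers": [{"name": "shell", "image": "busybox:latest",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]},
}
```

Note that the suppressed privileged finding disappears from the report entirely, while the hostPID finding still drives the exit code, which is why the page asks for a documented reason per suppression.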

Custom Policies

Define custom security policies using Rego (Open Policy Agent):

# ~/.config/kubegraf/policies/custom.rego
package kubegraf.custom

# Written in the pre-1.0 Rego syntax this page uses; OPA 1.0 expects
# `deny contains msg if { ... }` (or `import rego.v1`) for the same rules.

# Deny Deployments whose pod template has a container with no memory limit.
# The container index is bound with `some i`: a wildcard `_` inside `not`
# is an unsafe variable and OPA rejects the rule.
deny[msg] {
  input.kind == "Deployment"
  some i
  container := input.spec.template.spec.containers[i]
  not container.resources.limits.memory
  msg := sprintf("Deployment %s: container %s missing memory limit", [input.metadata.name, container.name])
}

# Deny Pods with images not pulled from myregistry.io. The registry is matched
# as a prefix with startswith: a substring match would also accept an image from
# another registry whose repository path merely contains "myregistry.io".
deny[msg] {
  input.kind == "Pod"
  some i
  image := input.spec.containers[i].image
  not startswith(image, "myregistry.io/")
  msg := sprintf("Image %s must be from myregistry.io", [image])
}

# Run with custom policies
kubegraf security --policy-dir ~/.config/kubegraf/policies

Configuration

# config.yaml
security:
  # Default severity threshold for display
  minSeverity: "low"
  # Checks to skip
  skipChecks:
    - "missing-probes"
  # Custom policy directory
  policyDir: "~/.config/kubegraf/policies"
  # Ignore rules
  ignore: []