brew install kubeaudit
go get -v github.com/Shopify/kubeaudit
1. Manifest mode 2. Local mode 3. Cluster mode
kubeaudit all -f "/path/to/manifest.yml"
$ kubeaudit all -f "internal/test/fixtures/all_resources/deployment-apps-v1.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
namespace: deployment-apps-v1
--------------------------------------------
-- [error] AppArmorAnnotationMissing
Message: AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/container' should be added.
Metadata:
Container: container
MissingAnnotation: container.apparmor.security.beta.kubernetes.io/container
-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.
-- [error] CapabilityShouldDropAll
Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
Metadata:
Container: container
Capability: AUDIT_WRITE
...
All checks completed. 0 high-risk vulnerabilities found
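To make the three findings in the output above concrete, here is a small Python re-implementation of those checks, written for this page and not taken from kubeaudit's source. It audits a Deployment held as a plain dict (what yaml.safe_load would return), and a second function applies the same fixes that the findings ask for, in the spirit of `kubeaudit autofix`. The sample Deployment is constructed here; the choice of `runtime/default` as the AppArmor profile and the simplification that a container is flagged once rather than per capability are assumptions of this example.

```python
import copy

# Prefix of the per-container AppArmor annotation named in the finding above.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Constructed sample: a Deployment with no hardening at all.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "deployment", "namespace": "deployment-apps-v1"},
    "spec": {
        "template": {
            "metadata": {},
            "spec": {
                "containers": [
                    {"name": "container", "image": "example/app:1.0"},
                ]
            },
        }
    },
}


def audit_deployment(manifest):
    """Return a list of (check_name, container_name, message) findings."""
    findings = []
    template = manifest["spec"]["template"]
    annotations = template.get("metadata", {}).get("annotations") or {}
    pod_spec = template["spec"]

    # AutomountServiceAccountTokenTrueAndDefaultSA: the default service
    # account's token is mounted into every container unless disabled.
    sa_name = pod_spec.get("serviceAccountName") or "default"
    automount = pod_spec.get("automountServiceAccountToken", True)
    if sa_name == "default" and automount:
        findings.append(("AutomountServiceAccountTokenTrueAndDefaultSA", None,
                         "Default service account with token mounted."))

    for container in pod_spec.get("containers", []):
        name = container["name"]

        # AppArmorAnnotationMissing: each container needs its own annotation.
        if APPARMOR_PREFIX + name not in annotations:
            findings.append(("AppArmorAnnotationMissing", name,
                             f"annotation '{APPARMOR_PREFIX}{name}' should be added"))

        # CapabilityShouldDropAll: the drop list must contain ALL
        # (simplified: one finding per container, not one per capability).
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        dropped = {c.upper() for c in caps.get("drop") or []}
        if "ALL" not in dropped:
            findings.append(("CapabilityShouldDropAll", name,
                             "drop ALL capabilities and add back only what is needed"))
    return findings


def harden_deployment(manifest):
    """Return a deep copy with the three findings above fixed.

    Assumption: runtime/default is used as the AppArmor profile.
    """
    fixed = copy.deepcopy(manifest)
    template = fixed["spec"]["template"]
    annotations = template.setdefault("metadata", {}).setdefault("annotations", {})
    pod_spec = template["spec"]
    pod_spec["automountServiceAccountToken"] = False
    for container in pod_spec["containers"]:
        annotations[APPARMOR_PREFIX + container["name"]] = "runtime/default"
        sc = container.setdefault("securityContext", {})
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


if __name__ == "__main__":
    for check, ctr, msg in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"[error] {check} container={ctr}: {msg}")
    print("after hardening:", audit_deployment(harden_deployment(SAMPLE_DEPLOYMENT)))
```

Running it lists the same three check names as the kubeaudit output above for the constructed Deployment, and an empty list for the hardened copy; the original dict is left untouched so the before/after can be diffed.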
kubeaudit autofix -f "/path/to/manifest.yml"
kubeaudit all
kubeaudit all --kubeconfig "/path/to/config" --context my_cluster