Kubernetes KSPM

Infrastructurev2.0.0

Agentless Kubernetes Security Posture Management with 150+ checks, 19 check groups, OPA/Rego + Kyverno integration, and supply chain security

150+
checks
19
groups
6
frameworks
5
loc

01Overview

Kubernetes Security Posture Management (KSPM) Scanner is an agentless, single-file Python tool that connects to a live cluster through your existing kubeconfig or in-cluster service account and runs a comprehensive security posture assessment against the Kubernetes API. There are no agents, sidecars, or DaemonSets to deploy — it reads the cluster read-only and needs only the `kubernetes` Python client, with every other dependency degrading gracefully when absent.

Under the hood it ships roughly 146 discrete rules organized into 19 check groups spanning RBAC, workload/pod hardening, images, network policy, namespaces, secrets, service accounts, control-plane configuration, storage, admission control, nodes, availability (PDB/HPA), service mesh, deprecated APIs, runtime/ephemeral containers, advanced graph-based RBAC, supply chain, and Kyverno policy health. A v2.0.0 policy engine layers a custom YAML policy DSL, OPA/Rego execution (via the `opa` binary), and Kyverno validation on top of the built-in checks, so teams can codify their own guardrails without forking the scanner.

It is built for platform and security engineers who need CI/CD-friendly, benchmark-aligned cluster assessments. Every finding is mapped across six compliance frameworks — CIS Kubernetes Benchmark, NSA/CISA Hardening Guide, MITRE ATT&CK for Containers, SOC 2, PCI-DSS v4.0, and NIST SP 800-190 — and results export to five formats including SARIF v2.1.0 for the GitHub Security tab and PDF executive summaries. Baseline profiles (dev/staging/production), an exception allow-list, RBAC baseline drift tracking, scan-to-scan diffing, multi-cluster runs, and Slack/Teams webhooks make it practical to wire directly into pipeline gates, where a non-zero exit code on CRITICAL/HIGH findings fails the build.

What makes it notable is the depth beyond a static config linter: graph-based RBAC escalation-path analysis, supply-chain checks that drive Trivy/Grype CVE scans plus cosign signature verification and SBOM generation, and managed-cluster awareness that degrades control-plane checks to informational findings on EKS/GKE/AKS where the API server is not a visible pod.

02Key Capabilities

Agentless live-cluster scanning

Assesses posture by querying the Kubernetes API through kubeconfig or in-cluster config — no pods, sidecars, or DaemonSets required, and all checks are strictly read-only.

~150 checks across 19 groups

Roughly 146 rules covering RBAC, pod/workload hardening, images, network, namespaces, secrets, service accounts, cluster config, storage, admission, nodes, availability, mesh, deprecated APIs, and runtime security.

v2.0.0 policy engine

Define custom checks in a YAML policy DSL, run OPA/Rego policies via the opa binary, and validate Kyverno policy health — all pluggable via --policy-dir, --rego-dir, and cluster detection.

Graph-based advanced RBAC analysis

Builds a SA→RoleBinding→Role permission graph to surface multi-hop escalation paths, dormant service accounts, orphaned bindings, and overly broad roles beyond simple wildcard matching.

Supply chain & image security

Drives Trivy/Grype CVE scanning, cosign signature verification, SBOM generation, EOL/insecure base-image detection, and registry allow-list enforcement via --trusted-registries.

Six compliance frameworks

Every finding is mapped to CIS, NSA/CISA, MITRE ATT&CK for Containers, SOC 2, PCI-DSS v4.0, and NIST 800-190, with a per-framework coverage dashboard in the HTML report.

Baseline profiles & exceptions

Built-in dev/staging/production profiles tune severity thresholds and suppressions, while a YAML/JSON exception file allow-lists accepted findings using glob matching on rule ID and resource.

RBAC drift & scan diffing

Save an RBAC baseline and compare later to detect permission drift, and diff two scan JSONs to see new, resolved, and persistent findings with severity deltas.

Multi-cluster scanning

Scan several contexts in a single run with --contexts, producing consolidated summaries and per-cluster reports.

Five output formats

Colored console, machine-readable JSON, interactive dark-themed HTML, SARIF v2.1.0 for GitHub Security, and PDF executive summaries (reportlab with a stdlib fallback).

CI/CD gating & notifications

Returns exit code 1 on CRITICAL/HIGH findings for pipeline gates, and pushes severity summaries to Slack and Microsoft Teams webhooks.

Managed-cluster awareness

Gracefully handles EKS/GKE/AKS where the API server is not a visible pod, downgrading control-plane checks to informational findings instead of failing.

03Architecture

A single-file Python scanner (kspm_scanner.py, ~5,600 LOC) built around a Finding class and a KSPMScanner class that connects to the Kubernetes API, runs ~20 grouped `_check_*` methods, applies the v2.0.0 policy engine and profile/exception filters, then serializes results through five reporter methods. Data flows from live API collection to per-group rule evaluation to compliance-mapping enrichment to multi-format export.

1
API connection & collection
Loads kubeconfig or in-cluster config via the kubernetes client, resolves one or many contexts, and lists workloads, RBAC objects, network/admission/policy resources read-only.
2
Check engine (_check_* methods)
~20 grouped methods (_check_rbac, _check_workloads/_check_pod_spec, _check_network_security, _check_advanced_rbac, _check_supply_chain, _check_kyverno_policies, etc.) emit Finding objects.
3
Policy engine (v2.0.0)
_run_custom_policies loads YAML DSL rules, _run_rego_policies shells out to opa eval, and Kyverno validation checks installed policy health — all merged into the findings stream.
4
Compliance mapping
Six class-level dicts (CIS_MAP, NSA_CISA_MAP, MITRE_MAP, SOC2_MAP, PCIDSS_MAP, NIST_800_190_MAP) enrich each finding; compliance_summary() computes per-framework coverage.
5
Filtering & post-processing
_apply_profile applies dev/staging/production thresholds, _apply_exceptions allow-lists findings via glob, and diff/baseline logic compares against prior scans.
6
Reporters
save_json, save_html, save_sarif, save_pdf, plus console output and notify_slack/notify_teams render findings; exit code is derived from CRITICAL/HIGH counts.

04Project Structure

kspm_scanner.pyThe entire scanner — Finding class, KSPMScanner engine, all check groups, policy engine, compliance maps, and all reporters (~5,600 LOC, single file by design).
README.mdFull documentation: feature list, 19 check-group table, policy-engine DSL examples, CIS/compliance mappings, CLI reference, and required RBAC.
CLAUDE.mdArchitecture and contributor guide — core pattern, rule-ID convention table, severity model, output formats, and versioned roadmap (v1.1.0→v2.0.0).
test_data/test_kspm_scanner.pyUnittest suite (82 tests in TestKSPMScanner) exercising rule logic against mocked Kubernetes objects.
test_data/run_test.pyIntegration harness that mocks the kubernetes client with a deliberately insecure fake cluster to drive every check group end-to-end.
banner.svgProject banner rendered at the top of the README.
LICENSEMIT license.
.gitignoreExcludes IDE and local artifact files from the repo.

05Security Controls

RBAC security (K8S-RBAC-001–015)
Detects cluster-admin bindings, wildcard permissions, secrets access, pod exec/attach, escalate/bind/impersonate verbs, anonymous/unauthenticated bindings, CSR approval, and SA token creation.
Advanced graph-based RBAC (K8S-RBAC-016–027)
Builds a permission graph to find dormant SAs, cross-namespace and multi-hop escalation paths, overly broad roles, orphaned bindings, match-all aggregate selectors, and RBAC baseline drift.
Workload/pod hardening (K8S-POD-001–025)
Flags privileged containers, root user, hostNetwork/PID/IPC, privilege escalation, dangerous capabilities (SYS_ADMIN/ALL/NET_RAW), writable root FS, missing limits/probes, seccomp, AppArmor/SELinux, and unsafe sysctls.
Network security (K8S-NET-001–010)
Missing NetworkPolicies, allow-all ingress/egress, LoadBalancer/NodePort exposure, ExternalIPs, Ingress without TLS, wildcard hosts, and ExternalName services.
Cluster / control-plane config (K8S-CLUSTER-001–010)
API server anonymous auth, insecure port, audit logging, admission controllers, encryption at rest, profiling, plus Dashboard exposure and Tiller (Helm v2) detection — degraded to informational on managed clusters.
Secrets & namespaces (K8S-SECRET, K8S-NS, K8S-SA)
Secrets in env vars, sensitive ConfigMap keys, incomplete TLS secrets, Pod Security Admission label/level checks, missing ResourceQuota/LimitRange, and risky default service-account usage.
Supply chain security (K8S-SC-001–010)
Trivy/Grype image CVE scanning, cosign signature verification, SBOM generation, EOL/insecure base-image detection, registry allow-list enforcement, and image-verification admission-policy checks.
Admission, node & availability
Webhook failurePolicy/scope/timeout issues (K8S-ADM), kubelet/runtime/kernel version and node-health checks (K8S-NODE), and PDB/HPA availability guardrails (K8S-PDB/HPA).
Service mesh, deprecated APIs & runtime
Istio/Linkerd sidecar and mTLS mode checks (K8S-MESH), deprecated/removed API versions and PSP remnants (K8S-API), and RuntimeClass/ephemeral debug-container detection (K8S-RC/EPH).
Policy validation & custom guardrails
Kyverno policy-health checks (K8S-KYV-001–006), plus user-authored YAML DSL rules (K8S-CUSTOM) and OPA/Rego policies (K8S-OPA/REGO) evaluated at scan time.

06Technology Stack

Language
Python 3.8+ (single-file scanner)
Required dependency
kubernetes (official Python client)
Optional dependencies
reportlab (PDF), PyYAML (policies/exceptions), opa binary (Rego)
External tools (supply chain)
Trivy / Grype (CVE), cosign (signatures), Syft/Trivy (SBOM)
Testing
unittest — 82 tests in test_kspm_scanner.py plus a mock-cluster integration harness (run_test.py)
Output formats
Console, JSON, HTML, SARIF v2.1.0, PDF
Deployment
Run directly via python kspm_scanner.py using kubeconfig or in-cluster config; no build step

07Quick Start

$ pip install kubernetes  # only required dependency (reportlab, pyyaml, opa are optional)
$ python kspm_scanner.py --html report.html --json scan.json  # scan default kubeconfig, write reports
$ python kspm_scanner.py --profile production --severity HIGH  # strict CI gate, exit 1 on CRITICAL/HIGH
$ python kspm_scanner.py --sarif results.sarif  # SARIF v2.1.0 for the GitHub Security tab
$ python kspm_scanner.py --policy-dir ./policies/ --rego-dir ./rego/ --exceptions exceptions.yaml  # custom policy engine
$ python kspm_scanner.py --contexts dev,staging,prod --baseline-compare rbac-baseline.json  # multi-cluster + RBAC drift

08Compliance & Frameworks

CIS Kubernetes Benchmark
Rules mapped to CIS sections (24 mappings) for Kubernetes hardening best practices.
NSA/CISA Hardening Guide v1.2
50 rules mapped to NSA sections 1–5 for US government container hardening guidance.
MITRE ATT&CK for Containers
60+ rules mapped to techniques such as T1190, T1609, T1611, and T1613.
SOC 2 Trust Services Criteria
48 rules mapped to CC6/CC7/CC8/A1 service-organization controls.
PCI-DSS v4.0
37 rules mapped to payment-card industry requirements 1–11.
NIST SP 800-190
36 rules mapped to the application container security guide (sections 3.1–3.5).

09Integrations & Outputs

kubeconfig / in-cluster service account (data source)Trivy, Grype, cosign, Syft (supply-chain tooling)OPA (opa eval) and Kyverno (policy validation)SARIF v2.1.0 export for GitHub Security tabSlack and Microsoft Teams webhooksJSON/PDF/HTML report exports for CI/CD

Explore Kubernetes KSPM

Full source, documentation, and deployment guides live on GitHub.