A Kubernetes cluster security information collection and evaluation tool.
KubeSnoop systematically collects security-relevant information from Kubernetes clusters. The focus is on identifying misconfigurations, security vulnerabilities, and compliance gaps across your cluster.
- Pod Security: Security contexts, privilege escalation, capabilities
- RBAC Analysis: Roles, bindings, service accounts, permissions
- Network Security: Policies, service exposures, ingress configurations
- Resource Management: Limits, quotas, resource allocation
- Node Security: Configurations, taints, conditions
- Image Security: Tag analysis, registry information
- Flexible Rules: Store security rules in SQLite database
- Dynamic Evaluation: Add/modify rules without code changes
- Rule Management: CLI commands for rule CRUD operations
- Custom Conditions: JSONPath queries with flexible conditions
- Rule Categories: Organize rules by type and severity
- Structured JSON/YAML output optimized for AI analysis
- Standardized security finding categories
- Risk severity classification
- Remediation guidance templates
- Read-only cluster access
- Non-root execution
- Configurable data redaction
- Minimal resource footprint
```bash
# Clone and build
git clone https://github.com/kubelize/kubesnoop.git
cd kubesnoop
make build

# Import default security rules
./bin/kubesnoop rules import examples/default-rules.json

# Run against local cluster
./scripts/run-local.sh
```

```bash
# Deploy to cluster
make deploy

# Check status
kubectl get pods -n kubesnoop

# View output
kubectl logs -n kubesnoop -l app=kubesnoop
```

```bash
# Single scan
./bin/kubesnoop --format json --output cluster-report.json

# Daemon mode (periodic collection)
./bin/kubesnoop --daemon --interval 1h

# Target specific namespace
./bin/kubesnoop --namespace production

# Custom kubeconfig and database
./bin/kubesnoop --kubeconfig /path/to/config --db /path/to/rules.db
```

```bash
# List all security rules
./bin/kubesnoop rules list

# Show specific rule details
./bin/kubesnoop rules show 1

# List rules by type
./bin/kubesnoop rules list pod

# Enable/disable a rule
./bin/kubesnoop rules toggle 1 false

# Delete a rule
./bin/kubesnoop rules delete 5

# Import rules from JSON file
./bin/kubesnoop rules import examples/default-rules.json

# Export rules to JSON file
./bin/kubesnoop rules export my-rules.json

# Clear all rules (reset database)
rm kubesnoop.db
```

Create kubesnoop.yaml:
```yaml
security_focus: true
detailed_analysis: true
exclude_namespaces:
  - kube-system
  - kube-public
modules:
  pods: true
  rbac: true
  network_policies: true
  secrets: false
```

WIP
Analyze this Kubernetes cluster for security vulnerabilities:
[kubesnoop output]
Provide prioritized recommendations focusing on:
- Critical security risks
- Compliance violations
- Best practice deviations
KubeSnoop automatically identifies common security issues:
- Privileged containers
- Host namespace usage
- Wildcard RBAC permissions
- Missing network policies
- Root user containers
- Missing resource limits
- NodePort services
- Default service accounts
- Latest image tags
- Missing labels
- Outdated configurations
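As an added example of what several of these checks look like in code (this is not KubeSnoop's own source, which the page does not show), the following Go program evaluates a Pod manifest against five of the listed issues: host namespace usage, the default service account, privileged containers, containers that may run as root, and floating image tags. The `Finding` type, rule names, severities and the sample Pod are this example's own assumptions. The details worth noting are the defaults and precedence rules a naive check misses: an unset `serviceAccountName` means `default`, an image with no tag is pulled as `:latest`, a digest-pinned image must not be flagged, and a container-level `runAsNonRoot`/`runAsUser` overrides the pod-level setting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one failed check; rule names and severities are this example's own.
type Finding struct{ Rule, Severity, Target string }

// Only the Pod fields the checks need are modelled. encoding/json matches object
// keys case-insensitively, so the camelCase manifest keys bind without struct tags.
type (
	secCtx struct {
		Privileged, RunAsNonRoot *bool
		RunAsUser                *int64
	}
	container struct {
		Name, Image     string
		SecurityContext *secCtx
	}
	pod struct {
		Metadata struct{ Name, Namespace string }
		Spec     struct {
			HostNetwork, HostPID, HostIPC bool
			ServiceAccountName            string
			SecurityContext               *secCtx
			Containers                    []container
		}
	}
)

// usesLatestTag reports whether an image reference floats: no tag (the kubelet
// then pulls :latest) or the literal "latest" tag. A digest reference is pinned.
func usesLatestTag(image string) bool {
	if strings.Contains(image, "@sha256:") {
		return false
	}
	name := image
	if i := strings.LastIndex(image, "/"); i >= 0 {
		name = image[i+1:] // drop registry/repo; the registry host may carry a :port
	}
	i := strings.LastIndex(name, ":")
	return i < 0 || name[i+1:] == "latest"
}

// mayRunAsRoot applies the Kubernetes precedence (container settings override pod
// settings): without runAsNonRoot=true or a non-zero runAsUser, UID 0 is possible.
func mayRunAsRoot(podCtx, ctrCtx *secCtx) bool {
	var nonRoot *bool
	var uid *int64
	for _, c := range []*secCtx{podCtx, ctrCtx} {
		if c != nil && c.RunAsNonRoot != nil {
			nonRoot = c.RunAsNonRoot
		}
		if c != nil && c.RunAsUser != nil {
			uid = c.RunAsUser
		}
	}
	return !(nonRoot != nil && *nonRoot) && (uid == nil || *uid == 0)
}

// CheckPod evaluates one Pod manifest (JSON) and returns the findings.
func CheckPod(manifest []byte) ([]Finding, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	target := p.Metadata.Namespace + "/" + p.Metadata.Name
	var out []Finding
	if p.Spec.HostNetwork || p.Spec.HostPID || p.Spec.HostIPC {
		out = append(out, Finding{"host-namespace", "HIGH", target})
	}
	if sa := p.Spec.ServiceAccountName; sa == "" || sa == "default" { // unset means "default"
		out = append(out, Finding{"default-service-account", "MEDIUM", target})
	}
	for _, c := range p.Spec.Containers {
		ct, sc := target+"/"+c.Name, c.SecurityContext
		if sc != nil && sc.Privileged != nil && *sc.Privileged {
			out = append(out, Finding{"privileged-container", "CRITICAL", ct})
		}
		if mayRunAsRoot(p.Spec.SecurityContext, sc) {
			out = append(out, Finding{"root-user", "HIGH", ct})
		}
		if usesLatestTag(c.Image) {
			out = append(out, Finding{"latest-image-tag", "LOW", ct})
		}
	}
	return out, nil
}

// SamplePod is a constructed manifest for this demo, not output from a real cluster.
const SamplePod = `{"metadata":{"name":"debug-shell","namespace":"production"},"spec":{"hostPID":true,
"containers":[{"name":"shell","image":"busybox:latest","securityContext":{"privileged":true}},
{"name":"sidecar","image":"registry.example.com:5000/app@sha256:0123456789abcdef","securityContext":{"runAsNonRoot":true}}]}}`

func main() { fmt.Println(CheckPod([]byte(SamplePod))) }
```

Run it with `go run`; on a live cluster, feed `CheckPod` the output of `kubectl get pod <name> -n <namespace> -o json`. The sample yields five findings, all on the `shell` container or the pod itself; the digest-pinned, non-root `sidecar` container is clean.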
TBD
```bash
# Run a one-off scan pod
kubectl run kubesnoop --image=kubesnoop:latest --rm -it --restart=Never
```

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kubesnoop-scan
spec:
  schedule: "0 2 * * *" # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure # Job pods must use OnFailure or Never; the default Always is rejected
          # set serviceAccountName to the read-only account defined in deploy/rbac.yaml
          containers:
          - name: kubesnoop
            image: kubesnoop:latest
```

Pin the image to a version tag or digest in production; the scanner's own image-tag check would flag `kubesnoop:latest`.

```bash
# Deploy as Deployment with daemon mode
kubectl apply -f deploy/
```

| Setting | Default | Description |
|---|---|---|
| `security_focus` | `true` | Enable security-focused analysis |
| `detailed_analysis` | `false` | Include detailed resource information |
| `exclude_namespaces` | `["kube-system"]` | Namespaces to skip |
| `redact_sensitive` | `true` | Redact sensitive information |
| `modules.*` | `true` | Enable/disable collection modules (`modules.secrets` is off by default) |
KubeSnoop requires read access to:
- Pods, Services, Nodes
- NetworkPolicies, Ingresses
- Roles, RoleBindings, ClusterRoles, ClusterRoleBindings
- ServiceAccounts, Secrets (optional)
- ConfigMaps, PersistentVolumes
See deploy/rbac.yaml for complete permissions.
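The permission list above translates into a ClusterRole whose verbs should be only `get`, `list` and `watch`. As an added example (not the project's deploy/rbac.yaml, which this page does not reproduce), the following Go program audits Role/ClusterRole manifests the way a "wildcard RBAC permissions" check would, and also gates the collector's own role: `IsReadOnly` rejects any verb outside get/list/watch, including `*`. Both manifests are constructed for the demo; `CollectorRole` is shaped after the resource list above, and the `Issue` type, rule texts and severities are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// policyRule mirrors rbac.authorization.k8s.io/v1 PolicyRule; encoding/json
// binds the manifest keys case-insensitively, so no struct tags are needed.
type policyRule struct {
	APIGroups, Resources, Verbs []string
}

type role struct {
	Kind     string
	Metadata struct{ Name string }
	Rules    []policyRule
}

// Issue is one RBAC finding; the texts and severities are this example's own.
type Issue struct{ Role, Severity, Detail string }

// readOnlyVerbs is all a collector needs. Anything else (create, update, patch,
// delete, deletecollection, impersonate, bind, escalate, "*") can change state.
var readOnlyVerbs = map[string]bool{"get": true, "list": true, "watch": true}

func hasWildcard(xs []string) bool {
	for _, x := range xs {
		if x == "*" {
			return true
		}
	}
	return false
}

// AuditRole flags wildcard grants, mutating verbs and read access to secrets
// in a Role or ClusterRole manifest (JSON).
func AuditRole(manifest []byte) ([]Issue, error) {
	var r role
	if err := json.Unmarshal(manifest, &r); err != nil {
		return nil, err
	}
	name := r.Kind + "/" + r.Metadata.Name
	var out []Issue
	for i, pr := range r.Rules {
		where := fmt.Sprintf("rules[%d]: ", i)
		switch {
		case hasWildcard(pr.Verbs) && hasWildcard(pr.Resources):
			out = append(out, Issue{name, "CRITICAL", where + "wildcard verbs on wildcard resources"})
		case hasWildcard(pr.Verbs) || hasWildcard(pr.Resources) || hasWildcard(pr.APIGroups):
			out = append(out, Issue{name, "HIGH", where + "wildcard in verbs, resources or apiGroups"})
		}
		var mutating []string
		for _, v := range pr.Verbs {
			if !readOnlyVerbs[v] && v != "*" { // "*" is already reported above
				mutating = append(mutating, v)
			}
		}
		if len(mutating) > 0 {
			out = append(out, Issue{name, "HIGH", where + "mutating verbs " + strings.Join(mutating, ",")})
		}
		for _, res := range pr.Resources {
			if res == "secrets" { // get/list on secrets returns their contents
				out = append(out, Issue{name, "MEDIUM", where + "read access to secrets"})
			}
		}
	}
	return out, nil
}

// IsReadOnly is the gate to run on the collector's own ClusterRole before
// deploying it: every verb must be get, list or watch (so no wildcards).
func IsReadOnly(manifest []byte) (bool, error) {
	var r role
	if err := json.Unmarshal(manifest, &r); err != nil {
		return false, err
	}
	for _, pr := range r.Rules {
		for _, v := range pr.Verbs {
			if !readOnlyVerbs[v] {
				return false, nil
			}
		}
	}
	return true, nil
}

// Constructed manifests: a collector role shaped like the permission list above
// (not the project's deploy/rbac.yaml), and an over-broad role that must be flagged.
const CollectorRole = `{"kind":"ClusterRole","metadata":{"name":"collector-readonly"},"rules":[
{"apiGroups":[""],"resources":["pods","services","nodes","serviceaccounts","configmaps","persistentvolumes"],"verbs":["get","list","watch"]},
{"apiGroups":["networking.k8s.io"],"resources":["networkpolicies","ingresses"],"verbs":["get","list","watch"]},
{"apiGroups":["rbac.authorization.k8s.io"],"resources":["roles","rolebindings","clusterroles","clusterrolebindings"],"verbs":["get","list","watch"]}]}`

const OverbroadRole = `{"kind":"ClusterRole","metadata":{"name":"ops-admin"},"rules":[
{"apiGroups":["*"],"resources":["*"],"verbs":["*"]},
{"apiGroups":[""],"resources":["secrets","pods/exec"],"verbs":["get","list","create"]}]}`

func main() {
	for _, m := range []string{CollectorRole, OverbroadRole} {
		fmt.Println(IsReadOnly([]byte(m)))
		fmt.Println(AuditRole([]byte(m)))
	}
}
```

On a live cluster, feed either function the output of `kubectl get clusterrole <name> -o json`. The collector role passes `IsReadOnly` with no issues; the over-broad role fails it and produces three issues: a CRITICAL wildcard grant, a HIGH for the `create` verb (on `pods/exec`, which is interactive access to containers), and a MEDIUM for readable secrets.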
- Read-only: No write/delete cluster permissions
- Least Privilege: Minimal required access
- Optional Secrets: Secrets collection disabled by default
- Non-root user (UID 65534)
- Read-only root filesystem
- No privilege escalation
- Dropped capabilities
- Resource limits enforced
- Sensitive data redaction by default
- No persistent storage
- Configurable output destinations
- Encryption in transit
```bash
# Build binary
make build

# Build Docker image
make docker-build

# Run tests
make test

# Lint code
make lint
```

- Fork the repository
- Create feature branch
- Add tests for new functionality
- Ensure security best practices
- Submit pull request
See the examples/ directory for:
- Sample output files
- Configuration examples
- Integration scripts
- Pod Security Standards analysis
- Admission controller detection
- Helm Chart
- Prometheus metrics export
- Grafana Dashboards
- Web dashboard interface
- Documentation (WIP)
- Issues
- Discussions
- Security Policy
Apache License 2.0 - see LICENSE for details.