K8 security tools

A list of open source Kubernetes tools to assist those learning or those with small IT budgets wishing secure their environments and CICD tool chains. I’ve done my best to categorize the tools as “Reputable” and “Beware”. Use at your own risk.

Reputable Open Source security tools


Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code. Mitigate risks before provisioning cloud native infrastructure. Run locally or integrate with your CI\CD.

  • 500+ Policies for security best practices
  • Scanning of Terraform (HCL2)
  • Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
  • Support for AWS, Azure, GCP, Kubernetes and GitHub


kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.


kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don’t own!


The Falco Project, originally created by Sysdig, is an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.


Grype – A vulnerability scanner for container images and filesystems

Syft – CLI tool and library for generating a Software Bill of Materials from container images and filesystems

anchore-engine – A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification

Anchore Kubernetes Admission Controller – It implements a Kubernetes Dynamic Webhook controller for interacting with Anchore Engine and making admission decisions based image properties as determined during analysis by Anchore Engine.


ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. The tool is a part of the “Kubernetes Pentest Methdology” blog post series.



Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL] in Kubernetes.


Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio’s control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes.



For example, by deploying OPA as an admission controller you can:

  • Require specific labels on all resources.
  • Require container images come from the corporate image registry.
  • Require all Pods specify resource requests and limits.
  • Prevent conflicting Ingress objects from being created.


kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc).


Encrypt your Secret into a SealedSecret, which is safe to store – even to a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret

BEWARE / untested – security tools