Cluster Scanning

Scan Kubernetes Clusters for misconfigurations

Scanning Kubernetes cluster for misconfigurations is essential to enhance security and optimize performance. It helps proactively identify vulnerabilities and ensure proper resource allocation, minimizing risks and ensuring efficient cluster operations.

With nctl, scan any Kubernetes cluster without deploying anything on the cluster. Just point it at the kubeconfig file and it will scan the cluster and generate a full-fledged scan report.

The sections below detail the various options of the scan command.

Scan cluster for best practices

nctl scan

The cluster scanned with this command is the cluster referenced by the default kubeconfig file located at ~/.kube/config. If the kubeconfig is in a different location, use the --kubeconfig flag to point to that location. For the policies, nctl by default refers to the following three Nirmata curated policysets -

Once the scan is complete, it provides a summary report on the policy status for different resources in the cluster grouped by Policy Category and also by namespaces. To view detailed reports, use the --expand flag.

Scan specific namespaces

nctl scan --namespace <comma-separated-list>

To scan only specific namespaces in the cluster, use the --namespace flag to provide a comma-separated list of namespaces.

Scan cluster using custom policies

nctl scan --policies /path/to/policies
nctl scan --policies https://github.com/repo/containing/policies

To scan against custom policies, use the --policies flag to point to the directory containing policies, or to a GitHub repo containing the policies.

Scan specific resource files

nctl scan --resource /path/to/resource/files

To scan specific resource files instead of all resources in a cluster, use the --resource flag to point to a directory containing the resource files. When combined with the --policies flag, this command can be used in a CI pipeline to check Kubernetes manifests for misconfigurations before they reach a cluster.

Output formats

The scan command supports the following output formats (use the --format flag):

  • pretty-print: display the result as a table on the console
  • json: render the result as JSON output
  • yaml: render the result as YAML output
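The following shell script is an added example (it is not part of the nctl documentation or the nctl project) showing how the --resource, --policies and --format flags described above fit together in a CI job: the manifests in the repository are scanned against a policy directory, the JSON report is saved as a build artifact, and the job fails when the scan fails. It assumes, which the page does not state, that nctl exits non-zero when a policy check fails and writes the report to standard output; the directory names and the nctl_scan_args helper are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not nctl project code.
# Assumptions (not documented on the page): nctl returns a non-zero exit
# status when any policy fails, and the report is written to stdout.
set -eu

# Compose the nctl command line from CI inputs, validating the output
# format against the three formats the scan command supports.
#   $1 = directory of Kubernetes manifests, $2 = policy directory or repo URL,
#   $3 = output format (defaults to json, the format a pipeline can parse)
nctl_scan_args() {
  manifests="$1"; policies="$2"; format="${3:-json}"
  case "$format" in
    pretty-print|json|yaml) ;;
    *) echo "unsupported format: $format (use pretty-print, json or yaml)" >&2; return 1 ;;
  esac
  printf 'nctl scan --resource %s --policies %s --format %s' "$manifests" "$policies" "$format"
}

# Run the scan and keep the JSON report as an artifact; the non-zero exit
# status from nctl (assumed) propagates under set -e and fails the CI job.
#   $1 = manifests directory, $2 = policies dir or repo URL,
#   $3 = report file (defaults to scan-report.json)
run_manifest_scan() {
  manifests="$1"; policies="$2"; report="${3:-scan-report.json}"
  [ -d "$manifests" ] || { echo "no manifests directory: $manifests" >&2; return 2; }
  echo "running: $(nctl_scan_args "$manifests" "$policies" json)"
  nctl scan --resource "$manifests" --policies "$policies" --format json > "$report"
  echo "scan passed, report saved to $report"
}

# Usage from a pipeline step:  sh ci-scan.sh ./k8s ./policies scan-report.json
if [ "$#" -ge 2 ]; then
  run_manifest_scan "$@"
fi
```

Scanning the manifests with --resource rather than the live cluster means the gate runs before anything is applied, so a misconfigured manifest is rejected at review time instead of being found by a later cluster scan.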