awesome-kubernetes-security/README.md

# :lock: awesome-kubernetes-security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

A curated list of awesome Kubernetes security resources. Can you dig it?

## Open Source Projects

- [aad-pod-identity](https://github.com/Azure/aad-pod-identity/) -  Assign Azure AD idenitites to pods in Kubernetes, in order to access Azure resources
- [audit2rbac](https://github.com/liggitt/audit2rbac) - Autogenerate RBAC policies based on Kubernetes audit logs
- [CDK](https://github.com/cdk-team/CDK) - Zero Dependency Container Penetration Toolkit
- [Deepfence ThreatMapper](https://github.com/deepfence/ThreatMapper) - Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless
- [cnspec](https://cnspec.io) - Scan Kubernetes clusters, containers, and manifest files for vulnerabilities and misconfigurations
- [falco](https://github.com/falcosecurity/falco) - Container Native Runtime Security
- [KBOM](https://github.com/ksoclabs/kbom) - Kubernetes Bill of Materials Toolkit
- [kdigger](https://github.com/quarkslab/kdigger) - Kubernetes focused container assessment and context discovery tool for penetration testing
- [kiam](https://github.com/uswitch/kiam) - Integrate AWS IAM with Kubernetes
- [kube-bench](https://github.com/aquasecurity/kube-bench) - Check whether Kubernetes is deployed according to security best practics
- [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters
- [kube-psp-advisor](https://github.com/sysdiglabs/kube-psp-advisor) - Help building an adaptive and fine-grained pod security policy
- [kube-scan](https://github.com/octarinesec/kube-scan) - k8s cluster risk assessment tool
- [kubescape](https://github.com/kubescape/kubescape) - k8s risk analysis, security compliance, and misconfiguration scanning.
- [kubelight - WIP but promising](https://github.com/OWASP/KubeLight) - OWASP project to scan your Kubernetes Cluster for Security & Compliance.
- [Kubei](https://github.com/Portshift/kubei) - Vulnerabilities scanner for Kubernetes clusters
- [kube2iam](https://github.com/jtblin/kube2iam) - Provide different AWS IAM roles for pods running on Kubernetes
- [kubeaudit](https://github.com/Shopify/kubeaudit) - Audit your Kubernetes clusters against common security controls
- [kubectl-bindrole](https://github.com/Ladicle/kubectl-bindrole) - Find Kubernetes roles bound to a specified ServiceAccount, Group or User
- [kubectl-dig](https://github.com/sysdiglabs/kubectl-dig) - Deep Kubernetes visibility from the kubectl
- [kubectl-kubesec](https://github.com/stefanprodan/kubectl-kubesec) - Scan Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io
- [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can) - Show who has permissions to \<verb\> \<resource\> in Kubernetes
- [OWASP Top Ten for Kubernetes](https://owasp.org/www-project-kubernetes-top-ten/) -  The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity
- [terrascan](https://github.com/accurics/terrascan) - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure
- [kyverno](https://github.com/nirmata/kyverno) - Kubernetes Native Policy Management
- [netchecks](https://github.com/hardbyte/netchecks/) - Tool to validate assumptions about the network
- [rakkess](https://github.com/corneliusweig/rakkess) - Review access matrix for Kubernetes server resources
- [rback](https://github.com/team-soteria/rback) - RBAC in Kubernetes visualizer
- [red-kube](https://github.com/lightspin-tech/red-kube) - K8S Adversary Emulation Based on kubectl
- [steampipe](https://github.com/turbot/steampipe) - Use SQL to query your cloud services (AWS, Azure, GCP and more) running Kubernetes
- [steampipe-kubernetes](https://github.com/turbot/steampipe-plugin-kubernetes) - Use SQL to query your Kubernetes resources
- [steampipe-kubernetes-compliance](https://github.com/turbot/steampipe-mod-kubernetes-compliance) - Kubernetes compliance scanning tool for CIS, NSA & CISA Cybersecurity technical report for Kubernetes hardening.
- [trivy](https://github.com/aquasecurity/trivy) - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
- [trivy-operator](https://github.com/aquasecurity/trivy-operator) - Kubernetes-native security (Vulnerabilities,IaC MisConfig,Exposed Secrets,RBAC Assessment,Compliance and more) toolkit for kubernetes
- [kubernetes-rbac-audit](https://github.com/cyberark/kubernetes-rbac-audit) - Tool for auditing RBACs in Kubernetes
- [kubernetes-external-secrets](https://github.com/external-secrets/kubernetes-external-secrets) - Tool to get External Secrets from Hashicorp Vault and AWS SSM
- [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator) - An operator to create Kubernetes secrets from Vault for a secure GitOps based workflow

## General Resources

- [Kubernetes Security and Disclosure Information](https://kubernetes.io/docs/reference/issues-security/security/)
- [Kubernetes Security](https://kubernetes-security.info/)
- [GKE Security Bulletins](https://cloud.google.com/kubernetes-engine/docs/security-bulletins)
- [CKS Certified Kubernetes Security Specialist resources repo](https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist)
- [Kubernetes Security Checklist and Requirements](https://github.com/Vinum-Security/kubernetes-security-checklist)
- [OWASP Kubernetes Security Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)
- [Securing Kubernetes Clusters](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)
- [Kubernetes Security : 6 Best Practices for 4C Security Model](https://spacelift.io/blog/kubernetes-security)

## Twitter Accounts

- [Andrew Martin](https://twitter.com/sublimino)
- [Ann N Wallace](https://twitter.com/annnwallace)
- [Annabelle Bertucio](https://twitter.com/WhyHiAnnabelle)
- [Brad Geessaman](https://twitter.com/bradgeesaman)
- [Duffie Cooley](https://twitter.com/mauilion)
- [Erik St. Martin](https://twitter.com/erikstmartin)
- [Greg Castle](https://twitter.com/mrgcastle)
- [Ian Coldwater](https://twitter.com/iancoldwater)
- [Jimmy Mesta](https://twitter.com/jimmesta)
- [Jordan Liggitt](https://twitter.com/liggitt)
- [learnk8s](https://twitter.com/learnk8s)
- [Liz Rice](https://twitter.com/lizrice)
- [Mark Manning](https://twitter.com/antitree)
- [Maya Kaczorowski](https://twitter.com/MayaKaczorowski)
- [Michael Ducy](https://twitter.com/mfdii)
- [Michael Hausenblas](https://twitter.com/mhausenblas)
- [Peter Benjamin](https://twitter.com/petermbenjamin)
- [Rory McCune](https://twitter.com/raesene)
- [Tabitha Sable](https://twitter.com/TabbySable)
- [Tim Allclair](https://twitter.com/tallclair)
- [Timothy St. Clair](https://twitter.com/timothysc)
- [Sangam Biradar](https://github.com/sangam14)
initial commit 2019-05-21 22:19:55 +00:00			`# :lock: awesome-kubernetes-security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)`
Add initial list of Kubernetes security tool 2019-05-26 20:05:49 +00:00
			`A curated list of awesome Kubernetes security resources. Can you dig it?`

Updates 2020-01-24 17:25:02 +00:00			`## Open Source Projects`

Add aad-pod-identity 2021-11-24 16:04:37 +00:00			`- [aad-pod-identity](https://github.com/Azure/aad-pod-identity/) - Assign Azure AD idenitites to pods in Kubernetes, in order to access Azure resources`
Add descriptions 2019-05-26 20:13:56 +00:00			`- [audit2rbac](https://github.com/liggitt/audit2rbac) - Autogenerate RBAC policies based on Kubernetes audit logs`
Merge branch 'master' into dev1 2023-07-06 10:21:12 +00:00			`- [CDK](https://github.com/cdk-team/CDK) - Zero Dependency Container Penetration Toolkit`
Add ThreatMapper 2021-12-02 17:08:02 +00:00			`- [Deepfence ThreatMapper](https://github.com/deepfence/ThreatMapper) - Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless`
Add cnspec tool OSS CLI tool to scan K8s clusters, manifests, containers, container registries + a lot more. Signed-off-by: Tim Smith <tsmith84@gmail.com> 2023-02-17 00:56:12 +00:00			`- [cnspec](https://cnspec.io) - Scan Kubernetes clusters, containers, and manifest files for vulnerabilities and misconfigurations`
Updates 2020-01-24 17:25:02 +00:00			`- [falco](https://github.com/falcosecurity/falco) - Container Native Runtime Security`
Update README.md add red-kube and KBOM 2023-07-06 10:24:47 +00:00			`- [KBOM](https://github.com/ksoclabs/kbom) - Kubernetes Bill of Materials Toolkit`
Added kdigger to the open source projects list 2023-03-06 16:40:31 +00:00			`- [kdigger](https://github.com/quarkslab/kdigger) - Kubernetes focused container assessment and context discovery tool for penetration testing`
Add descriptions 2019-05-26 20:13:56 +00:00			`- [kiam](https://github.com/uswitch/kiam) - Integrate AWS IAM with Kubernetes`
			`- [kube-bench](https://github.com/aquasecurity/kube-bench) - Check whether Kubernetes is deployed according to security best practics`
			`- [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters`
			`- [kube-psp-advisor](https://github.com/sysdiglabs/kube-psp-advisor) - Help building an adaptive and fine-grained pod security policy`
Updates 2020-01-24 17:25:02 +00:00			`- [kube-scan](https://github.com/octarinesec/kube-scan) - k8s cluster risk assessment tool`
docs: add links for kubescape & kubelight kubescape is a really active project and complete scanning tool, with a lot of report/output available. kubelight [WIP but seems very useful] allow you to check your PCI-DSS/SOC2 compliance directly. 2023-06-09 07:37:11 +00:00			`- [kubescape](https://github.com/kubescape/kubescape) - k8s risk analysis, security compliance, and misconfiguration scanning.`
			`- [kubelight - WIP but promising](https://github.com/OWASP/KubeLight) - OWASP project to scan your Kubernetes Cluster for Security & Compliance.`
Update README.md adding Kubei, an opensource vulnerabilities scanner designed to run locally inside Kubernetes clusters to provide an accurate snapshot of the known CVEs/Docker CIS benchmarks designed for large scale Kubernetes clusters (parallel scanners options, namespaces and severity selection options) 2021-12-12 15:04:56 +00:00			`- [Kubei](https://github.com/Portshift/kubei) - Vulnerabilities scanner for Kubernetes clusters`
Add descriptions 2019-05-26 20:13:56 +00:00			`- [kube2iam](https://github.com/jtblin/kube2iam) - Provide different AWS IAM roles for pods running on Kubernetes`
			`- [kubeaudit](https://github.com/Shopify/kubeaudit) - Audit your Kubernetes clusters against common security controls`
			`- [kubectl-bindrole](https://github.com/Ladicle/kubectl-bindrole) - Find Kubernetes roles bound to a specified ServiceAccount, Group or User`
			`- [kubectl-dig](https://github.com/sysdiglabs/kubectl-dig) - Deep Kubernetes visibility from the kubectl`
			`- [kubectl-kubesec](https://github.com/stefanprodan/kubectl-kubesec) - Scan Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io`
Minor 2020-01-24 17:28:00 +00:00			`- [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can) - Show who has permissions to \<verb\> \<resource\> in Kubernetes`
Update README.md 2022-09-09 13:41:29 +00:00			`- [OWASP Top Ten for Kubernetes](https://owasp.org/www-project-kubernetes-top-ten/) - The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity`
Update README.md 2021-12-08 00:06:32 +00:00			`- [terrascan](https://github.com/accurics/terrascan) - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure`
Add kyverno 2020-01-30 17:31:18 +00:00			`- [kyverno](https://github.com/nirmata/kyverno) - Kubernetes Native Policy Management`
add netchecks 2023-06-19 06:22:43 +00:00			`- [netchecks](https://github.com/hardbyte/netchecks/) - Tool to validate assumptions about the network`
Add descriptions 2019-05-26 20:13:56 +00:00			`- [rakkess](https://github.com/corneliusweig/rakkess) - Review access matrix for Kubernetes server resources`
Change rback GitHub link from fork to parent While the rback fork linked to previously may have been more up-to-date in the past, the original upstream parent repository now appears to be more up-to-date 2021-01-13 01:36:54 +00:00			`- [rback](https://github.com/team-soteria/rback) - RBAC in Kubernetes visualizer`
Update README.md add red-kube and KBOM 2023-07-06 10:24:47 +00:00			`- [red-kube](https://github.com/lightspin-tech/red-kube) - K8S Adversary Emulation Based on kubectl`
Add Steampipe Kube tooling 2021-12-09 16:06:59 +00:00			`- [steampipe](https://github.com/turbot/steampipe) - Use SQL to query your cloud services (AWS, Azure, GCP and more) running Kubernetes`
			`- [steampipe-kubernetes](https://github.com/turbot/steampipe-plugin-kubernetes) - Use SQL to query your Kubernetes resources`
			`- [steampipe-kubernetes-compliance](https://github.com/turbot/steampipe-mod-kubernetes-compliance) - Kubernetes compliance scanning tool for CIS, NSA & CISA Cybersecurity technical report for Kubernetes hardening.`
Add trivy 2020-01-24 17:29:29 +00:00			`- [trivy](https://github.com/aquasecurity/trivy) - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI`
docs: add trivy operator Signed-off-by: chenk <hen.keinan@gmail.com> 2023-01-11 07:58:54 +00:00			`- [trivy-operator](https://github.com/aquasecurity/trivy-operator) - Kubernetes-native security (Vulnerabilities,IaC MisConfig,Exposed Secrets,RBAC Assessment,Compliance and more) toolkit for kubernetes`
Added another tool Added another tool to the open-source project list 2020-05-10 16:07:35 +00:00			`- [kubernetes-rbac-audit](https://github.com/cyberark/kubernetes-rbac-audit) - Tool for auditing RBACs in Kubernetes`
adding external secrets open source project 2021-12-12 00:57:27 +00:00			`- [kubernetes-external-secrets](https://github.com/external-secrets/kubernetes-external-secrets) - Tool to get External Secrets from Hashicorp Vault and AWS SSM`
Add Vault Secrets Operator 2022-04-13 02:34:34 +00:00			`- [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator) - An operator to create Kubernetes secrets from Vault for a secure GitOps based workflow`
Updates 2020-01-24 17:25:02 +00:00
			`## General Resources`

			`- [Kubernetes Security and Disclosure Information](https://kubernetes.io/docs/reference/issues-security/security/)`
			`- [Kubernetes Security](https://kubernetes-security.info/)`
			`- [GKE Security Bulletins](https://cloud.google.com/kubernetes-engine/docs/security-bulletins)`
Add CKS resources repo - Add CKS resources repo - Add Controlplane/Andrew Martin twitter account 2020-10-27 13:47:04 +00:00			`- [CKS Certified Kubernetes Security Specialist resources repo](https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist)`
Kubernetes Security Checklist and Requirements 2021-10-14 14:50:38 +00:00			`- [Kubernetes Security Checklist and Requirements](https://github.com/Vinum-Security/kubernetes-security-checklist)`
Update README.md 2021-12-07 22:33:57 +00:00			`- [OWASP Kubernetes Security Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)`
Update README.md Added a link 2021-11-30 17:06:20 +00:00			`- [Securing Kubernetes Clusters](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)`
Added new article about Kubernetes Security best practices 2023-01-16 13:29:38 +00:00			`- [Kubernetes Security : 6 Best Practices for 4C Security Model](https://spacelift.io/blog/kubernetes-security)`
Updates 2020-01-24 17:25:02 +00:00
			`## Twitter Accounts`

Add CKS resources repo - Add CKS resources repo - Add Controlplane/Andrew Martin twitter account 2020-10-27 13:47:04 +00:00			`- [Andrew Martin](https://twitter.com/sublimino)`
Updates 2020-01-24 17:25:02 +00:00			`- [Ann N Wallace](https://twitter.com/annnwallace)`
			`- [Annabelle Bertucio](https://twitter.com/WhyHiAnnabelle)`
			`- [Brad Geessaman](https://twitter.com/bradgeesaman)`
			`- [Duffie Cooley](https://twitter.com/mauilion)`
			`- [Erik St. Martin](https://twitter.com/erikstmartin)`
			`- [Greg Castle](https://twitter.com/mrgcastle)`
			`- [Ian Coldwater](https://twitter.com/iancoldwater)`
			`- [Jimmy Mesta](https://twitter.com/jimmesta)`
			`- [Jordan Liggitt](https://twitter.com/liggitt)`
			`- [learnk8s](https://twitter.com/learnk8s)`
			`- [Liz Rice](https://twitter.com/lizrice)`
			`- [Mark Manning](https://twitter.com/antitree)`
			`- [Maya Kaczorowski](https://twitter.com/MayaKaczorowski)`
			`- [Michael Ducy](https://twitter.com/mfdii)`
			`- [Michael Hausenblas](https://twitter.com/mhausenblas)`
			`- [Peter Benjamin](https://twitter.com/petermbenjamin)`
			`- [Rory McCune](https://twitter.com/raesene)`
			`- [Tabitha Sable](https://twitter.com/TabbySable)`
			`- [Tim Allclair](https://twitter.com/tallclair)`
			`- [Timothy St. Clair](https://twitter.com/timothysc)`
Update README.md 2021-12-08 00:06:32 +00:00			`- [Sangam Biradar](https://github.com/sangam14)`