Kubernetes Security Tools
Last reviewed: — verified against Kubernetes 1.36.
Securing Kubernetes requires more than just applying best practices—it also involves using specialized tools to detect misconfigurations, prevent supply chain risks, monitor runtime behavior, and audit compliance. This section is the head reference for the open-source tools cited across the rest of the site, organised by the problem each one solves.
The list below includes tools for vulnerability scanning, access control, runtime security, configuration auditing, and more. These tools are referenced throughout this site and can be integrated into CI/CD pipelines or deployed in production clusters to enhance visibility and reduce risk.
If you're preparing for the Certified Kubernetes Security Specialist (CKS) exam, many of these tools are either required or highly recommended. CKS-required tools are clearly marked.
Picking a Tool by Problem
Most teams over-buy tooling. The table below maps the common Kubernetes security problems to the smallest set of tools that solves each one. Start here, then drill into the per-tool articles below for usage details.
| Problem | Default Open-Source Tool | When to Pick a Different Tool |
|---|---|---|
| Image vulnerability scan in CI | Trivy | Grype when SBOM-first or Anchore-aligned |
| Continuous in-cluster image scanning | Trivy Operator | Cloud-native scanner from your registry vendor |
| SBOM generation | Syft | Trivy for one-tool pipelines |
| Image signing | Cosign | Notation for X.509 PKI / Notary v2 |
| Manifest linting in CI | Kube-Linter | Kube-Score for terser output |
| Cluster-wide posture / benchmark | Kubescape | Vendor scanner if you have one already |
| CIS benchmark | kube-bench | None — kube-bench is the canonical implementation |
| Runtime detection | Falco | Tetragon for in-kernel enforcement; Tracee for forensics |
| Admission policy | Kyverno | OPA Gatekeeper for multi-platform Rego |
| Network policy / CNI | Cilium | Calico for mature ops, mixed bare-metal |
| Secret encryption in Git | Mozilla SOPS | Sealed Secrets for single-cluster GitOps |
| RBAC audit | audit2rbac | rakkess for ad-hoc access matrix |
| Pen-test / adversary emulation | kdigger | red-kube for ATT&CK-mapped scenarios |
For a deeper engine-level breakdown of the most common comparisons (Falco vs Tetragon, Kyverno vs OPA Gatekeeper, Trivy vs Grype), see the head-term Kubernetes Security Best Practices page.
Click on any tool name below to access a detailed article explaining its purpose, usage, configuration tips, and integration examples.
Static Analysis and Image Scanning
Analyze container images and configuration files to detect vulnerabilities and insecure defaults.
Trivy
CKS-required. A fast and comprehensive vulnerability scanner for container images, Kubernetes manifests, IaC, and source code.
Grype
CKS-required. A reliable container vulnerability scanner that consumes SBOMs and integrates with CI pipelines.
Syft
CKS-required. Generates Software Bill of Materials (SBOMs) from container images and directories, enabling transparency and traceability.
Kube-Score
Performs static analysis of Kubernetes manifests and highlights common security anti-patterns.
Kube-Linter
CKS-required. Scans Kubernetes YAML files to detect misconfigurations like missing resource limits and insecure security contexts.
Kubescape
An end-to-end security scanning tool that validates clusters, manifests and CI artifacts against frameworks such as the NSA/CISA Kubernetes Hardening Guidance, MITRE ATT&CK and the CIS Kubernetes Benchmark.
Polaris
Validates Kubernetes resources and live clusters against best practices for stability and security.
Checkov
A static code analyzer for IaC tools like Terraform and Kubernetes, highlighting misconfigurations before deployment.
Conftest
Leverages OPA to validate configuration files such as Kubernetes manifests in CI workflows.
Terrascan
A static analysis tool that scans IaC for security violations and enforces policy compliance.
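The manifest linters in this section (Kube-Linter, Kube-Score, Kubescape, Polaris) all reduce to a set of structural checks over the PodSpec. The following Python is an added example written for this page, not code from any of those projects; it implements the core checks a CI linter applies (host namespaces, hostPath mounts, automounted service-account tokens, missing securityContext, privileged containers, privilege escalation, root users, undropped capabilities, missing limits) on an already-parsed manifest. The `BAD_POD` and `GOOD_DEPLOYMENT` workloads are constructed sample input.

```python
"""Manifest linter in the spirit of Kube-Linter / Kube-Score / Kubescape.
Added example for this page, not code from any of those projects.
Works on already-parsed manifests (dicts); the sample workloads below
are constructed for illustration."""
import json

try:
    import yaml  # optional: only needed by load_manifests() for YAML input
except ImportError:
    yaml = None

WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def pod_spec(manifest):
    """Return the PodSpec embedded in a workload manifest, or None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if kind in WORKLOAD_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return None


def lint(manifest):
    """Return [(check_id, message), ...] for one manifest; an empty list means clean."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    out = []
    if spec.get("hostNetwork"):
        out.append(("host-network", f"{name}: hostNetwork is enabled"))
    if spec.get("hostPID") or spec.get("hostIPC"):
        out.append(("host-namespaces", f"{name}: shares the host PID or IPC namespace"))
    # The API default is true, so an absent field still mounts the SA token.
    if spec.get("automountServiceAccountToken", True):
        out.append(("sa-token-automount", f"{name}: automountServiceAccountToken is not false"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            out.append(("host-path", f"{name}: volume {vol.get('name')} mounts hostPath "
                                     f"{(vol.get('hostPath') or {}).get('path')}"))
    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = f"{name}/{c.get('name')}"
        sc = c.get("securityContext")
        if sc is None:
            out.append(("missing-security-context", f"{cname}: no securityContext"))
            sc = {}
        if sc.get("privileged"):
            out.append(("privileged", f"{cname}: privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):
            out.append(("privilege-escalation", f"{cname}: allowPrivilegeEscalation is not false"))
        # runAsNonRoot may be set once at pod level and inherited by every container.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append(("run-as-root", f"{cname}: runAsNonRoot is not enforced"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            out.append(("capabilities", f"{cname}: capabilities.drop does not include ALL"))
        if not (c.get("resources") or {}).get("limits"):
            out.append(("no-limits", f"{cname}: no resource limits"))
    return out


def load_manifests(text):
    """Parse a multi-document YAML stream (if PyYAML is installed) or a JSON object/list."""
    if yaml is not None:
        return [d for d in yaml.safe_load_all(text) if d]
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


# Constructed samples: a deliberately bad Pod and a hardened Deployment.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "api", "image": "example.com/api:1.2.3",
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    }}},
}

if __name__ == "__main__":
    for m in (BAD_POD, GOOD_DEPLOYMENT):
        for check, msg in lint(m):
            print(f"[{check}] {msg}")
```

The checks mirror the PSA `restricted` profile rather than inventing a new bar: a manifest that passes them also passes restricted admission, which is the point of running the lint in CI before the API server rejects the deploy. Note the two "absent means unsafe" defaults (automountServiceAccountToken and allowPrivilegeEscalation default to true); a linter that only flags explicit bad values misses both.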
Runtime Security and Threat Detection
Monitor live cluster activity to detect and respond to suspicious behavior.
Falco
CKS-required. A powerful runtime security tool that detects abnormal system call activity inside containers.
Tetragon
An eBPF-based runtime observability and enforcement tool for detecting malicious behavior in real time.
Tracee
CKS-required. Uses eBPF to trace Linux system calls and detect runtime threats, offering deep forensics and custom event tracking.
Configuration Auditing and Compliance
Audit live clusters and YAML specs to detect insecure configurations.
kube-bench
Runs the CIS Kubernetes Benchmark checks against control-plane and node configuration (config file permissions, kubelet, API server and etcd flags) and reports PASS, FAIL or WARN per control. Most checks read local files, so run it as a Job or DaemonSet on every node rather than once from a workstation.
Kube-Hunter
Actively probes clusters to find security issues from an attacker's perspective.
KubeAudit
A command-line tool that audits your cluster for misconfigured pods, RBAC issues, and privilege escalations.
Secrets Management
Tools to encrypt, store, and control access to secrets in a GitOps-friendly and secure manner.
Sealed Secrets
Encrypts Kubernetes Secrets into SealedSecret resources that can be safely committed to version control; a controller in the cluster holds the private key and decrypts them into ordinary Secrets. The key never leaves the cluster, so back it up and plan rotation, and note that by default a sealed secret is bound to the name and namespace it was sealed for.
Mozilla SOPS
An encryption tool for secrets in YAML, JSON, ENV and INI files using AWS KMS, GCP KMS, Azure Key Vault, age or PGP keys (now a CNCF project under the getsops organisation). It encrypts values while leaving keys in the clear, so files stay reviewable and diffable in Git.
Supply Chain Security and SBOM
Protect your build pipeline and ensure integrity of deployed artifacts.
Cosign
CKS-required. Signs and verifies container images using keyless or key-based cryptographic signatures.
Notation
An OCI-compliant tool for image signing and verification, supporting Notary v2 standards.
Policy Enforcement and Admission Control
Enforce security policies and prevent risky resources from being deployed.
OPA (Gatekeeper)
CKS-required. Policy-as-code engine used for enforcing constraints during resource admission.
Kyverno
Kubernetes-native policy engine that validates, mutates, and generates resources using declarative YAML policies.
Network Security and Traffic Control
Protect inter-pod traffic, ingress/egress flows, and enable deep observability.
Cilium
CKS-required. eBPF-based CNI plugin that enables L3-L7 security, visibility, and observability in Kubernetes.
Calico
CKS-required. A widely used CNI that enforces network policy and segmentation for Kubernetes workloads.
Kong
An API gateway for Kubernetes that provides advanced traffic routing, authentication, and rate limiting.
Observability and Forensics
Tools for deep inspection of node and container behavior during live debugging or post-incident investigation.
kubectl-snoop
Collects low-level syscall traces and performance data for on-node container introspection.
kubectl-trace
Run BPFTrace programs inside your Kubernetes cluster to trace detailed system behavior.
kubectl-dig
Provides deep visibility into Kubernetes cluster activity using eBPF-based tracing for real-time system call and network analysis.
Deepfence ThreatMapper
Runtime vulnerability scanner and threat detection platform that discovers threats across Kubernetes clusters, VMs, and containers.
Penetration Testing and Adversary Emulation
Tools for security assessments, red team exercises, and testing Kubernetes defenses from an attacker's perspective.
CDK (Container Penetration Toolkit)
Zero-dependency container penetration toolkit for assessing container security and discovering escape vectors.
kdigger
Kubernetes-focused container assessment and context discovery tool for understanding the security environment during penetration tests.
red-kube
Kubernetes adversary emulation framework based on kubectl, providing attack simulations aligned with MITRE ATT&CK tactics.
RBAC Analysis and Auditing
Tools for analyzing, visualizing, and auditing Kubernetes RBAC configurations.
kubectl-who-can
Shows which subjects have RBAC permissions to perform specific actions on Kubernetes resources.
rakkess
Displays an access matrix showing which resources a user, group, or service account can access.
rback
Generates visual diagrams of Kubernetes RBAC configurations for security reviews and documentation.
kubectl-bindrole
Finds all roles and cluster roles bound to a specified ServiceAccount, User, or Group.
audit2rbac
Automatically generates RBAC policies from Kubernetes audit logs for least-privilege configurations.
kubernetes-rbac-audit
Security auditing tool that analyzes RBAC configurations to identify risky permissions and misconfigurations.
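audit2rbac works by replaying the API server audit log and turning the requests one identity actually made into the smallest Role and ClusterRole that would allow them. The following Python is an added example written for this page, not audit2rbac's own code, showing that derivation end to end: it keeps only ResponseComplete events for the chosen identity, separates namespaced from cluster-scoped resources, turns denied (401/403) requests into a review list instead of granting them, and emits Role/RoleBinding and ClusterRole/ClusterRoleBinding manifests. The audit events in `SAMPLE_AUDIT_LOG` are constructed and trimmed to the fields the derivation reads.

```python
"""Derive least-privilege RBAC from Kubernetes audit log events, the approach
audit2rbac implements. Added example for this page, not audit2rbac's own code.
The audit events below are constructed sample data."""
import json
from collections import defaultdict


def _event(verb, group, resource, ns, name, code, stage="ResponseComplete",
           user="system:serviceaccount:payments:api"):
    """Build a minimal audit.k8s.io/v1 Event (constructed, not captured)."""
    ref = {"apiGroup": group, "resource": resource}
    if ns:
        ref["namespace"] = ns
    if name:
        ref["name"] = name
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "verb": verb, "user": {"username": user}, "objectRef": ref}
    if stage == "ResponseComplete":  # earlier stages have no response yet
        ev["responseStatus"] = {"code": code}
    return ev


# One JSON event per line, the shape the API server's log backend writes.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("get", "", "configmaps", "payments", "app-config", 0, stage="RequestReceived"),
    _event("get", "", "configmaps", "payments", "app-config", 200),
    _event("list", "", "pods", "payments", "", 200),
    _event("watch", "", "pods", "payments", "", 200),
    _event("get", "apps", "deployments", "payments", "api", 200),
    _event("list", "", "secrets", "kube-system", "", 403),   # denied: must not become a rule
    _event("get", "", "nodes", "", "node-1", 200),           # cluster-scoped resource
    _event("delete", "", "pods", "payments", "api-0", 200, user="alice"),  # other identity
])


def derive_rbac(log_text, username):
    """Return ({(ns, apiGroup, resource): verbs}, {(apiGroup, resource): verbs}, denied)."""
    namespaced, cluster, denied = defaultdict(set), defaultdict(set), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # A request is logged at several stages; only ResponseComplete carries the outcome.
        if ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("user") or {}).get("username") != username:
            continue
        ref = ev.get("objectRef") or {}
        if not ref.get("resource"):  # non-resource URLs such as /healthz: no PolicyRule here
            continue
        key = (ref.get("apiGroup", ""), ref["resource"])
        if (ev.get("responseStatus") or {}).get("code") in (401, 403):
            denied.append((ev["verb"],) + key + (ref.get("namespace"),))
            continue
        if ref.get("namespace"):
            namespaced[(ref["namespace"],) + key].add(ev["verb"])
        else:
            cluster[key].add(ev["verb"])
    return dict(namespaced), dict(cluster), denied


def to_rules(verbs_by_key):
    """Turn {(apiGroup, resource): verbs} into sorted PolicyRule dicts."""
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs_by_key.items())]


def subject_for(username):
    """Map an audit username to an RBAC subject (ServiceAccount or User)."""
    if username.startswith("system:serviceaccount:"):
        _, _, ns, name = username.split(":", 3)
        return {"kind": "ServiceAccount", "name": name, "namespace": ns}
    return {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}


def build_manifests(username, namespaced, cluster):
    """Emit Role/RoleBinding per namespace, plus ClusterRole/ClusterRoleBinding if needed."""
    rbac = "rbac.authorization.k8s.io"
    subject = subject_for(username)
    role_name = f"{subject['name']}-audit-derived"
    per_ns = defaultdict(dict)
    for (ns, g, r), verbs in namespaced.items():
        per_ns[ns][(g, r)] = verbs
    out = []
    for ns, keys in sorted(per_ns.items()):
        out.append({"apiVersion": f"{rbac}/v1", "kind": "Role",
                    "metadata": {"name": role_name, "namespace": ns}, "rules": to_rules(keys)})
        out.append({"apiVersion": f"{rbac}/v1", "kind": "RoleBinding",
                    "metadata": {"name": role_name, "namespace": ns},
                    "roleRef": {"apiGroup": rbac, "kind": "Role", "name": role_name},
                    "subjects": [subject]})
    if cluster:
        out.append({"apiVersion": f"{rbac}/v1", "kind": "ClusterRole",
                    "metadata": {"name": role_name}, "rules": to_rules(cluster)})
        out.append({"apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
                    "metadata": {"name": role_name},
                    "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": role_name},
                    "subjects": [subject]})
    return out


if __name__ == "__main__":
    sa = "system:serviceaccount:payments:api"
    ns_rules, cluster_rules, denied = derive_rbac(SAMPLE_AUDIT_LOG, sa)
    for m in build_manifests(sa, ns_rules, cluster_rules):
        print(json.dumps(m, indent=2))
    print("denied requests to review, not granted:", denied)
```

Two design choices matter in practice. Denied requests are reported rather than granted, because an audit log also records probing (a compromised pod enumerating secrets it cannot read); audit2rbac can be configured either way, and the right answer depends on whether the log captured a known-good workload or a suspect one. And cluster-scoped resources get a separate ClusterRole so that a single `nodes` read does not silently widen a namespaced Role into a ClusterRole covering every namespace.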
Cloud IAM Integration
Tools for integrating Kubernetes pods with cloud provider identity systems. All three below predate the providers' native mechanisms and are legacy: kiam and aad-pod-identity are no longer maintained, and kube2iam relies on intercepting instance-metadata traffic on the node. On new clusters prefer IAM Roles for Service Accounts (IRSA) or EKS Pod Identity on AWS and Azure Workload Identity on Azure, which bind the projected service-account token to a cloud role without a node-level proxy.
kube2iam
Enables Kubernetes pods to assume AWS IAM roles for fine-grained AWS credential management.
kiam
Provides AWS IAM credentials to pods using a secure client-server architecture.
aad-pod-identity
Enables Kubernetes pods on Azure to use Azure Active Directory managed identities.
Extended Secrets Management
Kubernetes External Secrets
Synchronizes secrets from external providers like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault into Kubernetes Secrets. The original GoDaddy project is deprecated; its successor, External Secrets Operator (ESO), is the one to deploy today.
Vault Secrets Operator
HashiCorp's official Kubernetes operator for synchronizing secrets from Vault into Kubernetes Secrets.
Supply Chain and Inventory
KBOM
Kubernetes Bill of Materials toolkit that generates comprehensive inventories of cluster components, images, and configurations.
Kubei
Kubernetes runtime vulnerability scanner that identifies CVEs in container images across your cluster. It was succeeded by KubeClarity, so expect no new releases under the Kubei name.
Trivy Operator
Kubernetes-native security scanning operator that automatically scans workloads for vulnerabilities, misconfigurations, and secrets.
Additional Configuration Validation
cnspec
Cloud-native security scanner from Mondoo that assesses Kubernetes clusters against security policies and compliance frameworks.
kube-scan
Kubernetes risk assessment tool that calculates risk scores for workloads based on security configurations.
kubectl-kubesec
kubectl plugin that scans Kubernetes resources using kubesec.io to identify security risks.
Steampipe for Kubernetes
SQL-based querying of Kubernetes resources and compliance scanning using CIS and NSA/CISA benchmarks.
kube-psp-advisor
Generates Pod Security Policy and Pod Security Standards recommendations by inspecting what running workloads actually need. PodSecurityPolicy was removed in Kubernetes 1.25, so treat its PSP output as historical and use the recommendations only to pick the Pod Security Admission level (privileged, baseline or restricted) a namespace can tolerate.
Network Testing
netchecks
Validates network connectivity assumptions and verifies that network policies work as expected using declarative tests.
CI/CD and GitOps Security
Enforce policies and scan configurations early in the development lifecycle.
Conftest
Validates Helm charts, Terraform, or Kubernetes YAML using OPA before deployment.
Terrascan
Scans IaC to prevent misconfigurations from reaching production environments.
Version-Specific Notes (Kubernetes 1.36)
Tooling expectations track Kubernetes itself. The following are the current defaults to assume when picking or configuring a security tool:
- Pod Security Admission: GA since 1.25, the release that removed the PodSecurityPolicy API. Manifest-linting tools (Kube-Linter, Kubescape, Polaris) should validate against the PSA `restricted` profile rather than PSP.
- ValidatingAdmissionPolicy: GA since 1.30. CEL policies are evaluated inside the API server, so some checks that previously required Kyverno or Gatekeeper can now run in-tree with no webhook to operate or keep available.
- KMS v2 encryption providers: GA since 1.29. Envelope encryption of Secrets at rest through an external KMS plugin is stable. SOPS, Sealed Secrets and external secret stores still matter, because at-rest encryption protects etcd, not the manifests committed to Git.
- Kubelet credential provider plugins: stable. Registry credentials can be fetched at pull time, so tools that injected long-lived `imagePullSecrets` can usually move to plugin-based credentials.
- Image-signature admission (Sigstore Policy Controller, Kyverno `verifyImages`): mature. Pair Cosign or Notation signing with an admission policy on every cluster so that unsigned images are rejected rather than merely reported.
Always check the Kubernetes deprecation guide before upgrading.
Conclusion
Using the right tools is crucial for securing Kubernetes across its entire lifecycle—from development and CI/CD to deployment and runtime. The "Picking a Tool by Problem" table near the top of this page is the fastest path to a defensible default; the per-tool articles below explain how to configure each one securely and integrate it with the practices discussed elsewhere on the site.
It is essential to become familiar with the tools marked as CKS-required. These tools appear frequently in exam scenarios and real-world production environments alike.