About this program
A short audit of your k8s cluster against the high-impact controls — RBAC, secrets, network policies, image trust.
Risks addressed
- Critical: Overly-permissive cluster-admin bindings
- High: Containers running as root with hostPath mounts
- High: Secrets stored in plain environment variables
Controls (7)
- Critical: No wildcard cluster-admin bindings beyond ops team
  How to test + evidence
  Testing procedure: Run kubectl get clusterrolebindings and review the subjects of every binding to cluster-admin.
  Evidence to collect: ClusterRoleBinding (CRB) export.
- High: RBAC: least-privilege per namespace
  How to test + evidence
  Testing procedure: Sample 3 namespaces; verify that the Roles and RoleBindings grant only what the workloads need.
  Evidence to collect: Role / RoleBinding export.
- High: Pod Security Standards: restricted
  How to test + evidence
  Testing procedure: Verify that the restricted Pod Security Standard is enforced via namespace labels on all user workload namespaces.
  Evidence to collect: Namespace labels export.
- High: NetworkPolicies in place
  How to test + evidence
  Testing procedure: Verify that each namespace has a default-deny NetworkPolicy plus explicit allow rules for the traffic it requires.
  Evidence to collect: NetworkPolicy export.
- High: Secrets via external secret manager
  How to test + evidence
  Testing procedure: Verify that secrets are sourced from an external secret manager (External Secrets, Vault, or the cloud provider's secret manager), not from raw Kubernetes Secrets committed to git.
  Evidence to collect: Operator config.
- Medium: Image provenance / signed images only
  How to test + evidence
  Testing procedure: Verify that an admission controller (Kyverno or cosign-based policy) blocks unsigned images.
  Evidence to collect: Policy definition plus a sample violation log.
- High: Audit logs enabled at apiserver
  How to test + evidence
  Testing procedure: Verify that the apiserver runs with --audit-policy-file configured and that audit logs are shipped to an external destination.
  Evidence to collect: apiserver flags and the log destination.
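To make the first control repeatable, here is an added example (not part of this audit program) that reviews the output of kubectl get clusterrolebindings -o json and flags every cluster-admin subject that is a wildcard group or falls outside an ops-team allowlist. OPS_ALLOWLIST, WILDCARD_SUBJECTS and the SAMPLE data are constructed assumptions, not values from any real cluster.

```python
import json

# Group subjects that hand cluster-admin to effectively everyone (assumption: flagged as wildcards).
WILDCARD_SUBJECTS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

# Hypothetical ops-team allowlist: (kind, name) pairs permitted to hold cluster-admin.
# system:masters is the subject of the default cluster-admin binding on a fresh cluster.
OPS_ALLOWLIST = {("Group", "system:masters"), ("Group", "ops-team")}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json` (not a real cluster).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "ci-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
 {"metadata": {"name": "everyone-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"metadata": {"name": "dev-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "developers"}]}
]}""")


def subject_key(subject):
    """Normalise a subject to (kind, name); ServiceAccounts become namespace/name."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        name = f"{subject.get('namespace', '')}/{name}"
    return kind, name


def review_cluster_admin_bindings(crb_list, allowlist=OPS_ALLOWLIST):
    """Return (binding, kind, subject, reason) for every cluster-admin subject needing review."""
    findings = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue  # only bindings to the cluster-admin ClusterRole are in scope
        binding = crb["metadata"]["name"]
        for subj in crb.get("subjects") or []:  # subjects may be absent or null
            kind, name = subject_key(subj)
            if subj.get("name") in WILDCARD_SUBJECTS:
                findings.append((binding, kind, name, "wildcard subject"))
            elif (kind, name) not in allowlist:
                findings.append((binding, kind, name, "subject outside ops allowlist"))
    return findings
```

For a real cluster, json.load the output of kubectl get clusterrolebindings -o json and pass it to review_cluster_admin_bindings; an empty result is the evidence the control expects.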