Scan Kubernetes Clusters for misconfigurations
Scanning a Kubernetes cluster for misconfigurations is essential for keeping it secure and well run. It proactively identifies vulnerabilities and enforces best practices such as proper resource allocation, minimizing risk and keeping cluster operations efficient.
With nctl you can scan any Kubernetes cluster without deploying anything on it: point nctl at a kubeconfig file and it scans the cluster and generates a full-fledged scan report.
The sections below detail the various options of the scan command.
Scan cluster for best practices
By default, this command scans the cluster referenced by the default kubeconfig file at ~/.kube/config. If the kubeconfig is in a different location, use the --kubeconfig flag to point to it. For policies, nctl by default refers to the following three Nirmata curated policysets -
Once the scan is complete, nctl prints a summary report of the policy status for the resources in the cluster, grouped by policy category and by namespace. To view detailed reports, use the
Scan specific namespaces
nctl scan --namespace <comma-separated-list>
To scan only specific namespaces in the cluster, use the --namespace flag with a comma-separated list of namespace names.
Scan cluster using custom policies
nctl scan --policies /path/to/policies
nctl scan --policies https://github.com/repo/containing/policies
To scan against custom policies, use the --policies flag to point to a directory containing the policies, or to a GitHub repo containing them.
Scan specific resource files
nctl scan --resource /path/to/resource/files
To scan specific resource files instead of all the resources in a cluster, use the --resource flag to point to a directory containing the resource files. Combined with the --policies flag, this lets the command run in a CI pipeline to check Kubernetes manifests for misconfigurations before they are applied to a cluster.
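As an added example (not code from the nctl documentation or the nctl project), the following POSIX shell wrapper combines the options covered above: scan_cluster runs the live-cluster scan with an explicit kubeconfig and an optional namespace list, and scan_manifests runs the manifest scan used in a CI step with --resource and --policies. The function names, the input checks and the exit code 2 for usage errors are this example's own; it also assumes that nctl is on PATH and that a scan with policy violations exits non-zero, which the page does not state.

```shell
#!/bin/sh
# Added example, not code from the nctl documentation or project.
# Assumptions not stated on the page: nctl is on PATH, and a scan that
# finds policy violations exits non-zero. Only flags the page documents
# are used: --kubeconfig, --namespace, --resource, --policies.
set -u

# Return 0 if nctl is available, 2 (this script's usage-error code) if not.
require_nctl() {
    if ! command -v nctl >/dev/null 2>&1; then
        echo "nctl not found on PATH" >&2
        return 2
    fi
}

# scan_cluster KUBECONFIG [NAMESPACES]
# Scan the cluster a kubeconfig points to, optionally limited to a
# comma-separated namespace list, against the default curated policysets.
scan_cluster() {
    kubeconfig="$1"
    namespaces="${2:-}"
    if [ ! -f "$kubeconfig" ]; then
        echo "kubeconfig not found: $kubeconfig" >&2
        return 2
    fi
    require_nctl || return $?
    if [ -n "$namespaces" ]; then
        nctl scan --kubeconfig "$kubeconfig" --namespace "$namespaces"
    else
        nctl scan --kubeconfig "$kubeconfig"
    fi
}

# scan_manifests MANIFEST_DIR POLICIES
# Scan the manifest files in a directory against custom policies (a CI step).
# POLICIES is a local directory or a GitHub repo URL, as the page describes.
scan_manifests() {
    manifests="$1"
    policies="$2"
    if [ ! -d "$manifests" ]; then
        echo "manifest directory not found: $manifests" >&2
        return 2
    fi
    case "$policies" in
        https://github.com/*) ;;
        *)
            if [ ! -d "$policies" ]; then
                echo "policy directory not found: $policies" >&2
                return 2
            fi
            ;;
    esac
    require_nctl || return $?
    # Propagate nctl's exit status so the CI job fails on findings.
    nctl scan --resource "$manifests" --policies "$policies"
}

# Typical CI usage (uncomment in a pipeline step):
# scan_manifests ./k8s ./policies || exit $?
```

Validating the inputs before calling nctl keeps a typo in a pipeline variable from silently scanning the wrong directory or an empty one, and returning nctl's own status rather than swallowing it is what makes the job fail on a finding.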
The scan command supports the following output formats (use the
- pretty-print: display the result as a table on the console
- json: render the result as JSON
- yaml: render the result as YAML