Phy K8s Security Audit
v1.9
Kubernetes manifest security auditor (CIS Kubernetes Benchmark). Scans every YAML/JSON manifest in a repository and checks for privileged containers, hostNetwork/hostPID/hostIPC, dangerous hostPath mounts, missing resource limits and probes, `:latest` image tags, over-permissive RBAC (cluster-admin bindings, wildcard verbs), secrets in environment variables, missing NetworkPolicy, and missing seccomp/AppArmor profiles. Findings are mapped to CIS Benchmark controls and to PSS (Pod Security Standards) profiles. Depends only on PyYAML, nothing else. No competing skill on ClawHub.
Runtime dependencies: PyYAML (pip install pyyaml)
Install command
phy-k8s-security-audit

Audits Kubernetes YAML against the CIS Kubernetes Benchmark v1.9 and the Pod Security Standards (PSS).

Supported kinds: Deployment, StatefulSet, DaemonSet, Pod, Job, CronJob, Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, NetworkPolicy.

It is a CLI that reads manifest files from disk; it does not call the GitHub API or talk to a running Kubernetes cluster. Motivating incident: the Tesla Kubernetes cluster that was cryptojacked. Key concepts covered: RBAC, cluster-admin, automountServiceAccountToken.

Checks

Pod and container checks

| Check | Severity | CIS | PSS |
|---|---|---|---|
| privileged: true | CRITICAL | 5.2.1 | yes |
| allowPrivilegeEscalation: true | HIGH | 5.2.5 | yes |
| runAsNonRoot not set | HIGH | 5.2.6 | yes |
| runAsUser: 0 | HIGH | 5.2.6 | |
| hostNetwork: true | HIGH | 5.2.4 | yes |
| hostPID: true | HIGH | 5.2.2 | yes |
| hostIPC: true | HIGH | 5.2.3 | yes |
| hostPath volume | HIGH | 5.2.11 | |
| capabilities.add (dangerous capability) | CRITICAL | 5.2.8 | |
| capabilities.drop: [ALL] missing | MEDIUM | 5.2.7 | yes |
| resource requests and limits missing | MEDIUM | 5.2.13 | |
| image: :latest | MEDIUM | | |
| imagePullPolicy: Never | MEDIUM | | |
| readinessProbe missing | LOW | | |
| livenessProbe missing | LOW | | |
| Secrets in environment variables | HIGH | 5.4.1 | |
| seccompProfile missing | MEDIUM | 5.7.2 | yes |
| securityContext missing | MEDIUM | 5.7.1 | |
| readOnlyRootFilesystem: false | MEDIUM | | yes |

RBAC checks

| Check | Severity | CIS | PSS |
|---|---|---|---|
| ClusterRoleBinding to cluster-admin | CRITICAL | 5.1.1 | |
| Role/ClusterRole with wildcard verbs | HIGH | 5.1.3 | |
| Role with read access to secrets (get/list/watch) | HIGH | 5.1.2 | |
| ServiceAccount (automountServiceAccountToken) | MEDIUM | 5.1.5 | |

Network checks

| Check | Severity | CIS | PSS |
|---|---|---|---|
| NetworkPolicy missing | HIGH | 5.3.2 | |
| NetworkPolicy | MEDIUM | | |
| Service | LOW | 5.4.2 | |

PSS profiles: Privileged, Baseline, Restricted.

Usage

```
python3 audit_k8s.py [path] [--json] [--ci] [--min-severity HIGH]
```

audit_k8s.py:

```python
#!/usr/bin/env python3
"""phy-k8s-security-audit: audit Kubernetes manifests against the CIS Kubernetes Benchmark.

Usage: python3 audit_k8s.py [path] [--json] [--ci] [--min-severity HIGH]
Requires PyYAML: pip install pyyaml
"""
import argparse
import json
import os
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Optional

try:
    import yaml
    HAS_YAML = True
except ImportError:
    HAS_YAML = False
    print("Warning: PyYAML not found. Install with: pip install pyyaml", file=sys.stderr)
    sys.exit(1)

CRITICAL, HIGH, MEDIUM, LOW = "CRITICAL", "HIGH", "MEDIUM", "LOW"
SEV_ORDER = {CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3}
ICONS = {CRITICAL: "", HIGH: "", MEDIUM: "", LOW: ""}  # per-severity display icon

# Capabilities whose addition makes container escape or host tampering easy.
DANGEROUS_CAPS = {
    "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "ALL",
    "SYSLOG", "DAC_READ_SEARCH", "LINUX_IMMUTABLE", "NET_BROADCAST",
    "IPC_LOCK", "WAKE_ALARM", "BLOCK_SUSPEND",
}
# "*" is the RBAC wildcard verb; the rest are write verbs.
SENSITIVE_RBAC_VERBS = {"*", "create", "delete", "deletecollection", "patch", "update"}
# Any of these verbs on the `secrets` resource exposes secret material.
SECRET_VERBS = {"get", "list", "watch", "*"}


@dataclass
class Finding:
    file: str
    resource_kind: str
    resource_name: str
    check_id: str
    severity: str
    title: str
    detail: str
    remediation: str
    cis_ref: Optional[str] = None
    pss_profile: Optional[str] = None


def get_name(obj: dict) -> str:
    return obj.get("metadata", {}).get("name", "")


def get_namespace(obj: dict) -> str:
    return obj.get("metadata", {}).get("namespace", "default")


def check_container_security(
    container: dict,
    file: str,
    kind: str,
    resource_name: str,
    is_init: bool = False,
) -> list[Finding]:
    """Run the per-container checks from the table above on one container spec."""
    findings = []
    sc = container.get("securityContext", {})
    cname = container.get("name", "")
    label = f"{resource_name}/{cname}" + (" (init)" if is_init else "")

    def add(check: Finding):
        findings.append(check)

    # ...
    return findings
```
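The checks the table maps to CIS and PSS, as an added example that is not the skill's own code: it reimplements a subset of the pod-level, container-level and RBAC rows with the same severities and CIS references, runs them over constructed manifests, and adds the `--ci` style exit-code gate. Assumptions: `SECRET_NAME_HINTS` is my own heuristic for "secrets in environment variables", untagged images are flagged together with `:latest` because an untagged reference resolves to `latest`, the PSS column names the profile (Baseline or Restricted) that forbids the setting per the Pod Security Standards, and all function names and sample manifests are constructed here. In real use `audit()` would be fed the objects returned by `yaml.safe_load_all()` for every manifest file.

```python
"""Added example (not the project's own code): compact pod, container and RBAC
checks from the table above, run over constructed manifests."""
from collections import namedtuple
from typing import Optional

SEV_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "ALL"}
# Assumption: a credential-looking env name with a literal `value` (no secretKeyRef) is a secret in env.
SECRET_NAME_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")
# cis: CIS Kubernetes Benchmark section-5 control; pss: PSS profile (Baseline/Restricted) that forbids it
Finding = namedtuple("Finding", "kind name severity title cis pss", defaults=(None, None))

def pod_spec(obj: dict) -> Optional[dict]:
    kind, spec = obj.get("kind"), obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob -> jobTemplate -> template -> spec
        kind, spec = "Job", (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") if kind in TEMPLATE_KINDS else None

def check_container(c: dict, kind: str, name: str) -> list:
    sc = c.get("securityContext") or {}
    caps, tag, out = sc.get("capabilities") or {}, f"{name}/{c.get('name', '?')}", []
    if sc.get("privileged") is True:
        out.append(Finding(kind, tag, "CRITICAL", "privileged: true", "5.2.1", "Baseline"))
    if sc.get("runAsUser") == 0:
        out.append(Finding(kind, tag, "HIGH", "runAsUser: 0", "5.2.6", "Restricted"))
    added = set(caps.get("add") or []) & DANGEROUS_CAPS
    if added:
        out.append(Finding(kind, tag, "CRITICAL", f"capabilities.add {sorted(added)}", "5.2.8"))
    if "ALL" not in (caps.get("drop") or []):
        out.append(Finding(kind, tag, "MEDIUM", "capabilities.drop lacks ALL", "5.2.7", "Restricted"))
    image = c.get("image", "")  # an untagged reference resolves to :latest, so flag it as well
    if image.endswith(":latest") or ":" not in image.rsplit("/", 1)[-1]:
        out.append(Finding(kind, tag, "MEDIUM", f"mutable image tag: {image}"))
    if not (c.get("resources") or {}).get("limits"):
        out.append(Finding(kind, tag, "MEDIUM", "no resources.limits", "5.2.13"))
    for env in c.get("env") or []:
        if "value" in env and any(h in env.get("name", "").upper() for h in SECRET_NAME_HINTS):
            out.append(Finding(kind, tag, "HIGH", f"literal secret in env {env['name']}", "5.4.1"))
    return out

def check_pod(spec: dict, kind: str, name: str) -> list:
    out = []
    for key, cis in (("hostNetwork", "5.2.4"), ("hostPID", "5.2.2"), ("hostIPC", "5.2.3")):
        if spec.get(key) is True:
            out.append(Finding(kind, name, "HIGH", f"{key}: true", cis, "Baseline"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            out.append(Finding(kind, name, "HIGH", f"hostPath {(vol['hostPath'] or {}).get('path')}", "5.2.11", "Baseline"))
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        out.extend(check_container(c, kind, name))
    return out

def check_rbac(obj: dict, kind: str, name: str) -> list:
    out = []
    if kind.endswith("Binding") and (obj.get("roleRef") or {}).get("name") == "cluster-admin":
        out.append(Finding(kind, name, "CRITICAL", "binds cluster-admin", "5.1.1"))
    rules = obj.get("rules") or [] if kind in ("Role", "ClusterRole") else []
    for rule in rules:
        verbs, res = set(rule.get("verbs") or []), set(rule.get("resources") or [])
        if "*" in verbs or "*" in res:
            out.append(Finding(kind, name, "HIGH", "wildcard verb or resource", "5.1.3"))
        if "secrets" in res and verbs & {"get", "list", "watch", "*"}:
            out.append(Finding(kind, name, "HIGH", "can read secrets", "5.1.2"))
    return out

def audit(objects) -> list:
    """Run every check over parsed manifests; returns findings, worst severity first."""
    out = []
    for obj in objects:
        if not isinstance(obj, dict) or "kind" not in obj:
            continue  # empty YAML documents or stray scalars
        kind, name = obj["kind"], (obj.get("metadata") or {}).get("name", "?")
        if (spec := pod_spec(obj)) is not None:
            out.extend(check_pod(spec, kind, name))
        out.extend(check_rbac(obj, kind, name))
    return sorted(out, key=lambda f: SEV_ORDER[f.severity])

def ci_exit_code(findings, min_severity: str = "HIGH") -> int:
    """1 when anything at or above min_severity was found, else 0 (the --ci gate)."""
    return int(any(SEV_ORDER[f.severity] <= SEV_ORDER[min_severity] for f in findings))

# Constructed sample manifests, not taken from any real cluster.
BAD_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "miner"}, "spec": {"template": {"spec": {
    "hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "registry.example/app:latest",
                    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
                    "securityContext": {"privileged": True, "runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-admin"},
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
WILD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "everything"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "ok"}, "spec": {"containers": [{
    "name": "web", "image": "nginx:1.25", "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
    "securityContext": {"runAsUser": 1000, "capabilities": {"drop": ["ALL"]}}}]}}
```

Running `audit([BAD_DEPLOYMENT, ADMIN_BINDING, WILD_ROLE, GOOD_POD])` yields eleven findings, three of them CRITICAL (privileged, SYS_ADMIN added, cluster-admin bound), and `ci_exit_code` returns 1 for that set and 0 for `GOOD_POD` alone, which is the behaviour a CI job wants from `--ci --min-severity HIGH`. Note that `WILD_ROLE` is not reported under 5.1.2: its resources are `*`, not `secrets`, so a wildcard role passes the secrets check and is caught only by the wildcard check.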