# Security Audit

## Overview

Krust includes a built-in security audit engine that scans your cluster resources against common best-practice checks. Results are presented in a single view with severity levels and actionable recommendations.

## How to Use

Navigate to the Security Audit tab in the sidebar. Krust runs all checks automatically against the current cluster context. Findings are grouped by category and can be filtered by severity.

## Check Categories

### Pod Security

Checks related to pod-level security configuration.

| Check | Severity | Description |
|---|---|---|
| Privileged containers | Critical | Containers running with `privileged: true` |
| Host PID / Network / IPC | Critical | Pods sharing host namespaces (`hostPID`, `hostNetwork`, `hostIPC`) |
| Run as root | High | Containers running as UID 0 or without `runAsNonRoot: true` |
| Read-only root filesystem | Medium | Containers without `readOnlyRootFilesystem: true` |
| Privilege escalation | High | Containers without `allowPrivilegeEscalation: false` |
| Capability drops | Medium | Containers that do not drop `ALL` capabilities |
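The Pod Security checks above, as an added example that is not Krust's own code: a small Python re-implementation of this category over a Pod manifest parsed into a dict, using the field names and severities from the table and two constructed sample Pods.

```python
# Added example, not Krust's own code: a minimal re-implementation of the
# Pod Security checks above, run over a Pod manifest parsed into a dict.
from typing import Any

def audit_pod(pod: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Run the Pod Security checks against one Pod; findings sorted by severity."""
    findings: list[tuple[str, str, str]] = []  # (severity, check, detail)
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    shared = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    if shared:
        findings.append(("Critical", "Host PID / Network / IPC",
                         f"{name} shares {', '.join(shared)}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        if sc.get("privileged"):
            findings.append(("Critical", "Privileged containers",
                             f"{cname} has privileged: true"))
        # Container-level settings win; fall back to the pod-level securityContext.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or non_root is not True:
            findings.append(("High", "Run as root",
                             f"{cname} runs as UID 0 or lacks runAsNonRoot: true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("High", "Privilege escalation",
                             f"{cname} lacks allowPrivilegeEscalation: false"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("Medium", "Read-only root filesystem",
                             f"{cname} lacks readOnlyRootFilesystem: true"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("Medium", "Capability drops",
                             f"{cname} does not drop ALL capabilities"))
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed samples: one misconfigured Pod and one that passes every check.
INSECURE_POD = {"metadata": {"name": "demo"}, "spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "nginx", "securityContext": {"privileged": True, "runAsUser": 0}}]}}
HARDENED_POD = {"metadata": {"name": "demo"}, "spec": {"containers": [
    {"name": "app", "image": "nginx", "securityContext": {
        "runAsNonRoot": True, "runAsUser": 10001, "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for sev, check, detail in audit_pod(INSECURE_POD):
        print(f"[{sev}] {check}: {detail}")
```

The insecure sample yields all six findings in the table; the hardened one yields none, which is the state the audit view should show for a compliant Pod.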
### Image Security

Checks related to container image hygiene.

| Check | Severity | Description |
|---|---|---|
| Latest tag | High | Images using the `:latest` tag or no tag at all |
| Image pull policy | Medium | Containers without `imagePullPolicy: Always` when using mutable tags |
| No digest pinning | Low | Images not pinned to a specific digest (`@sha256:...`) |
### Resource Limits

Checks for missing or misconfigured resource requests and limits.

| Check | Severity | Description |
|---|---|---|
| Missing CPU requests | Medium | Containers without CPU resource requests |
| Missing memory requests | Medium | Containers without memory resource requests |
| Missing CPU limits | Medium | Containers without CPU resource limits |
| Missing memory limits | High | Containers without memory limits risk OOM-killing other workloads |
### Node Health

Checks related to node-level conditions and configuration.

| Check | Severity | Description |
|---|---|---|
| Not Ready nodes | Critical | Nodes in `NotReady` condition |
| Disk pressure | High | Nodes reporting `DiskPressure` condition |
| Memory pressure | High | Nodes reporting `MemoryPressure` condition |
| PID pressure | Medium | Nodes reporting `PIDPressure` condition |
| Unschedulable | Medium | Nodes cordoned or marked unschedulable |
### RBAC Permissions

Checks for overly broad RBAC policies.

| Check | Severity | Description |
|---|---|---|
| Wildcard verbs | Critical | Roles or ClusterRoles granting `*` verbs |
| Wildcard resources | Critical | Roles or ClusterRoles granting access to `*` resources |
| Secrets access | High | Roles granting `get`, `list`, or `watch` on `secrets` |
| Cluster-admin binding | Critical | ClusterRoleBindings referencing the `cluster-admin` role |
### Service Account

Checks related to service account configuration.

| Check | Severity | Description |
|---|---|---|
| Default service account | Medium | Pods using the `default` service account |
| Auto-mounted token | Medium | Service accounts with `automountServiceAccountToken: true` when not needed |
## Severity Levels

| Level | Meaning |
|---|---|
| Critical | Immediate security risk that should be addressed urgently |
| High | Significant security concern that could lead to exploitation |
| Medium | Best-practice violation that weakens security posture |
| Low | Minor improvement opportunity for defense in depth |