Security check

Kubernetes security: find the misconfiguration before the attacker

Most Kubernetes breaches start in a misconfiguration, not a zero-day. We check your manifests and cluster against hardening best practice and prioritise what actually opens a way in.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” operational security ISO 27001 Β· A.8.9 configuration management CIS Β· Controls v8

What we check

We review your Kubernetes manifests (and optionally the running cluster) against Kubernetes hardening best practice (mapped to CIS Controls): privileged containers, running as root, missing resource limits, overly broad RBAC roles, exposed Secrets and missing network policies. Note: these are targeted hardening checks, not a full CIS Kubernetes Benchmark / kube-bench run.

Why it matters

A privileged pod or an over-broad RBAC role turns a small breach into full cluster compromise. Configuration management is a core control in ISO 27001 and NIS2 β€” and Kubernetes defaults are rarely secure.

How Security Guru tests it

Common mistakes

  • Containers running as root with no security context
  • RBAC roles with * on verbs/resources
  • No NetworkPolicies β†’ flat internal traffic
  • Secrets as plaintext environment variables in the manifests

What you get in the report

  • Misconfigurations ranked by how much they open
  • RBAC roles that grant more than they need
  • Concrete manifest changes per finding
  • Mapping to CIS Controls v8 / ISO A.8.9

FAQ

Do you need cluster access?

Manifest review only needs your YAML files. Live cluster review needs a read role and can run self-hosted.

Does it cover managed Kubernetes (EKS/GKE/AKS)?

Yes β€” the checks apply to manifests and RBAC regardless of where the cluster runs.

Do you change anything in the cluster?

No. The review is read-only; we propose changes, you apply them.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan