crazygit/kube-audit-kit

A Claude Code Skill for non-intrusive security audits of Kubernetes clusters.

License: Unknown | Language: Python | 230

Tags: audit, claude-code, Kubernetes, skill

Deep Analysis

A Claude Code Skill for non-intrusive security audits of Kubernetes clusters, performing comprehensive security compliance checks based on industry standards.

Core Features

Technical Implementation

Highlights
  • Non-intrusive operation - uses only get/list
  • Full coverage - dynamically discovers all resource types
  • Based on industry standards - follows Pod Security Standards, NSA Kubernetes Guidelines and the CIS Benchmark
  • Smart grouping - associates application resources based on workload topology
  • Full type annotations
  • Nice output - colored console output via the Rich library
Use Cases
  • Security compliance audits of production Kubernetes clusters
  • Security checks before application deployment
  • Security assessment before cluster migration
  • Periodic security audits and monitoring
  • RBAC permission normalization checks
  • Network isolation policy verification
Limitations
  • Requires kubectl to be configured with access to the target cluster
  • The output directory contains Secret data and must be securely deleted
  • Depends on Python >= 3.14 and the uv package manager
  • Only runs against an already configured kubectl context
Tech Stack
Python >= 3.14, kubectl, uv, Claude API, Rich, Kubernetes API


Kube Audit Kit

Kube Audit Kit is a Claude Code Skill for non-intrusive security audits of Kubernetes clusters.

Kube Audit Kit exports all resources in a specified Context/Namespace, deeply sanitizes them, groups applications intelligently, and generates a comprehensive security audit report based on the following industry standards:


Features

  • Non-intrusive: Only get/list operations, no changes to cluster state
  • Full coverage: Dynamically discovers all namespaced resource types, with a small exclude list for low-value resources (e.g., events, bindings)
  • Smart grouping: Associates application resources based on workload topology
  • Dual audit: Scripted static scan + AI expert deep analysis
  • Type safety: Full Python type annotations
  • Nice output: Rich-powered colored console output

Security Coverage

🛡️ Pod Security (Based on PSS/NSA)

Based on Pod Security Standards and NSA Kubernetes Guidelines

| Check Item | Description |
| --- | --- |
| Privileged Mode | Detect privileged: true |
| Host Namespaces | Detect hostNetwork, hostPID, hostIPC |
| Capabilities | Detect dangerous capabilities add/drop |
| Security Context | Detect runAsNonRoot, readOnlyRootFilesystem |
| Resource Limits | Detect CPU/memory requests and limits |
| Health Checks | Detect liveness/readiness/startup probes |
| Image Safety | Detect :latest tag usage |

🔐 RBAC Audit

Based on CIS Kubernetes Benchmark and Kubernetes RBAC

| Check Item | Description |
| --- | --- |
| Wildcards | Detect * in verbs/resources/apiGroups |
| High Privilege | Detect cluster-admin/admin/edit/view roles |
| Over-privilege | Analyze Role/ClusterRole rule scope |

🌐 Network Security Audit

Based on NSA Network Policy Guidelines and CIS NetworkPolicy

| Check Item | Description |
| --- | --- |
| NetworkPolicy | Detect namespace network policy protection |
| Service Exposure | Detect LoadBalancer/NodePort/externalIPs |
| Ingress Config | Detect TLS configuration and exposed hosts |
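The three network checks in the table above, as an added example that is not kube-audit-kit's own audit.py: it takes one namespace's exported objects as plain dicts (the shape `kubectl get ... -o json` returns), reports a namespace with no NetworkPolicy at all, reports which traffic direction lacks a namespace-wide policy, flags NodePort/LoadBalancer Services and externalIPs, and lists Ingress hosts that have no matching `tls` entry. The check ids, severities and the sample objects are assumptions made for this illustration.

```python
"""Namespace network exposure checks: NetworkPolicy coverage, Service exposure, Ingress TLS.

Added example, not kube-audit-kit's own code; check ids and severities are assumptions.
"""
from __future__ import annotations

Finding = tuple[str, str, str]  # (severity, check id, detail)


def _policy_types(policy: dict) -> set[str]:
    """Effective policyTypes: the explicit list, else Ingress (+ Egress when egress rules exist)."""
    spec = policy.get("spec", {})
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def _selects_all_pods(policy: dict) -> bool:
    """An empty podSelector selects every pod in the namespace."""
    sel = policy.get("spec", {}).get("podSelector", {})
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def check_network(resources: list[dict]) -> list[Finding]:
    """Audit one namespace's exported Service/Ingress/NetworkPolicy objects."""
    f: list[Finding] = []

    def by_kind(kind: str) -> list[dict]:
        return [r for r in resources if r.get("kind") == kind]

    policies = by_kind("NetworkPolicy")
    if not policies:
        f.append(("Warning", "networkpolicy", "namespace has no NetworkPolicy; every pod accepts traffic from anywhere"))
    else:
        covered: set[str] = set()
        for p in policies:
            if _selects_all_pods(p):
                covered |= _policy_types(p)
        for direction in ("Ingress", "Egress"):
            if direction not in covered:
                f.append(("Info", "networkpolicy", f"no namespace-wide NetworkPolicy covers {direction} traffic"))

    for svc in by_kind("Service"):
        spec, name = svc.get("spec", {}), svc["metadata"]["name"]
        if spec.get("type") in ("LoadBalancer", "NodePort"):
            f.append(("Warning", "service-exposure", f"Service {name} is type {spec['type']}"))
        if spec.get("externalIPs"):
            f.append(("Warning", "service-exposure", f"Service {name} sets externalIPs {spec['externalIPs']}"))

    for ing in by_kind("Ingress"):
        spec, name = ing.get("spec", {}), ing["metadata"]["name"]
        tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            host = rule.get("host", "*")
            if host not in tls_hosts:
                f.append(("Warning", "ingress-tls", f"Ingress {name} exposes {host} without TLS"))
    return f


# Constructed sample namespace export: ingress-only default deny, one NodePort Service,
# one Ingress with a host that is not covered by its tls block.
SAMPLE = [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"kind": "Service", "metadata": {"name": "web"}, "spec": {"type": "NodePort", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "db"}, "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
    {"kind": "Ingress", "metadata": {"name": "web"},
     "spec": {"tls": [{"hosts": ["shop.example.com"]}],
              "rules": [{"host": "shop.example.com"}, {"host": "admin.example.com"}]}},
]

if __name__ == "__main__":
    for sev, check, detail in check_network(SAMPLE):
        print(f"[{sev}] {check}: {detail}")
```

The NetworkPolicy check deliberately distinguishes "no policy at all" from "no namespace-wide policy for one direction": a policy with an empty podSelector and only `Ingress` in policyTypes leaves egress unrestricted, which is exactly what the sample reports.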

💾 HostPath Mount Detection

Based on CIS Kubernetes Benchmark 5.2.3 and NSA Guidelines Section 3.3

| Check Item | Description |
| --- | --- |
| hostPath | Detect host path mounts |
| Dangerous Path | Identify docker.sock, /etc, /root, etc. |
| Risk Levels | Rate by Critical/Warning |

🛡️ Security Policy Checks

Based on Kubernetes seccomp and AppArmor Documentation

| Check Item | Description |
| --- | --- |
| seccomp | Detect seccompProfile configuration |
| AppArmor | Detect AppArmor annotation settings |
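The Pod Security, hostPath and seccomp/AppArmor tables above describe checks that all operate on one pod template, so here they are implemented together as one added example (not kube-audit-kit's own audit.py). It accepts either a bare Pod or a workload carrying `spec.template`, rates hostPath mounts Critical or Warning depending on the path, honours settings inherited from the pod-level securityContext, and accepts either the legacy AppArmor annotation or the `appArmorProfile` field. The check ids, severities and the `DANGEROUS_CAPS` / `DANGEROUS_HOST_PATHS` lists are assumptions for illustration; the two manifests are constructed samples.

```python
"""Pod-level static checks: Pod Security (PSS/NSA), hostPath mounts, seccomp/AppArmor.

Added example, not kube-audit-kit's own scripts. Check ids, severities and the
DANGEROUS_CAPS / DANGEROUS_HOST_PATHS lists are assumptions for illustration.
"""
from __future__ import annotations
from collections import Counter

Finding = tuple[str, str, str]  # (severity, check id, detail)
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
DANGEROUS_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/etc", "/root", "/var/lib/kubelet")


def _dangerous_path(path: str) -> bool:
    """True for '/', a listed path, or anything underneath a listed path."""
    norm = path.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in DANGEROUS_HOST_PATHS)


def _pod_template(obj: dict) -> tuple[dict, dict]:
    """Return (pod metadata, pod spec) for a bare Pod or a workload carrying a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("metadata", {}), obj.get("spec", {})
    tmpl = obj.get("spec", {}).get("template", {})
    return tmpl.get("metadata", {}), tmpl.get("spec", {})


def check_pod(obj: dict) -> list[Finding]:
    """Run every pod-level check against one object and return the findings."""
    meta, spec = _pod_template(obj)
    name = obj.get("metadata", {}).get("name", "?")
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    f: list[Finding] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            f.append(("Critical", "host-namespace", f"{name}: {flag}=true"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            sev = "Critical" if _dangerous_path(path) else "Warning"
            f.append((sev, "hostPath", f"{name}: volume {vol.get('name')} mounts {path}"))
    # seccomp may be set once at pod level or on every container.
    if "seccompProfile" not in pod_sc and not all("seccompProfile" in c.get("securityContext", {}) for c in containers):
        f.append(("Warning", "seccomp", f"{name}: no seccompProfile at pod or container level"))
    annotations = meta.get("annotations", {})
    for c in containers:
        cname, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            f.append(("Critical", "privileged", f"{name}/{cname}: privileged=true"))
        bad_caps = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if bad_caps:
            f.append(("Critical", "capabilities", f"{name}/{cname}: adds {sorted(bad_caps)}"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):  # inherited from pod level
            f.append(("Warning", "runAsNonRoot", f"{name}/{cname}: runAsNonRoot not set"))
        if not sc.get("readOnlyRootFilesystem"):
            f.append(("Warning", "readOnlyRootFilesystem", f"{name}/{cname}: writable root filesystem"))
        res = c.get("resources", {})
        if not res.get("requests") or not res.get("limits"):
            f.append(("Warning", "resources", f"{name}/{cname}: missing requests or limits"))
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                f.append(("Info", "probes", f"{name}/{cname}: no {probe}"))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # drop registry/repo so a registry port is not read as a tag
        if last.endswith(":latest") or (":" not in last and "@" not in last):
            f.append(("Warning", "image-tag", f"{name}/{cname}: image {image!r} is not pinned"))
        # AppArmor: the per-container annotation, or the appArmorProfile field (Kubernetes 1.30+).
        ann_key = f"container.apparmor.security.beta.kubernetes.io/{cname}"
        if ann_key not in annotations and "appArmorProfile" not in sc and "appArmorProfile" not in pod_sc:
            f.append(("Info", "apparmor", f"{name}/{cname}: no AppArmor profile"))
    return f


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'Critical': 4, 'Warning': 6, 'Info': 3}."""
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed samples: a deliberately weak Deployment and a Pod that passes every check.
BAD_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "legacy-agent"},
    "spec": {"template": {"metadata": {}, "spec": {
        "hostPID": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "data", "hostPath": {"path": "/data"}}],
        "containers": [{"name": "agent", "image": "agent:latest",
                        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}},
}
GOOD_POD = {
    "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"},
                                 "appArmorProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "api", "image": "ghcr.io/example/api:1.4.2",
                             "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False},
                             "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                           "limits": {"cpu": "500m", "memory": "256Mi"}},
                             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                             "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]},
}

if __name__ == "__main__":
    for sev, check, detail in check_pod(BAD_DEPLOYMENT):
        print(f"[{sev:8}] {check:22} {detail}")
    print(summarize(check_pod(BAD_DEPLOYMENT)), check_pod(GOOD_POD))
```

Running it on the weak Deployment yields four Critical findings (hostPID, the docker.sock mount, privileged mode and SYS_ADMIN), while the `/data` mount is only a Warning; the hardened Pod produces no findings at all, which is the property a report consumer should be able to rely on.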

🔄 High Availability Configuration

Based on Kubernetes PodDisruptionBudget and CIS Benchmark 5.2.9

| Check Item | Description |
| --- | --- |
| PodDisruptionBudget | Detect PDB configuration |
| Secret Type | Detect whether Secret type is appropriate |
| ServiceAccount | Detect automountServiceAccountToken |

🔍 Sensitive Data Scan

Based on NSA Guidelines Section 4.2 and CIS Benchmark Secret Management

| Check Item | Description |
| --- | --- |
| ConfigMap Scan | Detect sensitive keywords and high entropy strings |
| Secret Analysis | Detect non-sensitive data stored in Secret |
| Usage Distinction | Distinguish Volume mounts vs EnvVar refs |
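The three rows above, implemented as an added example (not kube-audit-kit's own scanner): a keyword match on ConfigMap key names, a Shannon entropy test on whitespace-free tokens to catch credentials pasted into plain configuration, the reverse check on Secrets (config-like keys or low-entropy decoded values), and a walk over a pod spec to report whether a Secret is consumed as a volume, a `secretKeyRef` env var, or `envFrom`. The regexes, thresholds and the sample objects are assumptions; the token in the samples is random-looking filler, not a real credential.

```python
"""ConfigMap / Secret content checks and Secret usage distinction.

Added example, not kube-audit-kit's own scanner; patterns, thresholds and samples are assumptions.
"""
from __future__ import annotations
import base64
import math
import re
from collections import Counter

SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential", re.I)
SECRET_VALUE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]{10,}\.")
CONFIG_KEY = re.compile(r"^(log[_-]?level|env(ironment)?|port|host|url|replicas|timeout|debug)$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.58 for 24 distinct characters, 0 for one repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_configmap(cm: dict, min_len: int = 20, threshold: float = 4.0) -> list[tuple[str, str]]:
    """Return (key, reason) pairs for ConfigMap entries that look like they hold credentials."""
    hits: list[tuple[str, str]] = []
    for key, value in (cm.get("data") or {}).items():
        value = str(value)
        if SENSITIVE_KEY.search(key):
            hits.append((key, "sensitive-key-name"))
        if SECRET_VALUE.search(value):
            hits.append((key, "secret-pattern"))
        for tok in re.findall(r"\S+", value):  # entropy is measured per token, not per blob
            if len(tok) >= min_len and shannon_entropy(tok) >= threshold:
                hits.append((key, f"high-entropy:{tok[:6]}..."))
                break
    return hits


def scan_secret(secret: dict, low_entropy: float = 2.5) -> list[tuple[str, str]]:
    """Flag Secret entries that look like ordinary configuration rather than credentials."""
    hits: list[tuple[str, str]] = []
    for key, b64 in (secret.get("data") or {}).items():
        value = base64.b64decode(b64).decode("utf-8", "replace")  # Secret.data is base64-encoded
        if CONFIG_KEY.match(key):
            hits.append((key, "config-like-key"))
        elif shannon_entropy(value) < low_entropy and not SECRET_VALUE.search(value):
            hits.append((key, "low-entropy-value"))  # heuristic: short plain words trip this too
    return hits


def secret_usages(pod_spec: dict, secret_name: str) -> set[str]:
    """How a pod consumes a Secret: 'volume', 'env' (secretKeyRef) and/or 'envFrom'."""
    uses: set[str] = set()
    for vol in pod_spec.get("volumes", []):
        if vol.get("secret", {}).get("secretName") == secret_name:
            uses.add("volume")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in c.get("env", []):
            if env.get("valueFrom", {}).get("secretKeyRef", {}).get("name") == secret_name:
                uses.add("env")
        for src in c.get("envFrom", []):
            if src.get("secretRef", {}).get("name") == secret_name:
                uses.add("envFrom")
    return uses


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed samples. TOKEN is filler with 24 distinct characters, not a real credential.
TOKEN = "Zq7vR2mLx9PwK4tN8bJ3yH6s"
CONFIGMAP = {"kind": "ConfigMap", "data": {"log_level": "info", "db_password": TOKEN}}
SECRET = {"kind": "Secret", "data": {"LOG_LEVEL": _b64("debug"), "DB_PASSWORD": _b64(TOKEN)}}
POD_SPEC = {
    "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
    "containers": [{"name": "app", "env": [{"name": "DB_PASSWORD",
                    "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "DB_PASSWORD"}}}]}],
}

if __name__ == "__main__":
    print(scan_configmap(CONFIGMAP), scan_secret(SECRET), secret_usages(POD_SPEC, "db-creds"))
```

The usage distinction matters for the report: a Secret mounted as a volume is readable from the container filesystem, while one injected via env vars also leaks into `kubectl describe pod`, crash dumps and child processes, so the same Secret deserves a different note depending on how it is consumed.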

Installation

Option 1: Install as a Personal Skill (Recommended)

Install the skill to your personal directory so it is available in all projects:

git clone https://github.com/crazygit/kube-audit-kit.git ~/.claude/skills/kube-audit-kit

Option 2: Install as a Project Skill

Install the skill in a specific project so it is only available there:

git clone https://github.com/crazygit/kube-audit-kit.git .claude/skills/kube-audit-kit

After Installation

Verify the skill is loaded using either method:

Option 1: Use /skills

/skills

Option 2: Ask Claude

What Skills are available?

If kube-audit-kit appears in the list, the skill is loaded.

Note: The latest Claude Code client supports auto hot-reload, so restart is usually unnecessary. If the skill is missing, try restarting Claude Code.


Usage

A restart is usually unnecessary after installation. If it does not take effect, restart Claude Code.

Trigger the Skill

Based on SKILL.md, you can trigger the skill with prompts like:

"Audit production prod-cluster namespace backend"
"Check payment service in staging cluster staging-cluster"
"Analyze all apps in dev cluster dev-cluster"

Or use more general phrasing:

"Please audit the my-namespace namespace in my-context"
"Help me audit cluster-1"

Claude will detect your intent, use the kube-audit-kit skill, and ask for Context and Namespace.

Full Workflow

The skill executes the following steps:

  1. Export resources - Use kubectl get/list to export all resource types
  2. Sanitize resources - Remove status fields and noisy metadata
  3. Group apps - Associate resources based on workload topology
  4. Security audit - Static analysis + AI deep analysis to generate reports
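The four steps above as one small pipeline, added here as an example and not kube-audit-kit's own export.py / sanitize.py / group_apps.py: resource types are discovered with `kubectl api-resources --namespaced=true --verbs=list -o name` minus an exclude list, each type is fetched with `kubectl get <type> -o json`, objects are sanitized by dropping `status` and server-managed metadata, and the remaining objects are grouped by following `ownerReferences` up to the root workload. The `EXCLUDED_TYPES` and `NOISY_*` lists are assumptions (the kit keeps its own), and the demo swaps the real kubectl call for constructed canned responses so it runs offline.

```python
"""Export -> sanitize -> group, in miniature.

Added example, not kube-audit-kit's scripts. EXCLUDED_TYPES, NOISY_* and the fake
kubectl responses are constructed assumptions; kubectl is only ever invoked via
run_kubectl, and only with read-only get/list commands.
"""
from __future__ import annotations
import json
import subprocess
from typing import Callable

Runner = Callable[[list[str]], str]
EXCLUDED_TYPES = {"events", "events.events.k8s.io", "bindings", "endpoints", "podtemplates",
                  "endpointslices.discovery.k8s.io", "controllerrevisions.apps",
                  "localsubjectaccessreviews.authorization.k8s.io"}
NOISY_METADATA = ("managedFields", "resourceVersion", "uid", "generation", "creationTimestamp")
NOISY_ANNOTATIONS = ("kubectl.kubernetes.io/last-applied-configuration", "deployment.kubernetes.io/revision")


def run_kubectl(args: list[str]) -> str:
    """Run kubectl and return stdout; every command built below is a get/list."""
    return subprocess.run(["kubectl", *args], check=True, capture_output=True, text=True).stdout


def discover_types(context: str, run: Runner = run_kubectl) -> list[str]:
    """Namespaced resource types that support list, minus the low-value exclude list."""
    out = run(["--context", context, "api-resources", "--namespaced=true", "--verbs=list", "-o", "name"])
    return sorted(t for t in out.split() if t not in EXCLUDED_TYPES)


def export_namespace(context: str, namespace: str, run: Runner = run_kubectl) -> list[dict]:
    items: list[dict] = []
    for t in discover_types(context, run):
        raw = run(["--context", context, "-n", namespace, "get", t, "-o", "json"])
        items.extend(json.loads(raw).get("items", []))
    return items


def sanitize(obj: dict) -> dict:
    """Drop status and server-managed metadata so the report shows only declared intent."""
    clean = {k: v for k, v in obj.items() if k != "status"}
    meta = {k: v for k, v in clean.get("metadata", {}).items() if k not in NOISY_METADATA}
    ann = {k: v for k, v in meta.get("annotations", {}).items() if k not in NOISY_ANNOTATIONS}
    meta.pop("annotations", None)
    if ann:
        meta["annotations"] = ann
    clean["metadata"] = meta
    return clean


def group_by_workload(items: list[dict]) -> dict[str, list[str]]:
    """Follow ownerReferences (by kind/name, so it still works after sanitize) to the root object."""
    index = {f"{i['kind']}/{i['metadata']['name']}": i for i in items}

    def root(key: str) -> str:
        seen = {key}
        while True:
            refs = index[key]["metadata"].get("ownerReferences") or []
            parent = f"{refs[0]['kind']}/{refs[0]['name']}" if refs else None
            if parent is None or parent not in index or parent in seen:
                return key
            seen.add(parent)
            key = parent

    groups: dict[str, list[str]] = {}
    for key in index:
        groups.setdefault(root(key), []).append(key)
    return groups


# Constructed canned kubectl output: a Deployment -> ReplicaSet -> Pod chain plus a ConfigMap.
def _obj(kind: str, name: str, owner: tuple[str, str] | None = None) -> dict:
    meta = {"name": name, "uid": f"uid-{name}", "resourceVersion": "1", "managedFields": [{"manager": "kubectl"}],
            "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}", "team": "payments"}}
    if owner:
        meta["ownerReferences"] = [{"kind": owner[0], "name": owner[1], "uid": f"uid-{owner[1]}"}]
    return {"kind": kind, "metadata": meta, "status": {"phase": "Running"}}


def _list(*objs: dict) -> str:
    return json.dumps({"kind": "List", "items": list(objs)})


FAKE_RESPONSES = {
    "--context demo api-resources --namespaced=true --verbs=list -o name":
        "configmaps\ndeployments.apps\nevents\npods\nreplicasets.apps\n",
    "--context demo -n shop get configmaps -o json": _list(_obj("ConfigMap", "web-config")),
    "--context demo -n shop get deployments.apps -o json": _list(_obj("Deployment", "web")),
    "--context demo -n shop get pods -o json": _list(_obj("Pod", "web-7f9c-x1", ("ReplicaSet", "web-7f9c"))),
    "--context demo -n shop get replicasets.apps -o json": _list(_obj("ReplicaSet", "web-7f9c", ("Deployment", "web"))),
}


def fake_kubectl(args: list[str]) -> str:
    return FAKE_RESPONSES[" ".join(args)]


def demo() -> tuple[list[dict], dict[str, list[str]]]:
    """Run the pipeline against the canned responses and return (sanitized items, groups)."""
    items = [sanitize(i) for i in export_namespace("demo", "shop", run=fake_kubectl)]
    return items, group_by_workload(items)


if __name__ == "__main__":
    sanitized, groups = demo()
    print(json.dumps(groups, indent=2))
```

Grouping follows kind/name rather than uid on purpose: sanitize strips `uid`, and ownerReferences carry both, so the pipeline can run in the order the skill describes (export, sanitize, group) without keeping server-side identifiers around.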

Requirements

| Component | Version Requirement |
| --- | --- |
| Python | >= 3.14 |
| kubectl | Any version (configured cluster) |
| uv | Latest (dependency management) |

Run Scripts Manually

If you want to run scripts without the skill:

# Install dependencies
uv sync

# Run the audit pipeline
CTX=your-context
NS=your-namespace

uv run python scripts/export.py --context $CTX --namespace $NS
uv run python scripts/sanitize.py --context $CTX --namespace $NS
uv run python scripts/group_apps.py --context $CTX --namespace $NS
uv run python scripts/audit.py --context $CTX --namespace $NS

Security Recommendations

🔐 Use a Dedicated Audit Account

Create a dedicated service account with strict RBAC controls. If you are concerned about exposing Secret data during the audit, you can omit Secret permissions; other checks will still work normally.

An example audit service account is provided:

# View example configuration
cat examples/audit-service-account.yaml

# Apply to target namespace (edit Namespace first)
kubectl apply -f examples/audit-service-account.yaml

# Get an audit token (valid for 1 hour)
kubectl -n <namespace> create token audit-service-account --duration=1h

# Configure kubeconfig for the audit context
kubectl config set-credentials audit-service-account --token=<token>
kubectl config set-context audit-context \
  --cluster=<your-cluster> \
  --user=audit-service-account \
  --namespace=<target-namespace>

Permission Notes:

| Permission | Required | Description |
| --- | --- | --- |
| Pod/Deployment/Workload | ✅ Yes | Workload security checks |
| ConfigMap | ✅ Yes | Sensitive data scan |
| Service/Ingress/NetworkPolicy | ✅ Yes | Network security audit |
| RBAC Resources | ✅ Yes | RBAC permission audit |
| Secret | ⚪ Optional | If not granted, Secret checks are skipped |

Impact without Secret permissions:

  • ❌ Secret type checks unavailable
  • ❌ Cannot detect non-sensitive data stored in Secret
  • ✅ All other checks still work (Pod Security, RBAC, network, hostPath, etc.)
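The RBAC audit table earlier (wildcards, high-privilege roles, rule scope) and the dedicated audit account described in this section are two sides of the same check, so one added example covers both; it is not kube-audit-kit's audit.py and not the contents of `examples/audit-service-account.yaml`. `check_role` flags `*` in verbs/resources/apiGroups, reports mutating verbs and any rule that reaches `secrets`; `check_binding` reports bindings to the built-in cluster-admin/admin/edit/view roles with their subjects; and `AUDIT_ROLE` is a constructed get/list-only Role, with Secret deliberately omitted as the permission table allows, that passes the same audit. Check ids, severities and the sample objects are assumptions.

```python
"""RBAC rule audit plus a least-privilege audit Role that passes it.

Added example, not kube-audit-kit's own audit.py or its examples/ manifest;
check ids, severities and the sample Role/binding are assumptions.
"""
from __future__ import annotations

Finding = tuple[str, str, str]  # (severity, check id, detail)
READ_ONLY = {"get", "list", "watch"}
HIGH_PRIV = {"cluster-admin": "Critical", "admin": "Warning", "edit": "Warning", "view": "Info"}


def check_role(role: dict) -> list[Finding]:
    """Flag wildcard rules, mutating verbs and secrets access in a Role/ClusterRole."""
    name = f"{role.get('kind')}/{role['metadata']['name']}"
    f: list[Finding] = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("verbs", "resources", "apiGroups"):
            if "*" in rule.get(field, []):
                f.append(("Critical", "rbac-wildcard", f"{name} rule {i}: {field} contains '*'"))
        mutating = set(rule.get("verbs", [])) - READ_ONLY
        if mutating:
            f.append(("Info", "rbac-mutating", f"{name} rule {i}: grants {sorted(mutating)}"))
        if "secrets" in rule.get("resources", []):
            f.append(("Info", "rbac-secrets", f"{name} rule {i}: grants access to secrets"))
    return f


def check_binding(binding: dict) -> list[Finding]:
    """Flag bindings to the built-in high-privilege roles, naming the subjects."""
    ref = binding.get("roleRef", {}).get("name", "")
    if ref not in HIGH_PRIV:
        return []
    subjects = [f"{s.get('kind')}:{s.get('name')}" for s in binding.get("subjects", [])]
    name = f"{binding.get('kind')}/{binding['metadata']['name']}"
    return [(HIGH_PRIV[ref], "rbac-high-privilege", f"{name} binds {ref} to {subjects}")]


def is_least_privilege_audit_role(role: dict) -> bool:
    """True when every rule is read-only, has no wildcard, and does not reach secrets."""
    return not any(c in ("rbac-wildcard", "rbac-mutating", "rbac-secrets") for _, c, _ in check_role(role))


# Constructed sample: read-only Role for the audit's checks, Secret deliberately omitted.
AUDIT_ROLE = {
    "kind": "Role", "metadata": {"name": "kube-audit-reader", "namespace": "shop"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps", "services", "serviceaccounts"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets", "replicasets"], "verbs": ["get", "list"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses", "networkpolicies"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"], "verbs": ["get", "list"]},
        {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": ["get", "list"]},
    ],
}
# Constructed samples of what the audit should catch.
OVERPRIVILEGED_ROLE = {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
                       "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
RISKY_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}

if __name__ == "__main__":
    for obj in (AUDIT_ROLE, OVERPRIVILEGED_ROLE):
        print(obj["metadata"]["name"], "least-privilege:", is_least_privilege_audit_role(obj), check_role(obj))
    print(check_binding(RISKY_BINDING))
```

A practical habit is to run `check_role` over the audit Role itself before binding it: if the auditor's own credentials fail the wildcard or mutating-verb checks, the "non-intrusive, get/list only" claim no longer holds for that cluster.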

Security Best Practices:

  • ✅ Least privilege - grant only what is needed for auditing
  • ✅ Secret optional - decide based on