Skip to main content
Glama
batu-sonmez

InfraClaude

by batu-sonmez
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Hybrid

security_k8s_audit

Audit Kubernetes namespaces to identify security misconfigurations including privileged containers, missing resource limits, and RBAC issues for improved cluster security.

Instructions

Audit Kubernetes namespace for security misconfigurations (privileged containers, missing limits, RBAC issues)

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
namespaceNoKubernetes namespace to audit (default: 'default')

Implementation Reference

  • src/tools/security/k8s_audit.ts:11-131 (handler)
    The main handler function for the k8s security audit logic.
    export async function k8sSecurityAudit(args: Record<string, unknown>): Promise<string> {
  const api = getCoreV1Api();
  const namespace = (args.namespace as string) || "default";

  const findings: AuditFinding[] = [];

  // Get pods for security analysis
  const podsRes = await api.listNamespacedPod(namespace);
  const pods = podsRes.body.items;

  for (const pod of pods) {
    const podName = pod.metadata?.name || "unknown";

    for (const container of pod.spec?.containers || []) {
      const sc = container.securityContext || {};
      const podSc = pod.spec?.securityContext || {};

      // Check: Running as root
      if (sc.runAsNonRoot !== true && podSc.runAsNonRoot !== true) {
        findings.push({
          severity: "HIGH",
          category: "Pod Security",
          resource: `${podName}/${container.name}`,
          issue: "Container may run as root",
          recommendation: "Set securityContext.runAsNonRoot: true",
        });
      }

      // Check: Privileged container
      if (sc.privileged === true) {
        findings.push({
          severity: "CRITICAL",
          category: "Pod Security",
          resource: `${podName}/${container.name}`,
          issue: "Privileged container",
          recommendation: "Remove privileged: true unless absolutely necessary",
        });
      }

      // Check: Missing resource limits
      if (!container.resources?.limits) {
        findings.push({
          severity: "MEDIUM",
          category: "Resource Management",
          resource: `${podName}/${container.name}`,
          issue: "No resource limits set",
          recommendation: "Add CPU and memory limits",
        });
      }

      // Check: Read-only root filesystem
      if (sc.readOnlyRootFilesystem !== true) {
        findings.push({
          severity: "LOW",
          category: "Pod Security",
          resource: `${podName}/${container.name}`,
          issue: "Root filesystem is writable",
          recommendation: "Set readOnlyRootFilesystem: true",
        });
      }
    }

    // Check: Default service account
    if (!pod.spec?.serviceAccountName || pod.spec.serviceAccountName === "default") {
      findings.push({
        severity: "MEDIUM",
        category: "RBAC",
        resource: podName,
        issue: "Using default service account",
        recommendation: "Create a dedicated service account with minimal permissions",
      });
    }
  }

  // Check: Network policies
  try {
    const npRes = await (api as any).listNamespacedNetworkPolicy?.(namespace) ||
      { body: { items: [] } };
    if (npRes.body.items.length === 0) {
      findings.push({
        severity: "HIGH",
        category: "Network Security",
        resource: `namespace/${namespace}`,
        issue: "No NetworkPolicies defined",
        recommendation: "Create NetworkPolicies to restrict pod-to-pod communication",
      });
    }
  } catch {
    // NetworkPolicy API might not be available
  }

  // Format report
  if (findings.length === 0) {
    return `Security audit for namespace '${namespace}': No issues found.`;
  }

  const bySeverity = {
    CRITICAL: findings.filter((f) => f.severity === "CRITICAL"),
    HIGH: findings.filter((f) => f.severity === "HIGH"),
    MEDIUM: findings.filter((f) => f.severity === "MEDIUM"),
    LOW: findings.filter((f) => f.severity === "LOW"),
  };

  const lines = [
    `Security audit for namespace '${namespace}':`,
    `Total findings: ${findings.length} (${bySeverity.CRITICAL.length} critical, ${bySeverity.HIGH.length} high, ${bySeverity.MEDIUM.length} medium, ${bySeverity.LOW.length} low)`,
    "",
  ];

  for (const [severity, items] of Object.entries(bySeverity)) {
    if (items.length === 0) continue;
    lines.push(`--- ${severity} ---`);
    for (const f of items) {
      lines.push(`  [${f.category}] ${f.resource}: ${f.issue}`);
      lines.push(`    Fix: ${f.recommendation}`);
    }
    lines.push("");
  }

  return lines.join("\n");
}
  • src/tools/security/index.ts:29-39 (registration)
    Tool registration and input schema definition for security_k8s_audit.
      {
    name: "security_k8s_audit",
    description: "Audit Kubernetes namespace for security misconfigurations (privileged containers, missing limits, RBAC issues)",
    inputSchema: {
      type: "object" as const,
      properties: {
        namespace: { type: "string", description: "Kubernetes namespace to audit (default: 'default')" },
      },
    },
  },
];
Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/batu-sonmez/infraclaude'

If you have feedback or need assistance with the MCP directory API, please join our Discord server