SkillAgentSearch skills...

Kube Audit Kit

A Claude Code Skill for non-intrusive security audits of Kubernetes clusters.

GenerateConvertImprove

Install / Use

/learn @crazygit/Kube Audit Kit
About this skill

Quality Score

0/100

Supported Platforms

Claude Code
Claude Desktop

README

English | 简体中文

Kube Audit Kit

Kube Audit Kit is a Claude Code Skill for non-intrusive security audits of Kubernetes clusters.

Kube Audit Kit exports all resources in a specified Context/Namespace, deeply sanitizes them, groups applications intelligently, and generates a comprehensive security audit report based on the following industry standards:

Features

  • Non-intrusive: Only get/list operations, no changes to cluster state
  • Full coverage: Dynamically discovers all namespaced resource types, with a small exclude list for low-value resources (e.g., events, bindings)
  • Smart grouping: Associates application resources based on workload topology
  • Dual audit: Scripted static scan + AI expert deep analysis
  • Type safety: Full Python type annotations
  • Nice output: Rich-powered colored console output

Security Coverage

🛡️ Pod Security (Based on PSS/NSA)

Based on Pod Security Standards and NSA Kubernetes Guidelines

| Check Item | Description | | :---------------- | :-------------------------------------------- | | Privileged Mode | Detect privileged: true | | Host Namespaces | Detect hostNetwork, hostPID, hostIPC | | Capabilities | Detect dangerous capabilities add/drop | | Security Context | Detect runAsNonRoot, readOnlyRootFilesystem | | Resource Limits | Detect CPU/memory requests and limits | | Health Checks | Detect liveness/readiness/startup probes | | Image Safety | Detect :latest tag usage |

🔐 RBAC Audit

Based on CIS Kubernetes Benchmark and Kubernetes RBAC

| Check Item | Description | | :------------- | :----------------------------------------- | | Wildcards | Detect * in verbs/resources/apiGroups | | High Privilege | Detect cluster-admin/admin/edit/view roles | | Over-privilege | Analyze Role/ClusterRole rule scope |

🌐 Network Security Audit

Based on NSA Network Policy Guidelines and CIS NetworkPolicy

| Check Item | Description | | :--------------- | :------------------------------------------ | | NetworkPolicy | Detect namespace network policy protection | | Service Exposure | Detect LoadBalancer/NodePort/externalIPs | | Ingress Config | Detect TLS configuration and exposed hosts |

💾 HostPath Mount Detection

Based on CIS Kubernetes Benchmark 5.2.3 and NSA Guidelines Section 3.3

| Check Item | Description | | :------------ | :-------------------------------------------------- | | hostPath | Detect host path mounts | | Dangerous Path| Identify docker.sock, /etc, /root, etc. | | Risk Levels | Rate by Critical/Warning |

🛡️ Security Policy Checks

Based on Kubernetes seccomp and AppArmor Documentation

| Check Item | Description | | :-------- | :----------------------------------- | | seccomp | Detect seccompProfile configuration | | AppArmor | Detect AppArmor annotation settings |

🔄 High Availability Configuration

Based on Kubernetes PodDisruptionBudget and CIS Benchmark 5.2.9

| Check Item | Description | | :------------------- | :---------------------------------------- | | PodDisruptionBudget | Detect PDB configuration | | Secret Type | Detect whether Secret type is appropriate | | ServiceAccount | Detect automountServiceAccountToken |

🔍 Sensitive Data Scan

Based on NSA Guidelines Section 4.2 and CIS Benchmark Secret Management

| Check Item | Description | | :---------------- | :---------------------------------------- | | ConfigMap Scan | Detect sensitive keywords and high entropy strings | | Secret Analysis | Detect non-sensitive data stored in Secret | | Usage Distinction | Distinguish Volume mounts vs EnvVar refs |

Installation

Option 1: Install as a Personal Skill (Recommended)

Install the skill to your personal directory so it is available in all projects:

git clone https://github.com/crazygit/kube-audit-kit.git ~/.claude/skills/kube-audit-kit

Option 2: Install as a Project Skill

Install the skill in a specific project so it is only available there:

git clone https://github.com/crazygit/kube-audit-kit.git .claude/skills/kube-audit-kit

After Installation

Verify the skill is loaded using either method:

Option 1: Use /skills

/skills

Option 2: Ask Claude

What Skills are available?

If kube-audit-kit appears in the list, the skill is loaded.

Note: The latest Claude Code client supports auto hot-reload, so restart is usually unnecessary. If the skill is missing, try restarting Claude Code.

Usage

A restart is usually unnecessary after installation. If it does not take effect, restart Claude Code.

Trigger the Skill

Based on SKILL.md, you can trigger the skill with prompts like:

"Audit production prod-cluster namespace backend"
"Check payment service in staging cluster staging-cluster"
"Analyze all apps in dev cluster dev-cluster"

Or use more general phrasing:

"Please audit the my-namespace namespace in my-context"
"Help me audit cluster-1"

Claude will detect your intent, use the kube-audit-kit skill, and ask for Context and Namespace.

Full Workflow

The skill executes the following steps:

  1. Export resources - Use kubectl get/list to export all resource types
  2. Sanitize resources - Remove status fields and noisy metadata
  3. Group apps - Associate resources based on workload topology
  4. Security audit - Static analysis + AI deep analysis to generate reports

Requirements

| Component | Version Requirement | | :-------- | :--------------------------- | | Python | >= 3.14 | | kubectl | Any version (configured cluster) | | uv | Latest (dependency management) |

Run Scripts Manually

If you want to run scripts without the skill:

# Install dependencies
uv sync

# Run the audit pipeline
CTX=your-context
NS=your-namespace

uv run python scripts/export.py --context $CTX --namespace $NS
uv run python scripts/sanitize.py --context $CTX --namespace $NS
uv run python scripts/group_apps.py --context $CTX --namespace $NS
uv run python scripts/audit.py --context $CTX --namespace $NS

Security Recommendations

🔐 Use a Dedicated Audit Account

Create a dedicated service account with strict RBAC controls. If you are concerned about exposing Secret data during the audit, you can omit Secret permissions; other checks will still work normally.

An example audit service account is provided:

# View example configuration
cat examples/audit-service-account.yaml

# Apply to target namespace (edit Namespace first)
kubectl apply -f examples/audit-service-account.yaml

# Get an audit token (valid for 1 hour)
kubectl -n <namespace> create token audit-service-account --duration=1h

# Configure kubeconfig for the audit context
kubectl config set-credentials audit-service-account --token=<token>
kubectl config set-context audit-context \
  --cluster=<your-cluster> \
  --user=audit-service-account \
  --namespace=<target-namespace>

Permission Notes:

| Permission | Required | Description | | :----------------------------- | :------- | :------------------------------- | | Pod/Deployment/Workload | ✅ Yes | Workload security checks | | ConfigMap | ✅ Yes | Sensitive data scan | | Service/Ingress/NetworkPolicy | ✅ Yes | Network security audit | | RBAC Resources | ✅ Yes | RBAC permission audit | | Secret | ⚪ Optional | If not granted, Secret checks are skipped |

Impact without Secret permissions:

  • ❌ Secret type checks unavailable
  • ❌ Cannot detect non-sensitive data stored in Secret
  • ✅ All other checks still work (Pod Security, RBAC, network, hostPath, etc.)

Security Best Practices:

  • ✅ Least privilege - grant only what is needed for auditing
  • ✅ Secret optional - decide based on

crazygit

View profile

View on GitHub
GitHub Stars29
CategoryDevelopment
Updated9d ago
Forks0
crazygit/kube-audit-kit

Languages

Python

Security Score

80/100

Audited on Mar 17, 2026

No findings