What is the CIS Kubernetes Benchmark?

The CIS (Center for Internet Security) Kubernetes Benchmark is a set of security recommendations for Kubernetes deployments. It covers cluster setup, API server configuration, etcd, controller manager, scheduler, and workload configurations. This tool focuses on section 5 (workload security) which validates pod and container security settings.

Does this tool support multi-document YAML?

Yes, you can paste multiple Kubernetes resources separated by --- (triple dash). The validator will analyze each resource independently and provide a combined security report. This is useful for validating complete deployments including ConfigMaps, Services, and Deployments together.

What does the security score represent?

The security score starts at 100 and deducts points based on issue severity: Critical issues deduct 25 points, High deducts 15, Medium deducts 8, Low deducts 3, and Info deducts 1. A score of 90+ is Grade A, 80+ is B, 70+ is C, 60+ is D, and below 60 is F.

What's the difference between security issues and best practices?

Security issues are potential vulnerabilities that could be exploited (like running as root or privileged mode). Best practices are recommendations for maintainability and operations (like missing labels or deprecated API versions). Security issues affect the score; best practices are advisory.

Can I use this in my CI/CD pipeline?

Yes\! Export your results in SARIF format, which is supported by GitHub Actions, Azure DevOps, and other CI/CD platforms. You can also export to JSON for custom integrations. For automated pipeline scanning, consider using tools like Kyverno, OPA Gatekeeper, or Trivy that can block deployments.

Why is runAsNonRoot important?

Running containers as root (UID 0) is dangerous because if an attacker escapes the container, they have root access to the node. Setting runAsNonRoot: true ensures the container runs as a non-privileged user. Combine this with runAsUser to specify a specific UID (1000 or higher is recommended).

What are resource limits and why do they matter?

Resource limits (CPU and memory) prevent a single container from consuming all node resources, which could crash other workloads. Without limits, a memory leak or CPU spike in one pod can destabilize the entire node. This is also important for fair scheduling and cost management.

Should I always use imagePullPolicy: Always?

For production workloads, yes. Using Always ensures you get the latest version of an image tag and prevents using a cached, potentially vulnerable image. However, for development or when using immutable tags (like SHA digests), IfNotPresent can improve startup time.

What is a read-only root filesystem?

Setting readOnlyRootFilesystem: true makes the container's filesystem immutable. This prevents attackers from modifying binaries, writing malware, or changing configurations. Use emptyDir or persistent volumes for paths that need to be writable (like /tmp or /var/log).

Home/Tools/Security/Kubernetes Manifest Validator

Kubernetes Manifest Validator

Validate K8s manifests against CIS Kubernetes Benchmark security checks. Detect privileged containers, missing resource limits, and misconfigurations.

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading Kubernetes Manifest Validator...

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Need Expert Kubernetes Security?

Our DevSecOps team secures Kubernetes clusters with admission controllers, CIS benchmarks, and runtime protection.

Learn About DevSecOps Services Explore DevOps Consulting

What Is Kubernetes Manifest Validation

Kubernetes manifests are YAML or JSON files that define the desired state of resources in a Kubernetes cluster — pods, deployments, services, configmaps, network policies, and more. Manifest validation checks these files for syntax errors, schema violations, security misconfigurations, and best practice deviations before they are applied to a cluster.

Catching configuration errors before deployment prevents outages, security vulnerabilities, and compliance violations. A single misconfigured securityContext, missing resource limit, or overly permissive RBAC role can expose your cluster to privilege escalation, resource exhaustion, or data breaches.

How Kubernetes Manifest Validation Works

Validation occurs at multiple levels:

Level	What It Checks	Example Issue
Syntax	Valid YAML/JSON structure	Indentation errors, missing colons, invalid characters
Schema	Correct API fields and types	Misspelled field names, wrong value types, missing required fields
Security	Security best practices	Running as root, missing network policies, privileged containers
Resource	Resource management	Missing CPU/memory limits, no pod disruption budgets
Policy	Organizational standards	Non-compliant labels, unapproved images, missing annotations

Common Security Misconfigurations

Running containers as root — securityContext.runAsNonRoot: false or omitted
Privileged containers — securityContext.privileged: true grants full host access
Missing resource limits — No CPU/memory limits enable resource exhaustion attacks
Host network/PID namespace — hostNetwork: true breaks network isolation
Writable root filesystem — readOnlyRootFilesystem: false allows malware persistence
No network policies — All pod-to-pod traffic is permitted by default

Common Use Cases

CI/CD pipeline gates: Validate manifests automatically before deployment to catch errors and security issues in pull requests
Security hardening: Audit existing manifests against CIS Kubernetes Benchmark and NSA/CISA hardening guidelines
Shift-left security: Enable developers to check their own manifests for security issues during development, before code review
Compliance enforcement: Ensure all deployments meet organizational policies for labels, resource limits, image registries, and security contexts
Migration validation: When migrating workloads between clusters or upgrading Kubernetes versions, validate that manifests are compatible with the target API version

Best Practices

Enforce non-root containers — Set runAsNonRoot: true and specify a non-zero runAsUser in every pod's securityContext. Very few workloads genuinely require root.
Always set resource limits — Define CPU and memory requests and limits for every container. This prevents noisy neighbors and resource exhaustion denial-of-service.
Use read-only root filesystems — Set readOnlyRootFilesystem: true and mount writable volumes only where needed. This prevents malware from modifying container filesystems.
Validate in CI, enforce in admission — Use this tool and similar validators in your CI pipeline for early feedback, and deploy OPA Gatekeeper or Kyverno as admission controllers for runtime enforcement.
Pin image tags to digests — Use image digests (@sha256:...) instead of mutable tags (:latest) to prevent supply chain attacks through tag manipulation.

Frequently Asked Questions

Common questions about the Kubernetes Manifest Validator

The validator checks against CIS Kubernetes Benchmark controls including: privileged containers (CIS-5.2.1), hostPID/hostIPC/hostNetwork (CIS-5.2.2-4), runAsNonRoot (CIS-5.2.6), dangerous capabilities (CIS-5.2.7), privilege escalation (CIS-5.2.8), resource limits, read-only filesystem, image pull policy, and health probes.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.