Kubernetes YAML Security Linter — Scan Manifests for Misconfigurations
Paste any Kubernetes YAML (Deployment, DaemonSet, StatefulSet, Pod, etc.). The linter checks for the most common security misconfigurations that make it into production: running as root, missing resource limits, privileged containers, hardcoded secrets, and more. Nothing leaves your browser: no install and no cluster access needed.
What each check means
- No resource limits (Critical): A pod without CPU/memory limits can consume all node resources, triggering OOM kills on other pods. Always set limits in production.
- runAsNonRoot not set (High): Most container images default to UID 0 (root). If someone escapes the container, they have root on the host. Set `runAsNonRoot: true` and a non-zero `runAsUser`.
- Mutable image tag (High): `:latest` is a footgun. Your deployment can silently pull a different image on the next pod restart. Pin to a specific version or SHA.
- Privileged container (Critical): Essentially running Docker-in-Docker with full host capabilities. Almost never needed. If you think you need it, you probably don’t.
- allowPrivilegeEscalation (Medium): Allows setuid/setgid executables to gain more privileges than their parent. Disable unless you specifically need it.
- Hardcoded secrets in env vars (Critical): Visible in `kubectl get pod -o yaml`, CI logs, and audit logs. Use `secretKeyRef` or a secrets manager like Vault.
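The six checks above, implemented as a small standalone script so you can see exactly what each one inspects in a manifest. This is an added example, not the page's own linter code. It assumes the manifest has already been parsed into a Python dict (what `yaml.safe_load` returns); the two sample Deployments are constructed inline as dict literals, and the image digest in the hardened one is a zero-filled placeholder. The credential name pattern and the extra `runAsUser == 0` test are this example's own heuristics, not something the page specifies.

```python
"""Dependency-free lint pass over a Kubernetes workload manifest (added example).

Implements the six checks listed on the page against an already-parsed
manifest dict. In real use: manifest = yaml.safe_load(open("deploy.yaml")).
"""
import re

# Env var names that suggest a credential (heuristic chosen for this example).
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)


def pod_spec(manifest):
    """Return the PodSpec for a Pod or a template-based workload, else None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec")
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    return None


def image_is_mutable(image):
    """True unless the image is pinned by digest or by a tag other than latest."""
    if "@sha256:" in image:
        return False
    # Look only at the last path component so a registry port (host:5000/img) is not mistaken for a tag.
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return True  # no tag at all means an implicit :latest
    return name.rsplit(":", 1)[1] == "latest"


def lint(manifest):
    """Return a list of (severity, container_name, message) findings."""
    findings = []
    spec = pod_spec(manifest)
    if spec is None:
        return [("Info", "-", "unsupported kind; no pod spec found")]
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(("Critical", name, "no CPU/memory resource limits"))
        # A container-level securityContext setting overrides the pod-level one.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True or run_as_user == 0:
            findings.append(("High", name, "runAsNonRoot not set (or runAsUser is 0)"))
        if image_is_mutable(c.get("image", "")):
            findings.append(("High", name, "mutable image tag; pin a version or digest"))
        if sc.get("privileged") is True:
            findings.append(("Critical", name, "privileged container"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("Medium", name, "allowPrivilegeEscalation not disabled"))
        for env in c.get("env", []):
            # A literal `value` on a credential-looking name is the hardcoded-secret case;
            # `valueFrom.secretKeyRef` has no `value` key and passes.
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(("Critical", name, f"hardcoded secret in env var {env['name']}"))
    return findings


# Constructed sample: every check fires.
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web", "image": "example.test/web:latest",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "securityContext": {"privileged": True},
    }]}}},
}

# Constructed sample: the same workload hardened. The digest is a placeholder, not a real image.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "example.test/web@sha256:" + "0" * 64,
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False, "privileged": False},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        }],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("insecure", INSECURE_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        results = lint(manifest)
        print(f"{label}: {len(results)} finding(s)")
        for severity, cname, msg in results:
            print(f"  [{severity}] {cname}: {msg}")
```

Run it as-is to see six findings on the insecure Deployment and none on the hardened one. The pod-level `securityContext` in the hardened sample is deliberately left to supply `runAsNonRoot` and `runAsUser` so the example also shows that the linter must merge pod- and container-level settings; a check that only reads the container block would wrongly flag a pod that is hardened at the pod level.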
For deprecated API version checks (e.g. extensions/v1beta1), use the K8s Deprecation Checker. For K8s resource sizing, use the Resource Calculator.
Founded 2023 in London, UK. Contact: hello@releaserun.com