Paste any Kubernetes YAML (Deployment, DaemonSet, StatefulSet, Pod, etc.). The linter checks for the most common security misconfigurations that make it into production: running as root, missing resource limits, privileged containers, hardcoded secrets, and more. Nothing leaves your browser. No install, no cluster access needed.
What each check means
- No resource limits (Critical): A pod without CPU/memory limits can consume all node resources, triggering OOM kills on other pods. Always set limits in production.
- runAsNonRoot not set (High): Most container images default to UID 0 (root). If someone escapes the container, they have root on the host. Set `runAsNonRoot: true` and a non-zero `runAsUser`.
- Mutable image tag (High): `:latest` is a footgun. Your deployment can silently pull a different image on the next pod restart. Pin to a specific version or SHA.
- Privileged container (Critical): Essentially running Docker-in-Docker with full host capabilities. Almost never needed. If you think you need it, you probably don’t.
- allowPrivilegeEscalation (Medium): Allows setuid/setgid executables to gain more privileges than their parent. Disable unless you specifically need it.
- Hardcoded secrets in env vars (Critical): Visible in `kubectl get pod -o yaml`, CI logs, and audit logs. Use `secretKeyRef` or a secrets manager like Vault.
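
A Deployment that addresses all six checks above, as an added example that is not output of the linter or code from this site. The names, image, UID, resource values and Secret reference are constructed placeholders.

```yaml
# Constructed example: every name and value below is a placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-api
  template:
    metadata:
      labels:
        app: example-api
    spec:
      securityContext:
        runAsNonRoot: true   # kubelet refuses to start a container that would run as UID 0
        runAsUser: 10001     # explicit non-zero UID, so the image default does not matter
      containers:
        - name: api
          # Pinned version instead of :latest; append @sha256:<digest> to pin the exact image.
          image: registry.example.com/example-api:1.4.2
          securityContext:
            privileged: false                 # no privileged mode
            allowPrivilegeEscalation: false   # setuid/setgid binaries cannot gain privileges
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:            # caps what this container can take from the node
              cpu: 500m
              memory: 256Mi
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:  # value is read from a Secret, not written into the manifest
                  name: example-api-db
                  key: password
```

The Secret `example-api-db` must already exist in the same namespace, otherwise the container will not start.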
For deprecated API version checks (e.g. extensions/v1beta1), use the K8s Deprecation Checker. For K8s resource sizing, use the Resource Calculator.