PS Product Security Knowledge Base

Kubernetes Security Tooling Cheatsheet

Use this page as a fast command starter, then move into the deeper section pages for design, rollout, or exception-handling guidance.

Image and config scanning

trivy image registry.example.com/team/app:1.2.3
trivy config .
grype registry:registry.example.com/team/app:1.2.3

Cluster posture

kubescape scan framework nsa --submit=false
kube-bench run --targets master,node

Runtime

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco -n falco --create-namespace
kubectl logs -n falco daemonset/falco

Admission / policy

kubectl label ns billing pod-security.kubernetes.io/enforce=restricted
kubectl label ns billing pod-security.kubernetes.io/audit=restricted
kubectl label ns billing pod-security.kubernetes.io/warn=restricted
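Added example, not part of the original cheatsheet: a Python check that reads the JSON shape of `kubectl get ns -o json` and reports namespaces where any of the three Pod Security Admission modes is missing or set weaker than the target level. The `psa_findings` function and the sample namespace list are constructed for this example; a namespace with only `warn` set still admits privileged pods, which is why each mode is checked separately.

```python
"""Check Pod Security Admission labels on namespaces.

Input is the JSON shape produced by `kubectl get ns -o json` (a
NamespaceList); the SAMPLE below is constructed for this example.
"""
import json

PSA_MODES = ("enforce", "audit", "warn")
LEVEL_RANK = {"privileged": 0, "baseline": 1, "restricted": 2}
PREFIX = "pod-security.kubernetes.io/"


def psa_findings(ns_list: dict, minimum: str = "restricted") -> dict:
    """Return {namespace: [finding, ...]} for namespaces below `minimum`.

    A missing mode label is reported, as is any mode whose level is weaker
    than `minimum` (privileged < baseline < restricted). Namespaces that
    meet the bar on all three modes are omitted from the result.
    """
    findings = {}
    for item in ns_list.get("items", []):
        name = item["metadata"]["name"]
        labels = item["metadata"].get("labels") or {}
        problems = []
        for mode in PSA_MODES:
            level = labels.get(PREFIX + mode)
            if level is None:
                problems.append(f"{mode}: label missing (no PSA {mode} applied)")
            elif level not in LEVEL_RANK:
                problems.append(f"{mode}: unknown level {level!r}")
            elif LEVEL_RANK[level] < LEVEL_RANK[minimum]:
                problems.append(f"{mode}: {level} is weaker than {minimum}")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample in the shape of `kubectl get ns -o json`.
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "billing", "labels": {
     "pod-security.kubernetes.io/enforce": "restricted",
     "pod-security.kubernetes.io/audit": "restricted",
     "pod-security.kubernetes.io/warn": "restricted"}}},
  {"metadata": {"name": "legacy", "labels": {
     "pod-security.kubernetes.io/enforce": "baseline",
     "pod-security.kubernetes.io/warn": "restricted"}}},
  {"metadata": {"name": "scratch"}}
]}""")

if __name__ == "__main__":
    for ns, problems in psa_findings(SAMPLE).items():
        print(ns)
        for p in problems:
            print("  -", p)
```

Pipe real output in with `kubectl get ns -o json | python3 psa_check.py` after replacing SAMPLE with `json.load(sys.stdin)`.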

Best use

  • fast local orientation during review;
  • preparing a lab or interview exercise;
  • mapping a tool name to the right deeper page in the Kubernetes section.