Kubernetes Security Posture Scorecard
by @krishnakumarmahadevan-cmd
Assess Kubernetes cluster security posture across 30 controls covering RBAC, workload security, network policies, IaC, runtime monitoring, and secrets manage...
clawhub install k8s-security-posture-scorecardπ About This Skill
name: k8s-security-posture-scorecard description: Assess Kubernetes cluster security posture across 30 controls covering RBAC, workload security, network policies, IaC, runtime monitoring, and secrets management. Use when evaluating K8s security hardening, container security compliance, cluster security audit, CIS Kubernetes benchmark, or cloud-native security posture. version: 1.0.0 homepage: https://portal.toolweb.in metadata: openclaw: emoji: "π‘οΈ" requires: env: - TOOLWEB_API_KEY bins: - curl primaryEnv: TOOLWEB_API_KEY os: - linux - darwin - win32 category: security
Kubernetes Security Posture Scorecard π‘οΈβΈοΈ
Assess your Kubernetes cluster's security posture across 30 controls in 7 domains: Cluster Configuration, Workload Security, Network Security, Infrastructure as Code, Runtime Security, Secrets Management, and Compliance. Returns an overall security score, domain-level grades, critical findings, and a prioritized remediation roadmap.
Built by a CISSP/CISM certified security professional at ToolWeb.in
When to Use
Prerequisites
TOOLWEB_API_KEY β Get your API key from portal.toolweb.incurl must be available on the systemCRITICAL: Always Call the API
API Endpoint
POST https://portal.toolweb.in/apis/security/k8scorecard
7 Security Domains (30 Controls)
1. Cluster Configuration (5 controls):
rbac_enabled β Is Role-Based Access Control enabled?anonymous_auth_disabled β Is anonymous authentication disabled?node_restriction_enabled β Is the NodeRestriction admission plugin enabled?audit_logging_enabled β Is Kubernetes audit logging enabled?etcd_encrypted β Is etcd data encrypted at rest?2. Workload Security (5 controls):
pod_security_policies β Are Pod Security Policies/Standards enforced?privileged_containers β Are privileged containers blocked? (true = no privileged containers)root_containers β Are root containers blocked? (true = no root containers)image_scanning_enabled β Is container image vulnerability scanning in place?admission_controller_enabled β Is a validating/mutating admission controller active?3. Network Security (4 controls):
network_policies_defined β Are Kubernetes NetworkPolicies defined?ingress_tls_enforced β Is TLS enforced on all ingress?service_mesh_enabled β Is a service mesh (Istio, Linkerd, etc.) in use?inter_pod_isolation β Is inter-pod network isolation implemented?4. Infrastructure as Code (4 controls):
iac_used β Is infrastructure managed as code (Terraform, Pulumi, etc.)?iac_scanning_enabled β Is IaC scanning (Checkov, tfsec, etc.) in the pipeline?gitops_workflow β Is GitOps used for deployments (ArgoCD, Flux)?drift_detection β Is configuration drift detection enabled?5. Runtime Security (5 controls):
runtime_monitoring_enabled β Is runtime security monitoring active?falco_or_equivalent β Is Falco or equivalent runtime threat detection deployed?fim_enabled β Is File Integrity Monitoring enabled?audit_trail_enabled β Is a comprehensive audit trail maintained?auto_incident_response β Is automated incident response configured?6. Secrets Management (3 controls):
secrets_encrypted_at_rest β Are K8s secrets encrypted at rest?external_secrets_manager β Is an external secrets manager used (Vault, AWS SM, etc.)?no_hardcoded_secrets β Are there no hardcoded secrets in manifests/images?7. Optional:
compliance_frameworks β Compliance standards to map (e.g., "CIS, SOC2, PCI-DSS")notes β Additional context about the clusterWorkflow
1. Gather inputs from the user. Ask about their cluster setup and walk through each domain:
Cluster info (required):
- cluster_name β Name of the cluster
- environment β "production", "staging", or "development"
- k8s_version β Kubernetes version (e.g., "1.28", "1.29")
- cloud_provider β "AWS EKS", "Azure AKS", "GCP GKE", "On-Premise"
Then ask yes/no for each of the 30 controls above. You can ask domain-by-domain: - "Let's start with Cluster Configuration: Is RBAC enabled? Anonymous auth disabled? Node restriction? Audit logging? etcd encryption?" - "Workload Security: Do you enforce pod security policies? Block privileged and root containers? Image scanning? Admission controllers?" - Continue for each domain...
Quick assessment shortcut: If the user says "we have a basic EKS cluster with defaults" or similar, you can set reasonable defaults (e.g., RBAC=true, most others=false for a default setup) and confirm with the user before calling.
2. Call the API:
curl -s -X POST "https://portal.toolweb.in/apis/security/k8scorecard" \
-H "Content-Type: application/json" \
-H "X-API-Key: $TOOLWEB_API_KEY" \
-d '{
"cluster_name": "",
"environment": "",
"k8s_version": "",
"cloud_provider": "",
"rbac_enabled": true,
"anonymous_auth_disabled": true,
"node_restriction_enabled": false,
"audit_logging_enabled": false,
"etcd_encrypted": false,
"pod_security_policies": false,
"privileged_containers": false,
"root_containers": false,
"image_scanning_enabled": false,
"admission_controller_enabled": false,
"network_policies_defined": false,
"ingress_tls_enforced": true,
"service_mesh_enabled": false,
"inter_pod_isolation": false,
"iac_used": true,
"iac_scanning_enabled": false,
"gitops_workflow": false,
"drift_detection": false,
"runtime_monitoring_enabled": false,
"falco_or_equivalent": false,
"fim_enabled": false,
"audit_trail_enabled": false,
"auto_incident_response": false,
"secrets_encrypted_at_rest": false,
"external_secrets_manager": false,
"no_hardcoded_secrets": false,
"compliance_frameworks": "CIS, SOC2",
"notes": ""
}'
3. Present results clearly: - Lead with overall security score and grade - Show domain-level scores - Highlight critical failures - Present remediation roadmap in priority order
Output Format
π‘οΈ Kubernetes Security Posture Scorecard
ββββββββββββββββββββββββββββββββββββββββCluster: [cluster_name]
Environment: [environment]
K8s Version: [version]
Provider: [cloud_provider]
π Overall Security Score: [XX/100] β Grade: [A/B/C/D/F]
π Domain Scores:
βοΈ Cluster Configuration: [X/5] controls passed
π¦ Workload Security: [X/5] controls passed
π Network Security: [X/4] controls passed
ποΈ Infrastructure as Code: [X/4] controls passed
π Runtime Security: [X/5] controls passed
π Secrets Management: [X/3] controls passed
π΄ Critical Findings:
[List controls that failed with highest impact]
π‘ Warnings:
[Medium-priority items]
π Remediation Roadmap:
1. [Most urgent fix] β Impact: Critical
2. [Next priority] β Impact: High
3. [Next priority] β Impact: Medium
π Full scorecard powered by ToolWeb.in
Error Handling
TOOLWEB_API_KEY is not set: Tell the user to get an API key from https://portal.toolweb.inExample Interaction
User: "Assess the security of our production EKS cluster"
Agent flow: 1. Ask: "I'll score your cluster across 30 security controls in 7 domains. Let's start: - What's the cluster name and K8s version? - Cluster Config: Is RBAC enabled? Anonymous auth disabled? Audit logging on? etcd encrypted?" 2. User responds: "Cluster is prod-eks-01, version 1.29. RBAC yes, anonymous auth disabled yes, no audit logging, no etcd encryption, no node restriction." 3. Continue through remaining domains 4. Call API with all 30 controls 5. Present security score, domain breakdown, critical findings, and remediation roadmap
Pricing
About
Created by ToolWeb.in β a security-focused MicroSaaS platform with 200+ security APIs, built by a CISSP & CISM certified professional. Trusted by security teams in USA, UK, and Europe and we have platforms for "Pay-per-run", "API Gateway", "MCP Server", "OpenClaw", "RapidAPI" for execution and YouTube channel for demos.
Related Skills
Tips
β‘ When to Use
βοΈ Configuration
TOOLWEB_API_KEY β Get your API key from portal.toolweb.incurl must be available on the system