KubeKavach is a developer-first Kubernetes security scanner with local pod replay capabilities. This comprehensive documentation covers all available CLI commands, their options, flags, and usage patterns.
- Installation
- Global Options
- Commands Overview
- Command Reference
- Configuration
- Examples
- Error Handling
- Troubleshooting
npm install -g kubekavach
# or
yarn global add kubekavachThe following options are available for all commands:
--help, -h: Show help for the command--version: Show version information
| Command | Description |
|---|---|
scan |
Scan a Kubernetes cluster for security vulnerabilities |
replay |
Replay a Kubernetes pod locally for debugging |
config |
Manage KubeKavach configuration |
api |
Start the KubeKavach API server |
rules |
List all available security rules |
Scan a Kubernetes cluster for security vulnerabilities using built-in security rules.
kubekavach scan [FLAGS]The scan command connects to your Kubernetes cluster and performs a comprehensive security analysis of your resources including Pods, Deployments, DaemonSets, StatefulSets, and Jobs. It applies various security rules to identify potential vulnerabilities and misconfigurations.
| Flag | Short | Type | Description | Required |
|---|---|---|---|---|
--namespace |
-n |
string | Kubernetes namespace to scan | No |
--kubeconfig |
string | Path to kubeconfig file | No |
- Pods: All pods in the specified namespace or cluster-wide
- Deployments: Application deployments
- DaemonSets: Node-level daemon services
- StatefulSets: Stateful applications
- Jobs: Batch processing jobs
The scan results are displayed in a formatted table showing:
- Rule: The name of the security rule that was violated
- Severity: CRITICAL, HIGH, MEDIUM, or LOW
- Resource: The Kubernetes resource type and name
- Message: Detailed description of the security issue
# Scan entire cluster
kubekavach scan
# Scan specific namespace
kubekavach scan --namespace production
# Scan with custom kubeconfig
kubekavach scan --kubeconfig ~/.kube/custom-config
# Scan specific namespace with custom kubeconfig
kubekavach scan -n kube-system --kubeconfig /path/to/kubeconfigThe command handles various error scenarios:
- Connection refused: Kubernetes API server is unreachable
- 403 Forbidden: Insufficient RBAC permissions
- Kubeconfig errors: Invalid or missing kubeconfig file
- Invalid resources: Skips malformed Kubernetes manifests
Replay a Kubernetes pod locally for debugging purposes.
kubekavach replay [FLAGS]The replay command fetches a running pod from your Kubernetes cluster and replays it locally in a controlled environment. This is useful for debugging issues, testing configurations, or understanding pod behavior without affecting the live cluster.
| Flag | Short | Type | Description | Required |
|---|---|---|---|---|
--namespace |
-n |
string | Kubernetes namespace of the pod | Yes |
--pod |
-p |
string | Name of the pod to replay | Yes |
--kubeconfig |
string | Path to kubeconfig file | No |
# Replay a pod from default namespace
kubekavach replay --namespace default --pod my-app-pod
# Replay with short flags
kubekavach replay -n production -p web-server-123
# Replay with custom kubeconfig
kubekavach replay -n kube-system -p coredns-abc123 --kubeconfig ~/.kube/staging- 404 Not Found: Pod doesn't exist in the specified namespace
- 403 Forbidden: Insufficient permissions to access the pod
- Replay errors: Issues with local container runtime or pod configuration
Manage KubeKavach configuration settings.
kubekavach config <action> [key] [value]The config command allows you to view and modify KubeKavach configuration settings. Configuration values are stored locally and can include API settings, AI integration parameters, and other application preferences.
| Argument | Description | Required |
|---|---|---|
action |
Action to perform: get or set |
Yes |
key |
Configuration key (dot notation supported) | No (required for specific operations) |
value |
Configuration value to set | No (required for set action) |
Common configuration keys include:
api.port: API server port numberapi.host: API server host addressai.apiKey: AI service API key (sensitive)rules.enabled: List of enabled security rules
# View entire configuration
kubekavach config get
# Get specific configuration value
kubekavach config get api.port
# Set configuration value
kubekavach config set api.port 4000
# Set nested configuration
kubekavach config set api.host "0.0.0.0"
# Set JSON values
kubekavach config set rules.enabled '["KKR001","KKR002","KKR003"]'- Sensitive Data Redaction: API keys and secrets are automatically redacted in output
- Schema Validation: Configuration changes are validated against the schema
- Error Handling: Invalid configurations are rejected with helpful error messages
Start the KubeKavach API server.
kubekavach api [FLAGS]The api command starts a local HTTP server that provides REST API endpoints for KubeKavach functionality. This allows integration with other tools, web interfaces, or automated systems.
| Flag | Short | Type | Description | Required |
|---|---|---|---|---|
--port |
-p |
integer | Port to run the API server on | No |
--host |
-h |
string | Host to bind the API server to | No |
--config |
-c |
string | Path to configuration file | No |
# Start API server with default settings
kubekavach api
# Start on custom port
kubekavach api --port 8080
# Start on all interfaces
kubekavach api --host 0.0.0.0 --port 3000
# Start with custom configuration
kubekavach api --config /etc/kubekavach/config.jsonSettings are applied in the following order (highest to lowest priority):
- Command line flags
- Configuration file values
- Default values
List all available security rules.
kubekavach rules [FLAGS]The rules command displays all available security rules that can be applied during cluster scans. Rules can be filtered by category or severity level.
| Flag | Short | Type | Description | Required |
|---|---|---|---|---|
--category |
-c |
string | Filter by category | No |
--severity |
-s |
string | Filter by severity | No |
--json |
boolean | Output in JSON format | No |
Each rule displays:
- ID: Unique rule identifier (e.g., KKR001)
- Name: Human-readable rule name
- Severity: CRITICAL, HIGH, MEDIUM, or LOW
- Category: Rule category (e.g., "Pod Security", "Resource Management")
- Description: Detailed explanation of what the rule checks
# List all rules
kubekavach rules
# Filter by category
kubekavach rules --category "Pod Security"
# Filter by severity
kubekavach rules --severity CRITICAL
# Multiple filters
kubekavach rules -c "Resource" -s HIGH
# JSON output for programmatic use
kubekavach rules --jsonCommon rule categories include:
- Pod Security: Container security configurations
- Resource Management: CPU/memory limits and requests
- Network Security: Network policies and service configurations
- RBAC: Role-based access control issues
- Image Security: Container image vulnerabilities
KubeKavach uses a configuration file to store settings. The configuration is automatically created when first run and can be managed using the config command.
{
"api": {
"port": 3000,
"host": "localhost",
"apiKey": "your-api-key"
},
"ai": {
"apiKey": "your-ai-api-key"
},
"rules": {
"enabled": ["KKR001", "KKR002", "KKR003"]
},
"users": [
{
"name": "admin",
"apiKey": "user-api-key"
}
]
}Some settings can be overridden using environment variables:
KUBECONFIG: Path to kubeconfig fileKUBEKAVACH_CONFIG: Path to KubeKavach configuration file
# 1. Check available rules
kubekavach rules --severity CRITICAL
# 2. Scan your cluster
kubekavach scan --namespace production
# 3. If issues found, replay problematic pod for debugging
kubekavach replay -n production -p suspicious-pod-123
# 4. Start API server for integration
kubekavach api --port 8080
# 5. Configure for your environment
kubekavach config set api.port 8080
kubekavach config set rules.enabled '["KKR001","KKR002"]'#!/bin/bash
# CI/CD pipeline security check
# Run security scan
kubekavach scan --namespace staging > scan-results.txt
# Check if any critical issues found
if grep -q "CRITICAL" scan-results.txt; then
echo "Critical security issues found!"
cat scan-results.txt
exit 1
fi
echo "Security scan passed"# Scan multiple namespaces
for ns in production staging development; do
echo "Scanning namespace: $ns"
kubekavach scan --namespace $ns
echo "---"
doneKubeKavach provides detailed error messages and handling for common scenarios:
# Error: Could not connect to Kubernetes API server
# Solution: Check kubeconfig and cluster connectivity
kubectl cluster-info
kubekavach scan --kubeconfig ~/.kube/config# Error: Forbidden: Insufficient permissions
# Solution: Check RBAC permissions
kubectl auth can-i list pods
kubectl auth can-i list deployments# Error: Invalid configuration key
# Solution: Check available configuration keys
kubekavach config getProblem: kubeconfig error: file not found
Solution:
# Set KUBECONFIG environment variable
export KUBECONFIG=~/.kube/config
# Or specify explicitly
kubekavach scan --kubeconfig ~/.kube/configProblem: Scan completes but finds no resources
Solution:
# Check if resources exist in namespace
kubectl get pods -n your-namespace
# Verify cluster connectivity
kubectl cluster-infoProblem: API server fails to start
Solution:
# Check if port is available
netstat -tlnp | grep :3000
# Try different port
kubekavach api --port 8080Problem: No security rules are applied
Solution:
# Check available rules
kubekavach rules
# Verify rule configuration
kubekavach config get rules.enabledFor troubleshooting, you can enable verbose logging by setting the DEBUG environment variable:
DEBUG=kubekavach:* kubekavach scanIf you encounter issues not covered in this documentation:
- Check the GitHub issues: https://github.com/gensecaihq/kubekavach/issues
- Review the logs for detailed error messages
- Ensure you're using the latest version:
kubekavach --version
This documentation is for KubeKavach CLI version 0.1.0.
For the latest updates and features, visit: https://kubekavach.gensecai.org