# Use Steampipe to scan Kubernetes configurations, manifest files, and helm charts > Query all aspects of your Kubernetes environment to answer ad-hoc questions or scan for security best practices. By Steampipe Team Published: 2023-10-04 Kubernetes environments are complex. It's a challenge to keep track of clusters, jobs, namespaces, deployments, nodes, pods, and roles, to ensure everything is configured securely, and to visualize how the parts fit together. The [Kubernetes plugin](https://hub.steampipe.io/plugins/turbot/kubernetes) made it possible to write SQL queries to answer questions about your K8s environment. Building on that foundation, the [Kubernetes Compliance](https://hub.steampipe.io/mods/turbot/kubernetes_compliance) mod added benchmarks and controls for CIS, NSA, and CISA best practices. Then the [Kubernetes Insights](https://hub.steampipe.io/mods/turbot/kubernetes_insights/dashboards) mod delivered a wealth of instant answers to common questions, along with powerful [relationship graphs](https://steampipe.io/blog/k8s-insights) to help you visualize the environment. At first all K8s queries — your own custom ones, and those that power benchmarks and dashboards — fetched data from live clusters. Now we've enhanced the plugin with the ability to query manifests and helm charts too. Let's look at some queries and controls that use the new capability with a simple helm chart [example](https://opensource.com/article/20/5/helm-charts). ## Query helm charts and Kubernetes deployments This query returns two rows from the [kubernetes_deployment](https://hub.steampipe.io/plugins/turbot/kubernetes/tables/kubernetes_deployment) table. ```sql select source_type, name, creation_timestamp from kubernetes_deployment where name = 'cherry-chart' order by creation_timestamp desc ``` ``` +----------------------+--------------+---------------------------+ | source_type | name | creation_timestamp | +----------------------+--------------+---------------------------+ | helm_rendered:charts | cherry-chart | | | deployed | cherry-chart | 2023-10-03T10:32:09-07:00 | +----------------------+--------------+---------------------------+ ``` Why two rows? We've configured the plugin's `source_types` argument as `["deployed", "helm"]`. So we're querying both the rendered helm chart — which doesn't know the `creation_timestamp` — and the deployment which does. ## Scan helm charts and Kubernetes deployments The `Kubernetes Compliance` mod builds on this foundation. For example, it's a best practice not to use the default namespace for a `ServiceAccount`. There's a [control](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/controls/control.service_account_default_namespace_used) to check for that, based on this [query](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/queries/service_account_default_namespace_used). ```sql select coalesce(uid, concat(path, ':', start_line)) as resource, case when namespace = 'default' then 'alarm' else 'ok' end as status, case when namespace = 'default' then name || ' uses default namespace.' else name || ' not using the default namespace.' end as reason, name as service_account_name, coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path from kubernetes_service_account; ``` Running the control shows that the helm chart and deployment are both green: no default namespace. ![helm green deploy green](/images/blog/2023-10-launch-kube-scans/helm-green-deploy-green.png) Now somebody improperly sets the namespace to `default` in `serviceaccount.yaml`. ```yaml {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: namespace: default name: {{ include "buildachart.serviceAccountName" . }} labels: {{ include "buildachart.labels" . | nindent 4 }} {{- end -}} ``` Now the control shows a mismatch between the chart and the deployment. ![helm red deploy green](/images/blog/2023-10-launch-kube-scans/helm-red-deploy-green.png) But we're going to deploy anyway. ``` helm upgrade my-cherry-chart buildachart/ ``` Now the chart and the deployment are both in the alarm state. ![helm red deploy red](/images/blog/2023-10-launch-kube-scans/helm-red-deploy-red.png) Let's properly set a namespace in the helm chart. ``` {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: namespace: cherry # must not be default! name: {{ include "buildachart.serviceAccountName" . }} labels: {{ include "buildachart.labels" . | nindent 4 }} {{- end -}} ``` Now we're back to a mixed result: the chart is green, but the deployment is still red. ![helm green deploy green](/images/blog/2023-10-launch-kube-scans/helm-green-deploy-red.png) After redeploying, we're back to green all around. ![helm green deploy green](/images/blog/2023-10-launch-kube-scans/helm-green-deploy-green.png) ## See it in action
## A wealth of queries and controls We've looked at just one of the [790 controls](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/controls) provided by the `Kubernetes Compliance` mod. Collectively they support best practices defined by [CIS Kubernetes v1.20](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/controls/benchmark.cis_kube_v120), [CIS v1.7.0](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/controls/benchmark.cis_v170), and [NSA and CISA Kubernetes Hardening Guidance v1.0](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/controls/benchmark.nsa_cisa_v1). Those controls build on [781 queries](https://hub.steampipe.io/mods/turbot/kubernetes_compliance/queries). Use them out of the box, or [reuse and remix](https://steampipe.io/blog/remixing-dashboards) to suit your needs. And please do [let us know](https://steampipe.io/community/join) how it goes!