Security Operator
Overview
The DevZero Security Operator scans your Kubernetes workloads for vulnerabilities, misconfigurations, and compliance issues.
Security Operator
The Security Operator automatically scans your Kubernetes cluster for security issues and reports them via CRDs and the DevZero dashboard.
What It Scans
| Scanner | What It Checks | CRD Output |
|---|---|---|
| Vulnerability Scanner | Known CVEs in container images | VulnerabilityReport |
| Config Audit Scanner | Kubernetes resource misconfigurations | ConfigAuditReport |
| Exposed Secret Scanner | Hardcoded credentials in images | ExposedSecretReport |
| RBAC Assessment | Over-permissive RBAC roles | RbacAssessmentReport |
| Infrastructure Assessment | Node-level security issues | InfraAssessmentReport |
| Compliance Scanner | CIS, NSA, PSS benchmark compliance | ClusterComplianceReport |
How It Works
- The operator watches for new or updated workloads in your cluster
- For each workload, it creates scan jobs that analyze container images and resource configurations
- Scan results are stored as CRDs in the cluster and sent to the DevZero platform
- The DevZero dashboard aggregates results across clusters for a unified security view
Compliance Frameworks
The operator supports three compliance frameworks out of the box:
- CIS Kubernetes Benchmark -- Center for Internet Security best practices
- NSA Kubernetes Hardening Guide -- National Security Agency recommendations
- Pod Security Standards (PSS) -- Kubernetes-native pod security levels (Baseline, Restricted)
Compliance reports are generated on a configurable schedule (default: every 6 hours).
Installation
```shell
helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace
```
Replace <CHART_VERSION> with the chart version you intend to deploy. The operator begins scanning all namespaces automatically after installation; because scans run as jobs inside the cluster, reports appear once those jobs have completed rather than immediately.
Viewing Scan Results
```shell
# Vulnerability reports
kubectl get vulnerabilityreports -A

# Configuration audit reports
kubectl get configauditreports -A

# Compliance reports
kubectl get clustercompliancereport -n dakr-security-system

# View specific report details
kubectl get vulnerabilityreport <name> -n <namespace> -o yaml
```
Reports are automatically sent to the DevZero platform for visualization in the dashboard.
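The commands above list the reports the operator writes (see How It Works); the next thing a practitioner usually wants is the worst findings pulled out of that output. The script below is an added example, not code from the DevZero documentation or from the operator itself. It reads the JSON that `kubectl get vulnerabilityreports -A -o json` prints (piped on stdin), filters findings by severity, optionally keeps only those with a fixed version available, and ranks reports worst first. It assumes the report layout of the Trivy Operator, whose CRD names match the table above (`report.artifact`, `report.vulnerabilities[]` entries with `vulnerabilityID`, `severity`, `installedVersion`, `fixedVersion`); this page does not state the DevZero operator's exact schema, so inspect one report with `-o yaml` before relying on the field names. The embedded sample list and its CVE-style identifiers are constructed placeholders, not real advisories.

```python
import json
import sys

# Severity order used for filtering and sorting (Trivy-style severity strings).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_reports(json_text):
    """Accept a single VulnerabilityReport or the List that
    `kubectl get vulnerabilityreports -A -o json` prints."""
    data = json.loads(json_text)
    if str(data.get("kind", "")).endswith("List"):
        return data.get("items", [])
    return [data]


def triage(items, min_severity="HIGH", fixable_only=False):
    """Return a list of (namespace, name, image, findings), worst report first.
    findings = [(vulnerabilityID, severity, installedVersion, fixedVersion), ...]
    at or above min_severity, highest severity first. Reports with nothing
    left after filtering are dropped. Field names follow the assumed
    (Trivy Operator style) schema described in the lead-in."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    results = []
    for item in items:
        meta = item.get("metadata", {})
        report = item.get("report", {})
        artifact = report.get("artifact", {})
        image = "%s:%s" % (artifact.get("repository", "?"), artifact.get("tag", "?"))
        findings = []
        for vuln in report.get("vulnerabilities", []):
            severity = str(vuln.get("severity", "UNKNOWN")).upper()
            if severity not in SEVERITY_RANK:
                severity = "UNKNOWN"  # unexpected strings are treated as lowest
            if SEVERITY_RANK[severity] < threshold:
                continue
            fixed = vuln.get("fixedVersion") or ""
            if fixable_only and not fixed:
                continue  # nothing to upgrade to yet; leave it for the tracker
            findings.append((vuln.get("vulnerabilityID"), severity,
                             vuln.get("installedVersion"), fixed))
        if findings:
            findings.sort(key=lambda f: -SEVERITY_RANK[f[1]])
            results.append((meta.get("namespace"), meta.get("name"), image, findings))
    # Worst report first: highest top severity, then the most findings.
    results.sort(key=lambda r: (-SEVERITY_RANK[r[3][0][1]], -len(r[3])))
    return results


# Constructed sample in the assumed schema; the CVE-style IDs are placeholders.
SAMPLE_JSON = json.dumps({
    "kind": "VulnerabilityReportList",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "replicaset-web-abc12-nginx"},
            "report": {
                "artifact": {"repository": "library/nginx", "tag": "1.16"},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0001", "severity": "HIGH",
                     "installedVersion": "1.1.1a", "fixedVersion": ""},
                    {"vulnerabilityID": "CVE-0000-0002", "severity": "CRITICAL",
                     "installedVersion": "1.2.8", "fixedVersion": "1.2.9"},
                    {"vulnerabilityID": "CVE-0000-0003", "severity": "LOW",
                     "installedVersion": "4.4", "fixedVersion": "4.5"},
                ],
            },
        },
        {
            "metadata": {"namespace": "payments", "name": "deployment-api-xyz99-api"},
            "report": {
                "artifact": {"repository": "acme/api", "tag": "2.3.0"},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0004", "severity": "MEDIUM",
                     "installedVersion": "7.64", "fixedVersion": "7.65"},
                ],
            },
        },
    ],
})


def main(argv):
    # `--sample` uses the constructed data; otherwise read kubectl's JSON from stdin.
    text = SAMPLE_JSON if "--sample" in argv else sys.stdin.read()
    min_sev = "CRITICAL" if "--critical" in argv else "HIGH"
    for ns, name, image, findings in triage(parse_reports(text), min_sev, "--fixable" in argv):
        print("%s/%s (%s)" % (ns, name, image))
        for vid, sev, installed, fixed in findings:
            print("  %-8s %s  %s -> %s" % (sev, vid, installed, fixed or "no fix"))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it against a live cluster with `kubectl get vulnerabilityreports -A -o json | python3 triage.py --fixable`, or `python3 triage.py --sample` to see the output shape offline. The `--fixable` filter is the one worth starting with: findings with a `fixedVersion` are the ones an image rebuild can actually close, while the rest need tracking rather than action.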