KubeDojo

Static Analysis: Kubesec, KubeLinter, and Trivy

by Alexis Kinsella · 16 min read

A Deployment with privileged: true and CAP_SYS_ADMIN is one kubectl apply away from giving an attacker root on your node. Add a writable root filesystem and no capability drops, and you've created an ideal breakout target. These misconfigurations ship to production every day, not because engineers don't know better, but because nobody checked.

Static analysis tools check. They scan your Kubernetes manifests and container images before anything reaches the cluster, flagging dangerous configurations and known vulnerabilities. The CKS exam tests this directly under the Supply Chain Security domain (20%), naming Kubesec and KubeLinter as tools candidates must be able to use.
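
To make the idea concrete, here is a minimal sketch of the kind of pre-deployment check described above. It is an added example, not code from the lesson and not how Kubesec, KubeLinter or Trivy are implemented. The sample manifest, the finding names and the functions pod_spec and scan are constructed for illustration.

```python
import json

# Constructed sample manifest (JSON form of a Deployment), not from the lesson.
MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "demo"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "risky", "image": "example.invalid/app:1.0",
     "securityContext": {"privileged": true,
                         "capabilities": {"add": ["SYS_ADMIN"]}}},
    {"name": "hardened", "image": "example.invalid/app:1.0",
     "securityContext": {"privileged": false,
                         "readOnlyRootFilesystem": true,
                         "capabilities": {"drop": ["ALL"]}}}
  ]}}}
}
""")


def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that uses spec.template."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def scan(manifest):
    """Return sorted (container, finding) pairs for the four settings named above."""
    findings = []
    spec = pod_spec(manifest)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # Manifests name capabilities without the CAP_ prefix; accept both spellings.
        added = {a.upper().removeprefix("CAP_") for a in caps.get("add") or []}
        dropped = {d.upper() for d in caps.get("drop") or []}
        if sc.get("privileged") is True:
            findings.append((c["name"], "privileged"))
        if added & {"SYS_ADMIN", "ALL"}:
            findings.append((c["name"], "adds-sys-admin"))
        if sc.get("readOnlyRootFilesystem") is not True:  # unset means writable
            findings.append((c["name"], "writable-rootfs"))
        if not dropped:
            findings.append((c["name"], "no-capability-drop"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in scan(MANIFEST):
        print(f"{name}: {finding}")
```

Running it against the sample reports four findings for the risky container and none for the hardened one; a container with no securityContext at all is still flagged for the writable root filesystem and the missing capability drop.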
