Why is a privileged container dangerous?

A privileged container largely removes the isolation between the container and the host node - it can access devices, load kernel modules, and manipulate the host, so a compromise of that container is effectively a compromise of the node and often the whole cluster. The same goes for hostNetwork, hostPID, hostPath mounts, and adding capabilities like SYS_ADMIN. These should be rare and deliberate; if a workload has them by default, that is a finding.

Why set resource limits on every container?

Without limits, a single container can consume all the CPU and memory on a node, starving every other pod and potentially taking the node down - the noisy-neighbor problem. Memory limits also let the kubelet OOM-kill a leaking container instead of the whole node falling over. Requests and limits make scheduling predictable and isolate failures to the workload that caused them.

Is it safe to paste my manifest?

Yes. The auditor runs entirely in your browser - nothing you paste is uploaded or logged. It reads the structure of the YAML locally. Manifests sometimes embed secrets directly, which is itself a finding the tool flags; secrets belong in a Secret or an external store, referenced by the manifest, not inlined.

Free tool · Runs in your browser · Nothing uploaded

Audit your Kubernetes manifest.

A YAML that deploys fine can still hand an attacker the node. Paste your Deployment or Pod manifest and get a security audit — privileged, hostPath, runAsRoot, missing limits, :latest, dangerous capabilities — each with the fix.

100% client-side

Deploys fine, owns the node

Kubernetes will happily run an insecure pod. A privileged: true, a hostPath mounting the node filesystem, a container running as root with no resource limits — none of it errors, and all of it widens the blast radius from “one compromised app” to “the node, and maybe the cluster.” These are the defaults people copy from a tutorial and never revisit. This catches the common ones in seconds, with the one-line fix.

Catching it once in a manifest is the start; keeping it caught across every workload and every cluster, and proving the posture held, is the standing job — the kind of continuous, inspectable control a control plane gives you over the infrastructure you run.

Related free tools

Deploy to your own serverPush-to-deploy, your box systemd service generatorKeep your app running Reverse proxy + HTTPSCaddy / nginx + HTTPS DNS records helperPoint your domain

All free tools →

Catch it here. Keep it caught.

Infraveil governs and audits what runs across the infrastructure you own — with the least-privilege defaults, change gating, and tamper-evident record that turn a one-time fix into a standing guarantee.

See how it works

Get the secure-Kubernetes playbook

Pod security, limits, and hardening for workloads you run. No spam.