DEV.co
Open-Source Security · appvia

krane

Krane is a Kubernetes RBAC static analysis and visualization tool that identifies security risks in role-based access control configurations. It provides CLI, dashboard, and in-cluster deployment modes with built-in risk rules and Slack alerting.

Source: GitHub — github.com/appvia/krane
740
GitHub stars
34
Forks
Ruby
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryappvia/krane
Ownerappvia
Primary languageRuby
LicenseApache-2.0 — OSI-approved
Stars740
Forks34
Open issues55
Latest releasev0.1.3 (2024-12-18)
Last updated2026-02-13
Sourcehttps://github.com/appvia/krane

What krane is

Ruby-based tool that indexes Kubernetes RBAC entities (Roles, ClusterRoles, RoleBindings, ServiceAccounts) into a RedisGraph database, enabling CypherQL queries for risk analysis. Supports local file analysis, kubectl context access, and in-cluster deployment via Helm.

Quickstart

Get the krane source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/appvia/krane.gitcd krane# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

RBAC Security Audit and Compliance

Identify overly permissive roles, unused permissions, and risky RBAC configurations before deployment to production clusters.

CI/CD Pipeline Integration

Validate RBAC configurations as part of GitOps workflows to catch security issues early and enforce policy compliance.

Multi-Cluster RBAC Visualization and Querying

Use the dashboard to visualize RBAC hierarchies across clusters and run ad-hoc CypherQL queries to understand access patterns and dependencies.

Implementation considerations

  • RedisGraph dependency must be provisioned and maintained; docker-compose provided for local dev but production requires separate deployment strategy.
  • Service account requires cluster-admin-equivalent permissions (RBAC resources read access); validate least-privilege setup in your environment.
  • Built-in risk rules are fixed; custom rules require code modification or extension—no visible policy-as-code framework documented.
  • Dashboard runs on port 8000 by default; network access and authentication (not mentioned in data) require review for multi-tenant environments.
  • Helm chart available but requires Helm CLI; no Kustomize or plain YAML manifests mentioned in provided data.

When to avoid it — and what to weigh

  • Need mature, production-hardened tooling — Project is marked as beta stability with 55 open issues. Not recommended for mission-critical security gates without internal testing.
  • Require air-gapped or minimal dependencies — Requires RedisGraph as external dependency, adding operational overhead and complexity in restricted environments.
  • Kubernetes versions < 1.18 without PSP — Tool has strong coupling to PodSecurityPolicy concepts (deprecated in v1.21, removed in v1.25); viability uncertain for older clusters.
  • Teams unfamiliar with CypherQL or graph databases — Advanced querying requires understanding graph query language; learning curve for non-specialist teams.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive license permitting commercial use with attribution and no warranty.

Apache-2.0 is permissive and allows commercial use, internal modification, and redistribution. No proprietary restrictions. However, as beta-stability software, evaluate internal liability and support policies independently; vendor support model not stated in available data.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool performs static analysis of RBAC configurations; it does not audit runtime access logs or enforce policies. Krane itself requires read-only access to RBAC resources; ensure the service account follows least-privilege principles. RedisGraph datastore should be restricted (no credentials mentioned in docs); verify access control in multi-tenant setups. No input validation or injection protection details provided; review code if accepting untrusted RBAC definitions. Beta stability implies potential bugs; do not use as sole basis for access decisions in high-security environments.

Alternatives to consider

kubesec/kubesec

Container security static analyzer; more focused on pod security policies and runtime config vs. RBAC role coverage.

FairwindsOps/polaris

Kubernetes best practices auditor with broader coverage (security, resource requests, etc.); less specialized in RBAC but more mature.

Aqua Security/kubescape

Comprehensive Kubernetes security scanner with RBAC checks, runtime visibility, and commercial support; heavier but more feature-rich.

Software development agency

Build on krane with DEV.co software developers

Use Krane to identify overly permissive roles and security gaps in your Kubernetes clusters. Deploy via Helm, run locally, or integrate into CI/CD pipelines.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

krane FAQ

Can Krane enforce RBAC policies or only report on them?
Krane performs static analysis and reporting only. It does not enforce policies or modify cluster RBAC; integration into policy engines (e.g., Kyverno, OPA) would be required for enforcement.
What Kubernetes versions are supported?
Not explicitly stated in provided data. Tool handles PodSecurityPolicy (deprecated in 1.21, removed in 1.25), suggesting support for older versions, but current version compatibility requires review of release notes.
How are custom RBAC risk rules added?
README mentions custom rules can be 'modified or extended' but no authoring guide is provided. Code review or documentation beyond the README likely required.
Does Krane support Windows containers or non-Linux deployments?
Unknown. Data shows Ruby/Linux-focused tooling and Docker/Helm deployment; Windows/macOS client support not mentioned.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like krane. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Audit Your Kubernetes RBAC Today

Use Krane to identify overly permissive roles and security gaps in your Kubernetes clusters. Deploy via Helm, run locally, or integrate into CI/CD pipelines.