Wiz
All articles

What is a Kubernetes Bill of Materials (KBOM)?

Wiz Experts Team
6 minute read
Get your Kubernetes Security Cheat SheetSee Wiz in Action
Main takeaways from KBOMs:

  • A KBOM inventories every orchestration-layer component—from control-plane services and node binaries to CNI plugins and custom resources.

  • With a KBOM, you can map CVEs to precise cluster elements, generate audit-ready snapshots on demand, and enforce policy gates in your CI/CD pipelines.

  • You can automate KBOM generation on every change, version each snapshot in Git, and lock critical components to immutable digests.

  • Regularly pulling KBOM data into security dashboards, embedding checks in GitOps workflows, and syncing with vulnerability scanners keeps your cluster continuously compliant.

  • By leveraging Wiz KSPM’s agentless discovery, graph-based risk prioritization, and built-in compliance checks, you can supercharge your KBOM-driven security controls.

A Kubernetes bill of materials (KBOM) is a structured, queryable manifest that inventories every component running in your Kubernetes cluster. Unlike traditional SBOMs, KBOMs are designed to evolve in step with your cluster, providing real-time visibility into control planes, nodes, custom resources, and third-party add-ons.

KBOMS cut through cluster complexity by providing a single source of truth for control planes, nodes, custom resource definitions (CRDs), and third-party add-ons. With a KBOM, you can quickly map vulnerabilities, audit configurations, and streamline incident response.

Kubernetes has become the de facto operating system for cloud-native workloads. But as you spin up clusters, supply chain threats lurk beneath every container pull. Guidelines from NIST and the White House mandate complete transparency on software components, pushing you to prove what's running in each node and pod. Missing a single outdated CRD or a patched kubelet could open an unpatched backdoor or trigger compliance headaches.

This blog post will explain how a KBOM tailors the classic SBOM concept to Kubernetes—and why that matters for container security. You’ll gain a clear plan for creating and sharing a KBOM while integrating it into your Kubernetes security best practices. By the end, you'll be able to confidently conduct vulnerability scans, generate audit exports, and automate updates to your KBOM.

The State of Code Security Report [2025]

The State of Code Security Report 2025 highlights a rise in supply chain attacks targeting open-source packages, including malicious injections in NPM and PyPI ecosystems. A robust SBOM is crucial to mitigating these risks.

Download report

Comparing KBOMs, SBOMs, and AI-BOMs

The YAML examples below illustrate how each “BOM” targets a different scope:

  • An SBOM inventories application libraries and their checksums.

  • An AI-BOM documents datasets, training/inference components, and pipeline steps.

  • A KBOM enumerates Kubernetes-specific orchestration elements—control-plane services, node-level binaries, and add-on plugins.

SBOM AI-BOMKBOM

spdxVersion: SPDX-2.2

dataLicense: CC0-1.0

documentName: example-appcomponents:

  • name: expressversion: “4.17.1"

checksum: sha256:abc123…

  • name: lodashversion: “4.17.21"

checksum: sha256:def456…

bomFormat: AI-BOM-1.0

modelName: image-classifier

modelVersion: "v2.3.0"

components:

  • name: training-data

type: dataset

uri: s3://ml-bucket/images

checksum: sha256:789ghi…

  • name: inference-engine

type: library

version: “1.5.2"

checksum: sha256:jkl012…

pipeline:

  • step: preprocess-images
  • step: train-model
  • step: deploy

apiVersion: bom.k8s.io/v1alpha1

kind: KubernetesBillOfMaterials

metadata:

name: prod-cluster-kbom

components:

controlPlane:

  • name: kube-apiserver

version: “v1.25.3"

digest: sha256:aaa111…

  • name: kube-scheduler

version: “v1.25.3"

digest: sha256:bbb222…

nodeLevel:

  • name: kubelet

version: “v1.25.3"

digest: sha256:ccc333…

thirdPartyAddOns:

  • name: cert-manager

version: “v1.7.1"

digest: sha256:eee555…

  • name: istio-ingress

version: “1.13.2"

digest: sha256:fff666…

Inside the KBOM: Structure and key components

The core components of a KBOM and its structure show you which part of the orchestration layer you're inspecting at a glance.

Let's see how a KBOM organizes itself into clear sections mapped directly to a cluster layer:

SectionExample components
Control planeAPI server, scheduler, controller manager
Node levelKubelet, kube-proxy, container runtime, OS version, kernel hash
Third-party add-onsService mesh, GitOps operator, CSI drivers, CRDs
ConfigurationsConfigMaps, secrets, CRD schemas, admission controllers

Every KBOM entry carries metadata like image digests, version numbers, and checksums. Those fields let you pin down the exact build, detect unauthorized changes, and maintain audit integrity. You can even tag entries with maintainers or team ownership to speed up handoffs.

Kubernetes Secure Coding Best Practices [Cheat Sheet]

Download PDF

Why KBOM matters: Visibility, security, and compliance

With a KBOM, all that messy cluster detail becomes an organized inventory. You gain three huge advantages right out of the gate:

Enhanced visibility

When dozens of pods, sidecars, and plugins are live, you need a single source of truth. A KBOM provides that ingredients list for your cluster, letting you:

  • Track container image tags and digests across namespaces

  • Verify CRD versions powering custom workloads

  • Monitor service mesh and CSI driver components centrally

  • Identify the drift between expected and actual configurations

A KBOM remains accurate and dynamic by implementing real-time synchronization with your Kubernetes cluster. Automated agents or agentless scans (such as those provided by Wiz Cloud’s agentless discovery) continuously monitor changes in control plane services, node binaries, and custom resources.

These scans trigger reconciliation processes that update the KBOM within your CI/CD pipelines. The process may involve automated diffing between sequential KBOM snapshots, reconciling divergences by comparing current state metadata (like imageDigest in pod specs) against a verified, immutable manifest version registered in Git.

Security benefits

KBOMs rapidly map new CVEs to the exact cluster elements that use vulnerable code or libraries. That means you can:

  • Generate alerts for kubelet or container runtime flaws

  • Create dependency graphs linking digests to vulnerable layers

  • Assign priority levels based on public exploit data

  • Correlate KBOM data with SIEM logs for historic vulnerability tracking

  • Automate policy gates in CI/CD to block bad deployments

Compliance and audit readiness

Auditors love a clear component roster. With a KBOM, you can:

  • Export a timestamped JSON or CSV manifest on demand

  • Show historical snapshots proving version history

  • Demonstrate coverage for CRDs, admission controllers, and plugins

  • Provide stakeholder-friendly reports for internal and external reviews

Best practices for KBOM management

The following best practices cover how to version, automate, and share your KBOM to stay fresh, reliable, and integrated with your security workflows.

Regular updates and version control

  • Regenerate the KBOM on every Helm upgrade, configuration change, or node addition.

  • Commit each KBOM snapshot to Git with a matching release tag.

  • Automate diffs between versions and alert on unexpected changes.

  • Lock critical components to digests rather than mutable tags to avoid silent shifts.

Integration with security posture tools

  • Push KBOM data into vulnerability scanners (CVE mapping, dependency graphs).

  • Trigger policy-as-code gates in CI using webhooks on kubectl apply.

  • Sync KBOMs with KSPM or CSPM platforms to correlate with runtime telemetry.

  • Schedule regular KBOM pulls into your security dashboard via API for trend analysis.

Collaboration and sharing

  • Store KBOM exports alongside application code or in an artifact registry.

  • Grant read-only access to auditors and security reviewers.

  • Embed KBOM checks in pull requests for on-the-spot feedback.

  • Host periodic KBOM review sessions with platform, security, and compliance teams.

wiz academy

Kubernetes Monitoring Tools and Best Practices to Know

Read more

Enhancing security with KBOM

Your KBOM isn't just a manifest—it's a live map you can query to lock down risks before they pop off. By building actionable checks around your KBOM, you turn it into a real-time security control.

Rapid vulnerability assessment

Use your KBOM to quickly find assets affected by new CVEs and start scans automatically:

  • Pull the latest CVE feed into your KBOM scanner on every build.

  • Automate a KBOM query that spits out affected components within minutes of a CVE release.

  • Tag high-priority services (such as control plane binaries) in your KBOM so scans focus on them.

  • Integrate with Kubernetes security tools to block deployments of vulnerable images at commit time.

Streamlined incident response

When a breach or misconfiguration surfaces, your KBOM lets you pinpoint root causes and remediate at light speed:

  • Query version and digest metadata in your KBOM to identify exactly which node or pod is compromised.

  • Auto-trigger rollback playbooks when a KBOM alert flags a bad digest, reverting to a safe version.

  • Enrich incident tickets with KBOM context—component owner, build date, image digest—for faster handoffs.

  • Compare pre- and post-incident KBOM snapshots to spot unauthorized drifts and prevent repeat incidents.

Strengthening supply chain integrity

Embed KBOM checks throughout your pipeline to catch rogue or unapproved components before they ever hit production:

  • Schedule KBOM regenerations after every Helm release and diff against the golden manifest to flag drifts.

  • Configure your GitOps pipeline to reject PRs that introduce components not listed in the KBOM.

  • Monitor artifact registries and update your KBOM automatically when new digests appear.

  • Set drift thresholds (such as minor version bumps) that trigger alerts if the KBOM isn't refreshed—keeping container security tightly enforced.

With Wiz, KBOM data becomes even more powerful. Wiz ingests Kubernetes configurations, infrastructure metadata, and runtime telemetry into its unified Security Graph—connecting CVEs, misconfigurations, and network exposure in real time. This enables teams to not only scan KBOMs but also correlate them to live attack paths and business-critical risks.

Wiz: From KBOM Visibility to Complete Kubernetes Security

Wiz begins by auto-generating a live Kubernetes Bill of Materials—instantly cataloging every control-plane binary, node component, CRD, and add-on with no agents to deploy. That KBOM feeds the Wiz Security Graph, which links each component to CVEs, misconfigurations, network exposure, and identity risk so you know exactly which vulnerable kubelets or plugins form real attack paths.

Beyond inventory, Wiz delivers full Kubernetes Security Posture Management: continuous CIS benchmark checks, drift detection for RBAC and admission-controller policies, and context-rich alerts when pod security settings or network policies weaken. Graph analytics highlight “toxic combinations” (e.g., an exposed API server plus an over-permissioned service account) while one-click fixes and IaC pull-request suggestions accelerate remediation.

Runtime signals complete the picture—Wiz correlates anomalous process activity, outbound connections, and container escapes back to the graph, giving you end-to-end detection and response without sidecars or kernel agents. See how KBOM visibility, posture management, and graph-driven risk prioritization come together in one platform—request a demo of Wiz for Kubernetes security.