Kubernetes Queries List¶
This page contains all queries from Kubernetes.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
High | Insecure Configurations | Check if any objects are using a deprecated version of API. | Documentation |
| Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
High | Insecure Configurations | Container should not share the host network namespace | Documentation |
| Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
High | Insecure Configurations | Do not allow container to be privileged. | Documentation |
| Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
High | Insecure Configurations | Check if there is any Tiller Service present | Documentation |
| Host Aliases Undefined Or Empty 72b03514-20ae-4409-8842-2dd70c2e25aa |
High | Insecure Configurations | A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null. | Documentation |
| Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
| Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
| Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
High | Insecure Configurations | Container should not share the host IPC namespace | Documentation |
| Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined. | Documentation |
| PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
| NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
High | Insecure Configurations | Containers should drop 'NET_RAW' or 'ALL' capabilities | Documentation |
| Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process | Documentation |
| Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
High | Insecure Configurations | Container should not share the host process ID namespace | Documentation |
| Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
| Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
High | Networking and Firewall | Check if any Tiller Deployment container allows access from within the cluster. | Documentation |
| RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Medium | Access Control | Minimize access to secrets (RBAC) | Documentation |
| Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
| Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Medium | Availability | Check if Readiness Probe is not configured. | Documentation |
| Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Medium | Availability | Liveness Probe must be defined. | Documentation |
| Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Medium | Best Practices | Check if containers are running as root unduly. | Documentation |
| Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Medium | Best Practices | Check if containers are running with low UID, which might cause conflicts with the host's user table. | Documentation |
| Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
| Resource With Allow Privilege Escalation 0a7c420c-4568-4cec-ba36-4d42a6f9613b |
Medium | Best Practices | Minimize the admission of privileged resources | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Medium | Build Process | Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
| Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
| PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace | Documentation |
| Not Limited Capabilities For Container 2f1a0619-b12b-48a0-825f-993bb6f01d58 |
Medium | Insecure Configurations | Limit the capabilities for a Container. | Documentation |
| Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory | Documentation |
| NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities | Documentation |
| PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged. | Documentation |
| Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Medium | Insecure Configurations | Containers should not have added capability | Documentation |
| PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
| Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Medium | Insecure Configurations | Check if any resource does not configure Seccomp default profile properly | Documentation |
| PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
| Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. | Documentation |
| PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
| Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
| Using Default Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Medium | Insecure Configurations | The default namespace should not be used | Documentation |
| Default Service Account In Use b93e973e-9066-4455-a63b-c1c0e1ec3a48 |
Medium | Insecure Configurations | Default service accounts should not be actively used | Documentation |
| Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
| Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Medium | Insecure Defaults | A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. | Documentation |
| Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Medium | Networking and Firewall | Check if any pod is not being targeted by a proper network policy. | Documentation |
| Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
| Service With External Load Balance 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
| Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Medium | Resource Management | Memory limits should be specified | Documentation |
| CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
| Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
| Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Medium | Resource Management | Memory requests should be specified | Documentation |
| CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
| Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
| ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Medium | Secret Management | Roles and ClusterRoles when binded, should not use get, list or watch as verbs | Documentation |
| Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Low | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
| Missing App Armor Config 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack | Documentation |
| RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
Low | Access Control | Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions) | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
| Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers | Documentation |
| Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Low | Availability | Check if the StatefulSets have a headless 'serviceName' | Documentation |
| HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Low | Availability | Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set | Documentation |
| HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Low | Availability | The Horizontal Pod Autoscale must target a valid object | Documentation |
| Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
| No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context | Documentation |
| Root Container Not Mounted As Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Low | Build Process | Check if the root container filesystem is not being mounted as read-only. | Documentation |
| StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Low | Build Process | A StatefulSet requests volume storage. | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
| Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Low | Insecure Configurations | Sees if Kubernetes image has digest on | Documentation |
| Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Low | Insecure Configurations | Service should Target a Pod | Documentation |
| Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Low | Insecure Configurations | If not needed, disabling the dashboard can prevent from being used as an attack vector | Documentation |
| Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
| Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Low | Networking and Firewall | Service type should not be NodePort | Documentation |
| Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified | Documentation |
| Container Requests Not Equal To It's Limits aee3c7d2-a811-4201-90c7-11c028be9a46 |
Low | Resource Management | A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined. | Documentation |
| Container Memory Requests Not Equal To It's Limits aafa7d94-62de-4fbf-8838-b69ee217b0e6 |
Low | Resource Management | A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. | Documentation |
| StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Low | Resource Management | Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined | Documentation |
| Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| Container CPU Requests Not Equal To It's Limits 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 |
Low | Resource Management | A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. | Documentation |
| Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Low | Secret Management | Container should not use secrets as environment variables | Documentation |
| Invalid Image 583053b7-e632-46f0-b989-f81ff8045385 |
Low | Supply-Chain | Image must be defined and not be empty or equal to latest. | Documentation |