Skip to content

Kubernetes

Kubernetes Queries List

This page contains all queries from Kubernetes.

Query Severity Category Description Help
Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d
High Insecure Configurations Container should not share the host process ID namespace Documentation
Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032
High Insecure Configurations Limit capabilities for a Pod Security Policy Documentation
NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54
High Insecure Configurations Containers should drop 'NET_RAW' or 'ALL' capabilities Documentation
Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad
High Insecure Configurations A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an unsafe sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined. Documentation
Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d
High Insecure Configurations Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process Documentation
Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609
High Insecure Configurations Do not allow container to be privileged. Documentation
Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a
High Insecure Configurations Container should not share the host network namespace Documentation
Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536
High Insecure Configurations Container should not share the host IPC namespace Documentation
Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d
High Insecure Configurations Check if there is any Tiller Service present Documentation
PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b
High Insecure Configurations Check if Pod Security Policies allow containers to share the host network namespace. Documentation
Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa
High Insecure Configurations A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null. Documentation
Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d
High Insecure Configurations Check if Tiller is deployed. Documentation
Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645
High Insecure Configurations Check if any objects are using a deprecated version of API. Documentation
Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5
High Insecure Defaults No role nor cluster role should bind to a default service account Documentation
Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06
High Networking and Firewall Check if any Tiller Deployment container allows access from within the cluster. Documentation
PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e
High Resource Management PodSecurityPolicy should set 'readOnly' to true in every host path allowed Documentation
RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14
Medium Access Control Minimize access to secrets (RBAC) Documentation
Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91
Medium Access Control A non kube-system workload should not have hostPath mounted Documentation
Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3
Medium Availability Check if Readiness Probe is not configured. Documentation
Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441
Medium Availability Liveness Probe must be defined. Documentation
Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203
Medium Best Practices Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden Documentation
Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660
Medium Best Practices Check if containers are running with low UID, which might cause conflicts with the host's user table. Documentation
Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b
Medium Best Practices Minimize the admission of privileged resources Documentation
Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb
Medium Best Practices Check if containers are running as root unduly. Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9
Medium Build Process Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' Documentation
PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea
Medium Insecure Configurations Pod Security Policy allows containers to share the host IPC namespace Documentation
Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0
Medium Insecure Configurations Containers should not have CAP_SYS_ADMIN Linux capability Documentation
Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e
Medium Insecure Configurations Workload is mounting a volume with sensitive OS Directory Documentation
PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8
Medium Insecure Configurations PodSecurityPolicy should not have added capabilities Documentation
NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648
Medium Insecure Configurations Containers need to have NET_RAW or All as drop capabilities Documentation
Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48
Medium Insecure Configurations Default service accounts should not be actively used Documentation
PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851
Medium Insecure Configurations PodSecurityPolicy should not allow privilege escalation Documentation
PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9
Medium Insecure Configurations Pod Security Policy allows containers to share the host process ID namespace Documentation
Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6
Medium Insecure Configurations Namespaces like 'default', 'kube-system' or 'kube-public' should not be used Documentation
Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3
Medium Insecure Configurations Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. Documentation
Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b
Medium Insecure Configurations Check if any resource does not configure Seccomp default profile properly Documentation
Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58
Medium Insecure Configurations Limit the capabilities for a Container. Documentation
PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91
Medium Insecure Configurations Do not allow pod to request execution as privileged. Documentation
Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40
Medium Insecure Configurations Containers should not have added capability Documentation
Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b
Medium Insecure Configurations Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks Documentation
Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9
Medium Insecure Defaults A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. Documentation
Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef
Medium Insecure Defaults Service Account Tokens are automatically mounted even if not necessary Documentation
Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3
Medium Networking and Firewall Check if any network policy is not targeting any pod. Documentation
Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165
Medium Networking and Firewall Service has an external load balancer, which may cause accessibility from other networks and the Internet Documentation
Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be
Medium Networking and Firewall Check if any pod is not being targeted by a proper network policy. Documentation
Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9
Medium Resource Management Memory limits should be specified Documentation
CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda
Medium Resource Management CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests Documentation
Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063
Medium Resource Management Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. Documentation
CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a
Medium Resource Management CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node Documentation
Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded
Medium Resource Management Memory requests should be specified Documentation
Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b
Medium Secret Management A Service Account token is shared between workloads Documentation
ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9
Medium Secret Management Roles and ClusterRoles when binded, should not use get, list or watch as verbs Documentation
Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f
Low Access Control Containers should be configured with AppArmor for any application to reduce its potential attack Documentation
Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11
Low Access Control Ensure that the cluster-admin role is only used where required (RBAC) Documentation
RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e
Low Access Control Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions) Documentation
Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942
Low Access Control The permission to create pods in a cluster should be restricted because it allows privilege escalation. Documentation
Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828
Low Access Control Sees if Docker Daemon Socket is not exposed to Containers Documentation
StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5
Low Availability StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability Documentation
StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0
Low Availability Check if the StatefulSets have a headless 'serviceName' Documentation
Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678
Low Availability Deployments should be assigned with a PodDisruptionBudget to ensure high availability Documentation
HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca
Low Availability The Horizontal Pod Autoscale must target a valid object Documentation
HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b
Low Availability Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set Documentation
No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e
Low Best Practices Sees if Kubernetes Drop Capabilities exists to ensure containers security context Documentation
Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a
Low Best Practices Check if any label in the metadata is invalid. Documentation
Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0
Low Build Process Check if the root container filesystem is not being mounted as read-only. Documentation
StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2
Low Build Process A StatefulSet requests volume storage. Documentation
Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b
Low Insecure Configurations If not needed, disabling the dashboard can prevent from being used as an attack vector Documentation
Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729
Low Insecure Configurations Service should Target a Pod Documentation
Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2
Low Insecure Configurations Image Pull Policy of the container must be defined and set to Always Documentation
Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678
Low Insecure Configurations Sees if Kubernetes image has digest on Documentation
Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995
Low Insecure Configurations A security context defines privilege and access control settings for a Pod or Container Documentation
Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b
Low Insecure Configurations Pod or Container should have a LimitRange associated Documentation
Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424
Low Insecure Configurations Pod or Container should have a ResourceQuota associated Documentation
Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633
Low Networking and Firewall Verifies if Kubernetes workload's host port is specified Documentation
Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2
Low Networking and Firewall Service type should not be NodePort Documentation
Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6
Low Resource Management A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. Documentation
StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e
Low Resource Management Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. Documentation
Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6
Low Resource Management A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. Documentation
CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3
Low Resource Management Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined Documentation
Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46
Low Resource Management A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined. Documentation
Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a
Low Resource Management Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. Documentation
Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e
Low Secret Management Container should not use secrets as environment variables Documentation
Invalid Image
583053b7-e632-46f0-b989-f81ff8045385
Low Supply-Chain Image must be defined and not be empty or equal to latest. Documentation