Kubernetes
Kubernetes Queries List¶
This page contains all queries from Kubernetes.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Always Admit Admission Control Plugin Set ce30e584-b33f-4c7d-b418-a3d7027f8f60 |
High | Access Control | When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin | Documentation |
| Client Certificate Authentication Not Setup Properly e0e00aba-5f1c-4981-a542-9a9563c0ee20 |
High | Access Control | Client Certificate Authentication should be Setup with a .pem file | Documentation |
| Token Auth File Is Set 32ecd76e-7bbf-402e-bf48-8b9485749558 |
High | Access Control | When using kube-apiserver command, the 'token-auth-file' flag should not be set | Documentation |
| Service Account Lookup Set To False a5530bd7-225a-48f9-91bb-f40b04200165 |
High | Access Control | When using kube-apiserver command, the '--service-account-lookup' flag should be set to true | Documentation |
| Node Restriction Admission Control Plugin Not Set 33fc6923-6553-4fe6-9d3a-4efa51eb874b |
High | Access Control | When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Use Service Account Credentials Not Set To True 1acd93f1-5a37-45c0-aaac-82ece818be7d |
High | Access Control | When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true | Documentation |
| Basic Auth File Is Set 5da47109-f8d6-4585-9e2b-96a8958a12f5 |
High | Access Control | When using kube-apiserver command, the 'basic-auth-file' flag should not be set | Documentation |
| Pod Security Policy Admission Control Plugin Not Set afa36afb-39fe-4d94-b9b6-afb236f7a03d |
High | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Service Account Private Key File Not Defined ccc98ff7-68a7-436e-9218-185cb0b0b780 |
High | Encryption | When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined | Documentation |
| Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. | Documentation |
| Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
High | Insecure Configurations | Container should not share the host process ID namespace | Documentation |
| Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
| NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities | Documentation |
| Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false | Documentation |
| Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
High | Insecure Configurations | Container should not share the host network namespace | Documentation |
| PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
| Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process | Documentation |
| Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
High | Insecure Configurations | Container should not share the host IPC namespace | Documentation |
| Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
High | Insecure Configurations | Check if there is any Tiller Service present | Documentation |
| Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
High | Insecure Configurations | Check if any objects are using a deprecated version of API. | Documentation |
| Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
| Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
High | Networking and Firewall | Check if any Tiller Deployment container allows access from within the cluster. | Documentation |
| Insecure Bind Address Set b9380fd3-5ffe-4d10-9290-13e18e71eee1 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-bind-address' flag should not be set | Documentation |
| Secure Port Set To Zero 3d24b204-b73d-42cb-b0bf-1a5438c5f71e |
High | Networking and Firewall | When using kube-apiserver command, the --secure-port flag should not be 0 | Documentation |
| TSL Connection Certificate Not Setup fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f |
High | Networking and Firewall | TSL Connection Certificate files should be Setup | Documentation |
| Kubelet HTTPS Set To False cdc8b54e-6b16-4538-a1b0-35849dbe29cf |
High | Networking and Firewall | When using kube-apiserver command, the '--kubelet-https' flag should not be set to false | Documentation |
| Insecure Port Not Properly Set fa4def8c-1898-4a35-a139-7b76b1acdef0 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 | Documentation |
| Etcd Peer TLS Certificate Files Not Properly Set 09bb9e96-8da3-4736-b89a-b36814acca60 |
High | Networking and Firewall | When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined | Documentation |
| Bind Address Not Properly Set 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 |
High | Networking and Firewall | When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 | Documentation |
| Etcd TLS Certificate Files Not Properly Set 075ca296-6768-4322-aea2-ba5063b969a9 |
High | Networking and Firewall | When using etcd commands, the '--cert-file' and '--key-file' should be defined | Documentation |
| Etcd TLS Certificate Not Properly Configured 895a5a95-3756-4b04-9924-2f3bc93181bd |
High | Networking and Firewall | When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined | Documentation |
| PSP With Unrestricted Access to Host Path de4421f1-4e35-43b4-9783-737dd4e4a47e |
High | Resource Management | PodSecurityPolicy should set 'readOnly' to true in every host path allowed | Documentation |
| Peer Auto TLS Set To True ae8827e2-4af9-4baa-9998-87539ae0d6f0 |
High | Secret Management | When using etcd commands, the '--peer-auto-tls' should be set to false | Documentation |
| Auto TLS Set To True 98ce8b81-7707-4734-aa39-627c6db3d84b |
High | Secret Management | When using etcd commands, the '--auto-tls' should be set to false | Documentation |
| Service Account Admission Control Plugin Disabled 9587c890-0524-40c2-9ce2-663af7c2f063 |
Medium | Access Control | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin | Documentation |
| RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Medium | Access Control | Minimize access to secrets (RBAC) | Documentation |
| Authorization Mode Set To Always Allow f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 |
Medium | Access Control | When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode | Documentation |
| Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
| Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
| Anonymous Auth Is Not Set To False 1de5cc51-f376-4638-a940-20f2e85ae238 |
Medium | Access Control | When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) | Documentation |
| Authorization Mode RBAC Not Set 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e |
Medium | Access Control | When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode | Documentation |
| Request Timeout Not Properly Set d89a15bb-8dba-4c71-9529-bef6729b9c09 |
Medium | Availability | When using kube-apiserver command, the '--request-timeout' flag value should not be too long | Documentation |
| Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Medium | Availability | Check if Readiness Probe is not configured. | Documentation |
| Terminated Pod Garbage Collector Threshold Not Properly Set 49113af4-29ca-458e-b8d4-724c01a4a24f |
Medium | Availability | When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 | Documentation |
| Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Medium | Best Practices | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise | Documentation |
| Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
| Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Medium | Best Practices | Check if containers are running with low UID, which might cause conflicts with the host's user table. | Documentation |
| Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
Medium | Build Process | Limit capabilities for a Pod Security Policy | Documentation |
| Always Pull Images Admission Control Plugin Not Set a77f4d07-c6e0-4a48-8b35-0eeb51576f4f |
Medium | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Medium | Build Process | Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
| Encryption Provider Not Properly Configured 10efce34-5af6-4d83-b414-9e096d5a06a9 |
Medium | Encryption | The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider | Documentation |
| Weak TLS Cipher Suites 510d5810-9a30-443a-817d-5c1fa527b110 |
Medium | Encryption | TLS Connection should use strong Cipher Suites | Documentation |
| Encryption Provider Config Is Not Defined cbd2db69-0b21-4c14-8a40-7710a50571a9 |
Medium | Encryption | When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file | Documentation |
| Root CA File Not Defined 05fb986f-ac73-4ebb-a5b2-7faafa93d882 |
Medium | Encryption | When using kube-controller-manager commands, the '--root-ca-file' should be defined | Documentation |
| PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged. | Documentation |
| PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace | Documentation |
| Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
| NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities | Documentation |
| Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Medium | Insecure Configurations | Containers should not have added capability | Documentation |
| Using Unrecommended Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used | Documentation |
| PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
| Authorization Mode Node Not Set 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 |
Medium | Insecure Configurations | When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode | Documentation |
| Not Limited Capabilities For Container 2f1a0619-b12b-48a0-825f-993bb6f01d58 |
Medium | Insecure Configurations | Limit the capabilities for a Container. | Documentation |
| Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory | Documentation |
| Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. | Documentation |
| Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Medium | Insecure Configurations | Check if any resource does not configure Seccomp default profile properly | Documentation |
| Security Context Deny Admission Control Plugin Not Set 6a68bebe-c021-492e-8ddb-55b0567fb768 |
Medium | Insecure Configurations | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set | Documentation |
| Kubelet Protect Kernel Defaults Set To False 6cf42c97-facd-4fda-b8af-ea4529123355 |
Medium | Insecure Configurations | --protect-kernel-defaults should be set to true | Documentation |
| PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
| Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
| PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
| Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Medium | Insecure Defaults | A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. | Documentation |
| Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
| Kubelet Streaming Connection Timeout Disabled ed89b97d-04e9-4fd4-919f-ee5b27e555e9 |
Medium | Networking and Firewall | The flag --streaming-connection-idle-timeout should not be set to 0 | Documentation |
| Service With External Load Balance 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
| Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Medium | Networking and Firewall | Check if any pod is not being targeted by a proper network policy. | Documentation |
| Kubelet Not Managing Ip Tables 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 |
Medium | Networking and Firewall | Kubelet argument --make-iptables-util-chains should be true | Documentation |
| Kubelet Read Only Port Is Not Set To Zero 2940d48a-dc5e-4178-a3f8-bfbd80720b41 |
Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) | Documentation |
| Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
| Audit Policy File Not Defined 13a49a2e-488e-4309-a7c0-d6b05577a5fb |
Medium | Observability | When using kube-apiserver command, the '--audit-policy-file' flag should be defined | Documentation |
| Audit Log Path Not Set 73e251f0-363d-4e53-86e2-0a93592437eb |
Medium | Observability | When using kube-apiserver command, the 'audit-log-path' flag should be defined | Documentation |
| Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
| Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes | Documentation |
| Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory | Documentation |
| CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
| CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
| Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
| Etcd Peer Client Certificate Authentication Set To False b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff |
Medium | Secret Management | When using etcd commands, the '--peer-client-cert-auth' flag should be set to true | Documentation |
| Etcd Client Certificate File Not Defined 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 |
Medium | Secret Management | When using kube-apiserver commands, the '--etcd-cafile' flag should be defined | Documentation |
| ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Medium | Secret Management | Roles and ClusterRoles when binded, should not use get, list or watch as verbs | Documentation |
| Service Account Key File Not Properly Set dab4ec72-ce2e-4732-b7c3-1757dcce01a1 |
Medium | Secret Management | When using kube-apiserver command, the '--service-account-key-file' flag should be defined | Documentation |
| Kubelet Client Certificate Or Key Not Set 36a27826-1bf5-49da-aeb0-a60a30c0e834 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set | Documentation |
| Not Unique Certificate Authority cb7e695d-6a85-495c-b15f-23aed2519303 |
Medium | Secret Management | Certificate Authority should be unique for etcd | Documentation |
| Kubelet Client Periodic Certificate Switch Disabled 52d70f2e-3257-474c-b3dc-8ad9ba6a061a |
Medium | Secret Management | Kubelet argument --rotate-certificates should be true | Documentation |
| Etcd Client Certificate Authentication Set To False 9391103a-d8d7-4671-ac5d-606ba7ccb0ac |
Medium | Secret Management | When using etcd commands, the '--client-cert-auth' flag should be defined | Documentation |
| Rotate Kubelet Server Certificate Not Active 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 |
Medium | Secret Management | The RotateKubeletServerCertificate argument should be true | Documentation |
| Kubelet Certificate Authority Not Set ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set | Documentation |
| Missing AppArmor Profile 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources | Documentation |
| Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
| RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
Low | Access Control | Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions) | Documentation |
| Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Low | Availability | Check if the StatefulSets have a headless 'serviceName' | Documentation |
| HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Low | Availability | Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set | Documentation |
| StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| Event Rate Limit Admission Control Plugin Not Set e0099af2-fe17-411f-9991-0de28fe15f3c |
Low | Availability | When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Low | Availability | The Horizontal Pod Autoscale must target a valid object | Documentation |
| Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
| No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context | Documentation |
| Namespace Lifecycle Admission Control Plugin Disabled 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 |
Low | Build Process | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin | Documentation |
| Root Container Not Mounted Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Low | Build Process | Check if the root container filesystem is not being mounted read-only. | Documentation |
| StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Low | Build Process | A StatefulSet requests volume storage. | Documentation |
| Image Policy Webhook Admission Control Plugin Not Set 14abda69-8e91-4acb-9931-76e2bee90284 |
Low | Build Process | When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Low | Insecure Configurations | If not needed, disabling the dashboard can prevent from being used as an attack vector | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
| Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Low | Insecure Configurations | Service should Target a Pod | Documentation |
| Pod or Container Without ResourceQuota 48a5beba-e4c0-4584-a2aa-e6894e4cf424 |
Low | Insecure Configurations | Pod or Container should have a ResourceQuota associated | Documentation |
| Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity | Documentation |
| Kubelet Hostname Override Is Set bf36b900-b5ef-4828-adb7-70eb543b7cfb |
Low | Insecure Configurations | Hostnames should not be overrided | Documentation |
| Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
| Pod or Container Without LimitRange 4a20ebac-1060-4c81-95d1-1f7f620e983b |
Low | Insecure Configurations | Pod or Container should have a LimitRange associated | Documentation |
| Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Low | Networking and Firewall | Service type should not be NodePort | Documentation |
| Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified | Documentation |
| Audit Log Maxage Not Properly Set da9f3aa8-fbfb-472f-b5a1-576127944218 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days | Documentation |
| Audit Log Maxsize Not Properly Set 35c0a471-f7c8-4993-aa2c-503a3c712a66 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes | Documentation |
| Audit Log Maxbackup Not Properly Set 768aab52-2504-4a2f-a3e3-329d5a679848 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files | Documentation |
| Profiling Not Set To False 2f491173-6375-4a84-b28e-a4e2b9a58a69 |
Low | Observability | When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false | Documentation |
| Kubelet Event QPS Not Properly Set 1a07a446-8e61-4e4d-bc16-b0781fcb8211 |
Low | Observability | When using the kubelet command, the '--event-qps' should be set to 0 | Documentation |
| Audit Policy Not Cover Key Security Concerns 1828a670-5957-4bc5-9974-47da228f75e2 |
Low | Observability | Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies | Documentation |
| CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined | Documentation |
| Container CPU Requests Not Equal To It's Limits 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 |
Low | Resource Management | A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. | Documentation |
| StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Low | Resource Management | Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| Container Memory Requests Not Equal To It's Limits aafa7d94-62de-4fbf-8838-b69ee217b0e6 |
Low | Resource Management | A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. | Documentation |
| Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| Container Requests Not Equal To It's Limits aee3c7d2-a811-4201-90c7-11c028be9a46 |
Low | Resource Management | Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively | Documentation |
| Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Low | Secret Management | Container should not use secrets as environment variables | Documentation |
| Invalid Image Tag 583053b7-e632-46f0-b989-f81ff8045385 |
Low | Supply-Chain | Image tag must be defined and not be empty or equal to latest. | Documentation |
| Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Info | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it | Documentation |