
Kubernetes Queries List

This page lists all Kubernetes queries.

| Query | ID | Severity | Category | Description |
|---|---|---|---|---|
| Client Certificate Authentication Not Setup Properly | e0e00aba-5f1c-4981-a542-9a9563c0ee20 | High | Access Control | Client certificate authentication should be set up with a .pem or .crt file |
| Basic Auth File Is Set | 5da47109-f8d6-4585-9e2b-96a8958a12f5 | High | Access Control | When using the kube-apiserver command, the '--basic-auth-file' flag should not be set |
| Use Service Account Credentials Not Set To True | 1acd93f1-5a37-45c0-aaac-82ece818be7d | High | Access Control | When using kube-controller-manager commands, '--use-service-account-credentials' should be set to true |
| Node Restriction Admission Control Plugin Not Set | 33fc6923-6553-4fe6-9d3a-4efa51eb874b | High | Access Control | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'NodeRestriction' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| Token Auth File Is Set | 32ecd76e-7bbf-402e-bf48-8b9485749558 | High | Access Control | When using the kube-apiserver command, the '--token-auth-file' flag should not be set |
| Always Admit Admission Control Plugin Set | ce30e584-b33f-4c7d-b418-a3d7027f8f60 | High | Access Control | When using the kube-apiserver command, the '--enable-admission-plugins' flag should not include the 'AlwaysAdmit' plugin |
| RBAC Wildcard In Rule | 6b896afb-ca07-467a-b256-1a0077a1c08e | High | Access Control | Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends specifying only the set of needed objects and actions |
| Service Account Lookup Set To False | a5530bd7-225a-48f9-91bb-f40b04200165 | High | Access Control | When using the kube-apiserver command, the '--service-account-lookup' flag should be set to true |
| Pod Security Policy Admission Control Plugin Not Set | afa36afb-39fe-4d94-b9b6-afb236f7a03d | High | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'PodSecurityPolicy' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| Service Account Private Key File Not Defined | ccc98ff7-68a7-436e-9218-185cb0b0b780 | High | Encryption | When using kube-controller-manager commands, '--service-account-private-key-file' should be defined |
| Not Limited Capabilities For Pod Security Policy | caa93370-791f-4fc6-814b-ba6ce0cb4032 | High | Insecure Configurations | Limit capabilities for a Pod Security Policy |
| Shared Host PID Namespace | 302736f4-b16c-41b8-befe-c0baffa0bd9d | High | Insecure Configurations | Containers should not share the host process ID namespace |
| Cluster Allows Unsafe Sysctls | 9127f0d9-2310-42e7-866f-5fd9d20dcbad | High | Insecure Configurations | A Kubernetes cluster must not allow unsafe sysctls, to prevent a pod from influencing any other pod on the node, harming the node's health, or gaining CPU or memory resources outside of its resource limits. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined |
| PSP Allows Containers To Share The Host Network Namespace | a33e9173-b674-4dfb-9d82-cf3754816e4b | High | Insecure Configurations | Check whether Pod Security Policies allow containers to share the host network namespace |
| Tiller (Helm v2) Is Deployed | 6d173be7-545a-46c6-a81d-2ae52ed1605d | High | Insecure Configurations | Check whether Tiller is deployed |
| Tiller Service Is Not Deleted | 8b862ca9-0fbd-4959-ad72-b6609bdaa22d | High | Insecure Configurations | Check whether any Tiller Service is present |
| NET_RAW Capabilities Not Being Dropped | dbbc6705-d541-43b0-b166-dd4be8208b54 | High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities |
| Object Is Using A Deprecated API Version | 94b76ea5-e074-4ca2-8a03-c5a606e30645 | High | Insecure Configurations | Check whether any objects are using a deprecated API version |
| Privilege Escalation Allowed | 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d | High | Insecure Configurations | Containers should not run with 'allowPrivilegeEscalation', in order to prevent them from gaining more privileges than their parent process |
| Container Is Privileged | dd29336b-fe57-445b-a26e-e6aa867ae609 | High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or setting it to false |
| Role Binding To Default Service Account | 1e749bc9-fde8-471c-af0c-8254efd2dee5 | High | Insecure Defaults | No Role or ClusterRole should bind to a default service account |
| Etcd TLS Certificate Not Properly Configured | 895a5a95-3756-4b04-9924-2f3bc93181bd | High | Networking and Firewall | When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined |
| Insecure Port Not Properly Set | fa4def8c-1898-4a35-a139-7b76b1acdef0 | High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 |
| Etcd Peer TLS Certificate Files Not Properly Set | 09bb9e96-8da3-4736-b89a-b36814acca60 | High | Networking and Firewall | When using etcd commands, '--peer-cert-file' and '--peer-key-file' should be defined |
| Etcd TLS Certificate Files Not Properly Set | 075ca296-6768-4322-aea2-ba5063b969a9 | High | Networking and Firewall | When using etcd commands, '--cert-file' and '--key-file' should be defined |
| TLS Connection Certificate Not Setup | fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f | High | Networking and Firewall | TLS connection certificate files should be set up |
| Insecure Bind Address Set | b9380fd3-5ffe-4d10-9290-13e18e71eee1 | High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-bind-address' flag should not be set |
| Bind Address Not Properly Set | 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 | High | Networking and Firewall | When using kube-controller-manager or kube-scheduler commands, '--bind-address' should not be set to 127.0.0.1 |
| Secure Port Set To Zero | 3d24b204-b73d-42cb-b0bf-1a5438c5f71e | High | Networking and Firewall | When using the kube-apiserver command, the '--secure-port' flag should not be 0 |
| Tiller Deployment Is Accessible From Within The Cluster | e17fa86a-6222-4584-a914-56e8f6c87e06 | High | Networking and Firewall | Check whether any Tiller Deployment container allows access from within the cluster |
| Kubelet HTTPS Set To False | cdc8b54e-6b16-4538-a1b0-35849dbe29cf | High | Networking and Firewall | When using the kube-apiserver command, the '--kubelet-https' flag should not be set to false |
| PSP With Unrestricted Access to Host Path | de4421f1-4e35-43b4-9783-737dd4e4a47e | High | Resource Management | PodSecurityPolicy should set 'readOnly' to true for every allowed host path |
| Auto TLS Set To True | 98ce8b81-7707-4734-aa39-627c6db3d84b | High | Secret Management | When using etcd commands, '--auto-tls' should be set to false |
| Peer Auto TLS Set To True | ae8827e2-4af9-4baa-9998-87539ae0d6f0 | High | Secret Management | When using etcd commands, '--peer-auto-tls' should be set to false |
| Authorization Mode Set To Always Allow | f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 | Medium | Access Control | When using the kubelet command, the '--authorization-mode' flag should not include the 'AlwaysAllow' mode |
| RBAC Roles with Exec Permission | c589f42c-7924-4871-aee2-1cede9bc7cbc | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' subresource should not be used in production environments |
| RBAC Roles with Attach Permission | d45330fd-f58d-45fb-a682-6481477a0f84 | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, a malicious user could attach to a privileged container, resulting in privilege escalation. To prevent this, the 'pods/attach' subresource should not be used in production environments |
| RBAC Roles with Impersonate Permission | 9f85c3f6-26fd-4007-938a-2e0cb0100980 | Medium | Access Control | Roles or ClusterRoles with the 'impersonate' permission allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation |
| Service Account Admission Control Plugin Disabled | 9587c890-0524-40c2-9ce2-663af7c2f063 | Medium | Access Control | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'ServiceAccount' plugin |
| Non Kube System Pod With Host Mount | aa8f7a35-9923-4cad-bd61-a19b7f6aac91 | Medium | Access Control | A non-kube-system workload should not have a hostPath mounted |
| RBAC Roles with Read Secrets Permissions | b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 | Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes Secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data such as passwords, tokens and keys |
| Anonymous Auth Is Not Set To False | 1de5cc51-f376-4638-a940-20f2e85ae238 | Medium | Access Control | When using the kubelet or kube-apiserver command, the '--anonymous-auth' flag should be set to false (--anonymous-auth=false) |
| Permissive Access to Create Pods | 592ad21d-ad9b-46c6-8d2d-fad09d62a942 | Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation |
| Authorization Mode RBAC Not Set | 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e | Medium | Access Control | When using the kube-apiserver command, the '--authorization-mode' flag should include the 'RBAC' mode |
| RBAC Roles with Port-Forwarding Permission | 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions |
| RBAC Roles Allow Privilege Escalation | 8320826e-7a9c-4b0b-9535-578333193432 | Medium | Access Control | Roles or ClusterRoles with the RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges |
| Terminated Pod Garbage Collector Threshold Not Properly Set | 49113af4-29ca-458e-b8d4-724c01a4a24f | Medium | Availability | When using kube-controller-manager commands, '--terminated-pod-gc-threshold' should be set between 0 and 12501 |
| Readiness Probe Is Not Configured | a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 | Medium | Availability | Check whether a readiness probe is not configured |
| Request Timeout Not Properly Set | d89a15bb-8dba-4c71-9529-bef6729b9c09 | Medium | Availability | When using the kube-apiserver command, the '--request-timeout' flag value should not be too long |
| Container Running With Low UID | 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 | Medium | Best Practices | Check whether containers are running with a low UID, which might cause conflicts with the host's user table |
| Container Running As Root | cf34805e-3872-4c08-bf92-6ff7bb0cfadb | Medium | Best Practices | Containers should only run as a non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise |
| Root Containers Admitted | e3aa0612-4351-4a0d-983f-aefea25cf203 | Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged', 'allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden |
| Incorrect Volume Claim Access Mode ReadWriteOnce | 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 | Medium | Build Process | Kubernetes StatefulSets must have one volume claim template with the access mode 'ReadWriteOnce' |
| Always Pull Images Admission Control Plugin Not Set | a77f4d07-c6e0-4a48-8b35-0eeb51576f4f | Medium | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'AlwaysPullImages' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| Encryption Provider Config Is Not Defined | cbd2db69-0b21-4c14-8a40-7710a50571a9 | Medium | Encryption | When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined, and encryption should be correctly configured in the EncryptionConfiguration file |
| Weak TLS Cipher Suites | 510d5810-9a30-443a-817d-5c1fa527b110 | Medium | Encryption | TLS connections should use strong cipher suites |
| Root CA File Not Defined | 05fb986f-ac73-4ebb-a5b2-7faafa93d882 | Medium | Encryption | When using kube-controller-manager commands, '--root-ca-file' should be defined |
| Encryption Provider Not Properly Configured | 10efce34-5af6-4d83-b414-9e096d5a06a9 | Medium | Encryption | The EncryptionConfiguration should have at least one 'aescbc', 'kms' or 'secretbox' provider |
| Workload Mounting With Sensitive OS Directory | 5308a7a8-06f8-45ac-bf10-791fe21de46e | Medium | Insecure Configurations | The workload mounts a volume from a sensitive OS directory |
| PSP With Added Capabilities | 7307579a-3abb-46ad-9ce5-2a915634d5c8 | Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities |
| Ingress Controller Exposes Workload | 69bbc5e3-0818-4150-89cc-1e989b48f23b | Medium | Insecure Configurations | Ingress controllers should not expose workloads, in order to avoid vulnerabilities and DoS attacks |
| NET_RAW Capabilities Disabled for PSP | 2270987f-bb51-479f-b8be-3ca73e5ad648 | Medium | Insecure Configurations | Containers need to have 'NET_RAW' or 'ALL' among their dropped capabilities |
| PSP Set To Privileged | c48e57d3-d642-4e0b-90db-37f807b41b91 | Medium | Insecure Configurations | Do not allow pods to request execution as privileged |
| PSP Allows Sharing Host IPC | 80f93444-b240-4ebb-a4c6-5c40b76c04ea | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace |
| Containers With Added Capabilities | 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 | Medium | Insecure Configurations | Containers should not have extra capabilities allowed |
| Security Context Deny Admission Control Plugin Not Set | 6a68bebe-c021-492e-8ddb-55b0567fb768 | Medium | Insecure Configurations | When using the kube-apiserver command and the 'PodSecurityPolicy' plugin is not set, the '--enable-admission-plugins' flag should include the 'SecurityContextDeny' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| Seccomp Profile Is Not Configured | f377b83e-bd07-4f48-a591-60c82b14a78b | Medium | Insecure Configurations | Containers should be configured with a secure seccomp profile to restrict potentially dangerous syscalls |
| Using Unrecommended Namespace | 611ab018-c4aa-4ba2-b0f6-a448337509a6 | Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used |
| Kubelet Protect Kernel Defaults Set To False | 6cf42c97-facd-4fda-b8af-ea4529123355 | Medium | Insecure Configurations | '--protect-kernel-defaults' should be set to true |
| Containers With Sys Admin Capabilities | 235236ee-ad78-4065-bd29-61b061f28ce0 | Medium | Insecure Configurations | Containers should not have the CAP_SYS_ADMIN Linux capability |
| Container Runs Unmasked | f922827f-aab6-447c-832a-e1ff63312bd3 | Medium | Insecure Configurations | Check whether a container has full (unmasked) access to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime |
| PSP Allows Privilege Escalation | 87554eef-154d-411d-bdce-9dbd91e56851 | Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation |
| Not Limited Capabilities For Container | 2f1a0619-b12b-48a0-825f-993bb6f01d58 | Medium | Insecure Configurations | Limit the capabilities for a container |
| PSP Allows Sharing Host PID | 91dacd0e-d189-4a9c-8272-5999a3cc32d9 | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace |
| Authorization Mode Node Not Set | 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 | Medium | Insecure Configurations | When using the kube-apiserver command, the '--authorization-mode' flag should include the 'Node' mode |
| Service Account Token Automount Not Disabled | 48471392-d4d0-47c0-b135-cdec95eb3eef | Medium | Insecure Defaults | Service account tokens are automatically mounted even when not necessary |
| Service Account Name Undefined Or Empty | 591ade62-d6b0-4580-b1ae-209f80ba1cd9 | Medium | Insecure Defaults | A Kubernetes Pod should have a service account defined so as to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty |
| Kubelet Streaming Connection Timeout Disabled | ed89b97d-04e9-4fd4-919f-ee5b27e555e9 | Medium | Networking and Firewall | The flag '--streaming-connection-idle-timeout' should not be set to 0 |
| CNI Plugin Does Not Support Network Policies | 03aabc8c-35d6-481e-9c85-20139cf72d23 | Medium | Networking and Firewall | Ensure the use of a CNI plugin that supports Network Policies. If the CNI plugin in use does not support Network Policies, it may not be possible to effectively restrict traffic in the cluster |
| Kubelet Read Only Port Is Not Set To Zero | 2940d48a-dc5e-4178-a3f8-bfbd80720b41 | Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) |
| Pod Misconfigured Network Policy | 0401f71b-9c1e-4821-ab15-a955caa621be | Medium | Networking and Firewall | Check whether any pod is not targeted by a proper network policy |
| Network Policy Is Not Targeting Any Pod | 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 | Medium | Networking and Firewall | Check whether any network policy is not targeting any pod |
| Service With External Load Balancer | 26763a1c-5dda-4772-b507-5fca7fb5f165 | Medium | Networking and Firewall | The Service has an external load balancer, which may make it accessible from other networks and the Internet |
| Kubelet Not Managing IP Tables | 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 | Medium | Networking and Firewall | The kubelet argument '--make-iptables-util-chains' should be true |
| Audit Log Path Not Set | 73e251f0-363d-4e53-86e2-0a93592437eb | Medium | Observability | When using the kube-apiserver command, the '--audit-log-path' flag should be defined |
| Audit Policy File Not Defined | 13a49a2e-488e-4309-a7c0-d6b05577a5fb | Medium | Observability | When using the kube-apiserver command, the '--audit-policy-file' flag should be defined |
| Memory Limits Not Defined | b14d1bc4-a208-45db-92f0-e21f8e2588e9 | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory |
| CPU Requests Not Set | ca469dd4-c736-448f-8ac1-30a642705e0a | Medium | Resource Management | CPU requests should be set to ensure that the sum of the resource requests of the scheduled containers is less than the capacity of the node |
| Shared Host IPC Namespace | cd290efd-6c82-4e9d-a698-be12ae31d536 | Medium | Resource Management | Containers should not share the host IPC namespace |
| Memory Requests Not Defined | 229588ef-8fde-40c8-8756-f4f2b5825ded | Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes |
| CPU Limits Not Set | 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda | Medium | Resource Management | CPU limits should be set because, if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| Shared Host Network Namespace | 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a | Medium | Resource Management | Containers should not share the host network namespace |
| Volume Mount With OS Directory Write Permissions | b7652612-de4e-4466-a0bf-1cd81f0c6063 | Medium | Resource Management | Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries |
| Kubelet Client Certificate Or Key Not Set | 36a27826-1bf5-49da-aeb0-a60a30c0e834 | Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-client-key' and '--kubelet-client-certificate' flags should be set |
| Etcd Client Certificate File Not Defined | 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 | Medium | Secret Management | When using kube-apiserver commands, the '--etcd-cafile' flag should be defined |
| Kubelet Certificate Authority Not Set | ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 | Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-certificate-authority' flag should be set |
| Shared Service Account | c1032cf7-3628-44e2-bd53-38c17cf31b6b | Medium | Secret Management | A service account token is shared between workloads |
| Etcd Peer Client Certificate Authentication Set To False | b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff | Medium | Secret Management | When using etcd commands, the '--peer-client-cert-auth' flag should be set to true |
| ServiceAccount Allows Access Secrets | 056ac60e-fe07-4acc-9b34-8e1d51716ab9 | Medium | Secret Management | Roles and ClusterRoles, when bound, should not use get, list or watch as verbs |
| Etcd Client Certificate Authentication Set To False | 9391103a-d8d7-4671-ac5d-606ba7ccb0ac | Medium | Secret Management | When using etcd commands, the '--client-cert-auth' flag should be defined |
| Service Account Key File Not Properly Set | dab4ec72-ce2e-4732-b7c3-1757dcce01a1 | Medium | Secret Management | When using the kube-apiserver command, the '--service-account-key-file' flag should be defined |
| Not Unique Certificate Authority | cb7e695d-6a85-495c-b15f-23aed2519303 | Medium | Secret Management | The certificate authority should be unique for etcd |
| Rotate Kubelet Server Certificate Not Active | 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 | Medium | Secret Management | The RotateKubeletServerCertificate argument should be true |
| Kubelet Client Periodic Certificate Switch Disabled | 52d70f2e-3257-474c-b3dc-8ad9ba6a061a | Medium | Secret Management | The kubelet argument '--rotate-certificates' should be true |
| Missing AppArmor Profile | 8b36775e-183d-4d46-b0f7-96a6f34a723f | Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources |
| Docker Daemon Socket is Exposed to Containers | a6f34658-fdfb-4154-9536-56d516f65828 | Low | Access Control | Checks that the Docker daemon socket is not exposed to containers |
| Cluster Admin Rolebinding With Superuser Permissions | 249328b8-5f0f-409f-b1dd-029f07882e11 | Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) |
| Deployment Without PodDisruptionBudget | b23e9b98-0cb6-4fc9-b257-1f3270442678 | Low | Availability | Deployments should be assigned a PodDisruptionBudget to ensure high availability |
| Liveness Probe Is Not Defined | ade74944-a674-4e00-859e-c6eab5bde441 | Low | Availability | In case of an unresponsive container, a liveness probe can help your application become more available, since it restarts the container. However, it can lead to cascading failures. Define one only if you really need it |
| HPA Targets Invalid Object | 2f652c42-619d-4361-b361-9f599688f8ca | Low | Availability | The HorizontalPodAutoscaler must target a valid object |
| Event Rate Limit Admission Control Plugin Not Set | e0099af2-fe17-411f-9991-0de28fe15f3c | Low | Availability | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'EventRateLimit' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| StatefulSet Without PodDisruptionBudget | 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 | Low | Availability | StatefulSets should be assigned a PodDisruptionBudget to ensure high availability |
| StatefulSet Without Service Name | bb241e61-77c3-4b97-9575-c0f8a1e008d0 | Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service's labels should also be present in the StatefulSet's labels |
| HPA Targeted Deployments With Configured Replica Count | 5744cbb8-5946-4b75-a196-ade44449525b | Low | Availability | Deployments targeted by a HorizontalPodAutoscaler should not have a statically configured replica count |
| Metadata Label Is Invalid | 1123031a-f921-4c5b-bd86-ef354ecfd37a | Low | Best Practices | Check whether any label in the metadata is invalid |
| No Drop Capabilities for Containers | 268ca686-7fb7-4ae9-b129-955a2a89064e | Low | Best Practices | Checks whether dropped capabilities are defined in the container's security context |
| Root Container Not Mounted Read-only | a9c2f49d-0671-4fc9-9ece-f4e261e128d0 | Low | Build Process | Check whether the root container filesystem is not mounted read-only |
| Namespace Lifecycle Admission Control Plugin Disabled | 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 | Low | Build Process | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'NamespaceLifecycle' plugin |
| Image Policy Webhook Admission Control Plugin Not Set | 14abda69-8e91-4acb-9931-76e2bee90284 | Low | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'ImagePolicyWebhook' plugin, and the plugin should be correctly configured in the AdmissionControl config file |
| StatefulSet Requests Storage | 8cf4671a-cf3d-46fc-8389-21e7405063a2 | Low | Build Process | A StatefulSet requests volume storage |
| Pod or Container Without ResourceQuota | 48a5beba-e4c0-4584-a2aa-e6894e4cf424 | Low | Insecure Configurations | Each namespace should have an associated ResourceQuota policy to limit the total amount of resources that Pods, Containers and PersistentVolumeClaims can consume |
| Kubelet Hostname Override Is Set | bf36b900-b5ef-4828-adb7-70eb543b7cfb | Low | Insecure Configurations | Hostnames should not be overridden |
| Dashboard Is Enabled | d2ad057f-0928-41ef-a83c-f59203bb855b | Low | Insecure Configurations | If not needed, disabling the dashboard prevents it from being used as an attack vector |
| Service Does Not Target Pod | 3ca03a61-3249-4c16-8427-6f8e47dda729 | Low | Insecure Configurations | A Service should target a Pod |
| Pod or Container Without Security Context | a97a340a-0063-418e-b3a1-3028941d0995 | Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container |
| Pod or Container Without LimitRange | 4a20ebac-1060-4c81-95d1-1f7f620e983b | Low | Insecure Configurations | Each namespace should have an associated LimitRange policy to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries |
| Image Pull Policy Of The Container Is Not Set To Always | caa3479d-885d-4882-9aac-95e5e78ef5c2 | Low | Insecure Configurations | The image pull policy of the container must be defined and set to Always |
| Image Without Digest | 7c81d34c-8e5a-402b-9798-9f442630e678 | Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity |
| Service Type is NodePort | 845acfbe-3e10-4b8e-b656-3b404d36dfb2 | Low | Networking and Firewall | Service type should not be NodePort |
| Workload Host Port Not Specified | 2b1836f1-dcce-416e-8e16-da8c71920633 | Low | Networking and Firewall | Verifies whether a Kubernetes workload's host port is specified |
| Audit Log Maxsize Not Properly Set | 35c0a471-f7c8-4993-aa2c-503a3c712a66 | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more megabytes |
| Audit Log Maxbackup Not Properly Set | 768aab52-2504-4a2f-a3e3-329d5a679848 | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files |
| Kubelet Event QPS Not Properly Set | 1a07a446-8e61-4e4d-bc16-b0781fcb8211 | Low | Observability | When using the kubelet command, '--event-qps' should be set to 0 |
| Profiling Not Set To False | 2f491173-6375-4a84-b28e-a4e2b9a58a69 | Low | Observability | When using the kube-apiserver, kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false |
| Audit Policy Not Cover Key Security Concerns | 1828a670-5957-4bc5-9974-47da228f75e2 | Low | Observability | The audit policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies |
| Audit Log Maxage Not Properly Set | da9f3aa8-fbfb-472f-b5a1-576127944218 | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days |
| Container Requests Not Equal To Its Limits | aee3c7d2-a811-4201-90c7-11c028be9a46 | Low | Resource Management | Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes, and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively |
| Container CPU Requests Not Equal To Its Limits | 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 | Low | Resource Management | A Pod's containers must have the same CPU requests as limits set, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.cpu' must equal 'limits.cpu', and both must be defined |
| Container Memory Requests Not Equal To Its Limits | aafa7d94-62de-4fbf-8838-b69ee217b0e6 | Low | Resource Management | A Pod's containers must have the same memory requests as limits set, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.memory' must equal 'limits.memory', and both must be defined |
| StatefulSet Has No PodAntiAffinity | d740d048-8ed3-49d3-b77b-6f072f3b669e | Low | Resource Management | Check whether StatefulSet resources lack a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node |
| Deployment Has No PodAntiAffinity | a31b7b82-d994-48c4-bd21-3bab6c31827a | Low | Resource Management | Check whether Deployment resources lack a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node |
| CronJob Deadline Not Configured | 192fe40b-b1c3-448a-aba2-6cc19a300fe3 | Low | Resource Management | CronJobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined |
| Secrets As Environment Variables | 3d658f8b-d988-41a0-a841-40043121de1e | Low | Secret Management | Containers should not use secrets as environment variables |
| Invalid Image Tag | 583053b7-e632-46f0-b989-f81ff8045385 | Low | Supply-Chain | The image tag must be defined and must not be empty or equal to 'latest' |
| Ensure Administrative Boundaries Between Resources | e84eaf4d-2f45-47b2-abe8-e581b06deb66 | Info | Access Control | As a best practice, ensure that namespaces are used correctly to adequately administer your resources. Kubernetes authorization plugins can also be used to create policies that segregate user access to namespaces |
| Using Kubernetes Native Secret Management | b9c83569-459b-4110-8f79-6305aa33cb37 | Info | Secret Management | If you have more complex secret management needs, consider using an external secret storage and management system rather than Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited |