Kubernetes
Kubernetes Queries List¶
This page contains all queries from Kubernetes.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Client Certificate Authentication Not Setup Properly e0e00aba-5f1c-4981-a542-9a9563c0ee20 |
High | Access Control | Client Certificate Authentication should be Setup with a .pem or .crt file | Documentation |
| Basic Auth File Is Set 5da47109-f8d6-4585-9e2b-96a8958a12f5 |
High | Access Control | When using kube-apiserver command, the 'basic-auth-file' flag should not be set | Documentation |
| Use Service Account Credentials Not Set To True 1acd93f1-5a37-45c0-aaac-82ece818be7d |
High | Access Control | When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true | Documentation |
| Node Restriction Admission Control Plugin Not Set 33fc6923-6553-4fe6-9d3a-4efa51eb874b |
High | Access Control | When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Token Auth File Is Set 32ecd76e-7bbf-402e-bf48-8b9485749558 |
High | Access Control | When using kube-apiserver command, the 'token-auth-file' flag should not be set | Documentation |
| Always Admit Admission Control Plugin Set ce30e584-b33f-4c7d-b418-a3d7027f8f60 |
High | Access Control | When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin | Documentation |
| RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
High | Access Control | Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions | Documentation |
| Service Account Lookup Set To False a5530bd7-225a-48f9-91bb-f40b04200165 |
High | Access Control | When using kube-apiserver command, the '--service-account-lookup' flag should be set to true | Documentation |
| Pod Security Policy Admission Control Plugin Not Set afa36afb-39fe-4d94-b9b6-afb236f7a03d |
High | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Service Account Private Key File Not Defined ccc98ff7-68a7-436e-9218-185cb0b0b780 |
High | Encryption | When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined | Documentation |
| Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
| Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
High | Insecure Configurations | Container should not share the host process ID namespace | Documentation |
| Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. | Documentation |
| PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
| Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
| Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
High | Insecure Configurations | Check if there is any Tiller Service present | Documentation |
| NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities | Documentation |
| Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
High | Insecure Configurations | Check if any objects are using a deprecated version of API. | Documentation |
| Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process | Documentation |
| Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false | Documentation |
| Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
| Etcd TLS Certificate Not Properly Configured 895a5a95-3756-4b04-9924-2f3bc93181bd |
High | Networking and Firewall | When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined | Documentation |
| Insecure Port Not Properly Set fa4def8c-1898-4a35-a139-7b76b1acdef0 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 | Documentation |
| Etcd Peer TLS Certificate Files Not Properly Set 09bb9e96-8da3-4736-b89a-b36814acca60 |
High | Networking and Firewall | When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined | Documentation |
| Etcd TLS Certificate Files Not Properly Set 075ca296-6768-4322-aea2-ba5063b969a9 |
High | Networking and Firewall | When using etcd commands, the '--cert-file' and '--key-file' should be defined | Documentation |
| TSL Connection Certificate Not Setup fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f |
High | Networking and Firewall | TSL Connection Certificate files should be Setup | Documentation |
| Insecure Bind Address Set b9380fd3-5ffe-4d10-9290-13e18e71eee1 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-bind-address' flag should not be set | Documentation |
| Bind Address Not Properly Set 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 |
High | Networking and Firewall | When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 | Documentation |
| Secure Port Set To Zero 3d24b204-b73d-42cb-b0bf-1a5438c5f71e |
High | Networking and Firewall | When using kube-apiserver command, the --secure-port flag should not be 0 | Documentation |
| Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
High | Networking and Firewall | Check if any Tiller Deployment container allows access from within the cluster. | Documentation |
| Kubelet HTTPS Set To False cdc8b54e-6b16-4538-a1b0-35849dbe29cf |
High | Networking and Firewall | When using kube-apiserver command, the '--kubelet-https' flag should not be set to false | Documentation |
| PSP With Unrestricted Access to Host Path de4421f1-4e35-43b4-9783-737dd4e4a47e |
High | Resource Management | PodSecurityPolicy should set 'readOnly' to true in every host path allowed | Documentation |
| Auto TLS Set To True 98ce8b81-7707-4734-aa39-627c6db3d84b |
High | Secret Management | When using etcd commands, the '--auto-tls' should be set to false | Documentation |
| Peer Auto TLS Set To True ae8827e2-4af9-4baa-9998-87539ae0d6f0 |
High | Secret Management | When using etcd commands, the '--peer-auto-tls' should be set to false | Documentation |
| Authorization Mode Set To Always Allow f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 |
Medium | Access Control | When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode | Documentation |
| RBAC Roles with Exec Permission c589f42c-7924-4871-aee2-1cede9bc7cbc |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments | Documentation |
| RBAC Roles with Attach Permission d45330fd-f58d-45fb-a682-6481477a0f84 |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments | Documentation |
| RBAC Roles with Impersonate Permission 9f85c3f6-26fd-4007-938a-2e0cb0100980 |
Medium | Access Control | Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation | Documentation |
| Service Account Admission Control Plugin Disabled 9587c890-0524-40c2-9ce2-663af7c2f063 |
Medium | Access Control | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin | Documentation |
| Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
| RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys | Documentation |
| Anonymous Auth Is Not Set To False 1de5cc51-f376-4638-a940-20f2e85ae238 |
Medium | Access Control | When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) | Documentation |
| Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
| Authorization Mode RBAC Not Set 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e |
Medium | Access Control | When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode | Documentation |
| RBAC Roles with Port-Forwarding Permission 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions | Documentation |
| RBAC Roles Allow Privilege Escalation 8320826e-7a9c-4b0b-9535-578333193432 |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges | Documentation |
| Terminated Pod Garbage Collector Threshold Not Properly Set 49113af4-29ca-458e-b8d4-724c01a4a24f |
Medium | Availability | When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 | Documentation |
| Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Medium | Availability | Check if Readiness Probe is not configured. | Documentation |
| Request Timeout Not Properly Set d89a15bb-8dba-4c71-9529-bef6729b9c09 |
Medium | Availability | When using kube-apiserver command, the '--request-timeout' flag value should not be too long | Documentation |
| Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Medium | Best Practices | Check if containers are running with low UID, which might cause conflicts with the host's user table. | Documentation |
| Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Medium | Best Practices | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise | Documentation |
| Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
| Always Pull Images Admission Control Plugin Not Set a77f4d07-c6e0-4a48-8b35-0eeb51576f4f |
Medium | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| Encryption Provider Config Is Not Defined cbd2db69-0b21-4c14-8a40-7710a50571a9 |
Medium | Encryption | When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file | Documentation |
| Weak TLS Cipher Suites 510d5810-9a30-443a-817d-5c1fa527b110 |
Medium | Encryption | TLS Connection should use strong Cipher Suites | Documentation |
| Root CA File Not Defined 05fb986f-ac73-4ebb-a5b2-7faafa93d882 |
Medium | Encryption | When using kube-controller-manager commands, the '--root-ca-file' should be defined | Documentation |
| Encryption Provider Not Properly Configured 10efce34-5af6-4d83-b414-9e096d5a06a9 |
Medium | Encryption | The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider | Documentation |
| Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory | Documentation |
| PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
| Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
| NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities | Documentation |
| PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged. | Documentation |
| PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
| Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Medium | Insecure Configurations | Containers should not have extra capabilities allowed | Documentation |
| Security Context Deny Admission Control Plugin Not Set 6a68bebe-c021-492e-8ddb-55b0567fb768 |
Medium | Insecure Configurations | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set | Documentation |
| Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls | Documentation |
| Using Unrecommended Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used | Documentation |
| Kubelet Protect Kernel Defaults Set To False 6cf42c97-facd-4fda-b8af-ea4529123355 |
Medium | Insecure Configurations | --protect-kernel-defaults should be set to true | Documentation |
| Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
| Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. | Documentation |
| PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
| Not Limited Capabilities For Container 2f1a0619-b12b-48a0-825f-993bb6f01d58 |
Medium | Insecure Configurations | Limit the capabilities for a Container. | Documentation |
| PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace | Documentation |
| Authorization Mode Node Not Set 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 |
Medium | Insecure Configurations | When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode | Documentation |
| Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
| Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. | Documentation |
| Kubelet Streaming Connection Timeout Disabled ed89b97d-04e9-4fd4-919f-ee5b27e555e9 |
Medium | Networking and Firewall | The flag --streaming-connection-idle-timeout should not be set to 0 | Documentation |
| CNI Plugin Does Not Support Network Policies 03aabc8c-35d6-481e-9c85-20139cf72d23 |
Medium | Networking and Firewall | Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster | Documentation |
| Kubelet Read Only Port Is Not Set To Zero 2940d48a-dc5e-4178-a3f8-bfbd80720b41 |
Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) | Documentation |
| Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Medium | Networking and Firewall | Check if any pod is not being targeted by a proper network policy. | Documentation |
| Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
| Service With External Load Balance 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
| Kubelet Not Managing Ip Tables 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 |
Medium | Networking and Firewall | Kubelet argument --make-iptables-util-chains should be true | Documentation |
| Audit Log Path Not Set 73e251f0-363d-4e53-86e2-0a93592437eb |
Medium | Observability | When using kube-apiserver command, the 'audit-log-path' flag should be defined | Documentation |
| Audit Policy File Not Defined 13a49a2e-488e-4309-a7c0-d6b05577a5fb |
Medium | Observability | When using kube-apiserver command, the '--audit-policy-file' flag should be defined | Documentation |
| Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory | Documentation |
| CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
| Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
Medium | Resource Management | Container should not share the host IPC namespace | Documentation |
| Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes | Documentation |
| CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
| Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
Medium | Resource Management | Container should not share the host network namespace | Documentation |
| Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
| Kubelet Client Certificate Or Key Not Set 36a27826-1bf5-49da-aeb0-a60a30c0e834 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set | Documentation |
| Etcd Client Certificate File Not Defined 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 |
Medium | Secret Management | When using kube-apiserver commands, the '--etcd-cafile' flag should be defined | Documentation |
| Kubelet Certificate Authority Not Set ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set | Documentation |
| Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
| Etcd Peer Client Certificate Authentication Set To False b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff |
Medium | Secret Management | When using etcd commands, the '--peer-client-cert-auth' flag should be set to true | Documentation |
| ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Medium | Secret Management | Roles and ClusterRoles when binded, should not use get, list or watch as verbs | Documentation |
| Etcd Client Certificate Authentication Set To False 9391103a-d8d7-4671-ac5d-606ba7ccb0ac |
Medium | Secret Management | When using etcd commands, the '--client-cert-auth' flag should be defined | Documentation |
| Service Account Key File Not Properly Set dab4ec72-ce2e-4732-b7c3-1757dcce01a1 |
Medium | Secret Management | When using kube-apiserver command, the '--service-account-key-file' flag should be defined | Documentation |
| Not Unique Certificate Authority cb7e695d-6a85-495c-b15f-23aed2519303 |
Medium | Secret Management | Certificate Authority should be unique for etcd | Documentation |
| Rotate Kubelet Server Certificate Not Active 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 |
Medium | Secret Management | The RotateKubeletServerCertificate argument should be true | Documentation |
| Kubelet Client Periodic Certificate Switch Disabled 52d70f2e-3257-474c-b3dc-8ad9ba6a061a |
Medium | Secret Management | Kubelet argument --rotate-certificates should be true | Documentation |
| Missing AppArmor Profile 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources | Documentation |
| Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
| Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it | Documentation |
| HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Low | Availability | The Horizontal Pod Autoscale must target a valid object | Documentation |
| Event Rate Limit Admission Control Plugin Not Set e0099af2-fe17-411f-9991-0de28fe15f3c |
Low | Availability | When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. | Documentation |
| HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Low | Availability | Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set | Documentation |
| Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
| No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context | Documentation |
| Root Container Not Mounted Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Low | Build Process | Check if the root container filesystem is not being mounted read-only. | Documentation |
| Namespace Lifecycle Admission Control Plugin Disabled 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 |
Low | Build Process | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin | Documentation |
| Image Policy Webhook Admission Control Plugin Not Set 14abda69-8e91-4acb-9931-76e2bee90284 |
Low | Build Process | When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
| StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Low | Build Process | A StatefulSet requests volume storage. | Documentation |
| Pod or Container Without ResourceQuota 48a5beba-e4c0-4584-a2aa-e6894e4cf424 |
Low | Insecure Configurations | Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume | Documentation |
| Kubelet Hostname Override Is Set bf36b900-b5ef-4828-adb7-70eb543b7cfb |
Low | Insecure Configurations | Hostnames should not be overrided | Documentation |
| Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Low | Insecure Configurations | If not needed, disabling the dashboard can prevent from being used as an attack vector | Documentation |
| Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Low | Insecure Configurations | Service should Target a Pod | Documentation |
| Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
| Pod or Container Without LimitRange 4a20ebac-1060-4c81-95d1-1f7f620e983b |
Low | Insecure Configurations | Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
| Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity | Documentation |
| Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Low | Networking and Firewall | Service type should not be NodePort | Documentation |
| Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified | Documentation |
| Audit Log Maxsize Not Properly Set 35c0a471-f7c8-4993-aa2c-503a3c712a66 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes | Documentation |
| Audit Log Maxbackup Not Properly Set 768aab52-2504-4a2f-a3e3-329d5a679848 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files | Documentation |
| Kubelet Event QPS Not Properly Set 1a07a446-8e61-4e4d-bc16-b0781fcb8211 |
Low | Observability | When using the kubelet command, the '--event-qps' should be set to 0 | Documentation |
| Profiling Not Set To False 2f491173-6375-4a84-b28e-a4e2b9a58a69 |
Low | Observability | When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false | Documentation |
| Audit Policy Not Cover Key Security Concerns 1828a670-5957-4bc5-9974-47da228f75e2 |
Low | Observability | Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies | Documentation |
| Audit Log Maxage Not Properly Set da9f3aa8-fbfb-472f-b5a1-576127944218 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days | Documentation |
| Container Requests Not Equal To It's Limits aee3c7d2-a811-4201-90c7-11c028be9a46 |
Low | Resource Management | Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively | Documentation |
| Container CPU Requests Not Equal To It's Limits 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 |
Low | Resource Management | A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. | Documentation |
| Container Memory Requests Not Equal To It's Limits aafa7d94-62de-4fbf-8838-b69ee217b0e6 |
Low | Resource Management | A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. | Documentation |
| StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Low | Resource Management | Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined | Documentation |
| Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Low | Secret Management | Container should not use secrets as environment variables | Documentation |
| Invalid Image Tag 583053b7-e632-46f0-b989-f81ff8045385 |
Low | Supply-Chain | Image tag must be defined and not be empty or equal to latest. | Documentation |
| Ensure Administrative Boundaries Between Resources e84eaf4d-2f45-47b2-abe8-e581b06deb66 |
Info | Access Control | As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. | Documentation |
| Using Kubernetes Native Secret Management b9c83569-459b-4110-8f79-6305aa33cb37 |
Info | Secret Management | Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited | Documentation |