Kubernetes Queries List

This page lists all queries for the Kubernetes platform. Each entry gives the query name on one line, followed by its severity, category and description on the next.

Node Restriction Admission Control Plugin Not Set
High | Access Control | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'NodeRestriction' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
Token Auth File Is Set
High | Access Control | When using the kube-apiserver command, the '--token-auth-file' flag should not be set.
Service Account Lookup Set To False
High | Access Control | When using the kube-apiserver command, the '--service-account-lookup' flag should be set to true.
Use Service Account Credentials Not Set To True
High | Access Control | When using kube-controller-manager commands, the '--use-service-account-credentials' flag should be set to true.
Basic Auth File Is Set
High | Access Control | When using the kube-apiserver command, the '--basic-auth-file' flag should not be set.
Client Certificate Authentication Not Set Up Properly
High | Access Control | Client certificate authentication should be set up with a .pem or .crt file.
Always Admit Admission Control Plugin Set
High | Access Control | When using the kube-apiserver command, the '--enable-admission-plugins' flag should not include the 'AlwaysAdmit' plugin.
RBAC Wildcard In Rule
High | Access Control | Roles and ClusterRoles with wildcard RBAC permissions grant excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends specifying only the set of objects and actions actually needed.
Pod Security Policy Admission Control Plugin Not Set
High | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'PodSecurityPolicy' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
Service Account Private Key File Not Defined
High | Encryption | When using kube-controller-manager commands, the '--service-account-private-key-file' flag should be defined.
Tiller Service Is Not Deleted
High | Insecure Configurations | Checks whether any Tiller Service is present.
Cluster Allows Unsafe Sysctls
High | Insecure Configurations | A Kubernetes cluster must not allow unsafe sysctls, to prevent a pod from influencing any other pod on the node, harming the node's health, or gaining CPU or memory resources outside its own resource limits. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.
PSP Allows Containers To Share The Host Network Namespace
High | Insecure Configurations | Checks whether Pod Security Policies allow containers to share the host network namespace.
Shared Host PID Namespace
High | Insecure Configurations | Containers should not share the host process ID namespace.
Not Limited Capabilities For Pod Security Policy
High | Insecure Configurations | Limit the capabilities allowed by a Pod Security Policy.
Privilege Escalation Allowed
High | Insecure Configurations | Containers should not run with 'allowPrivilegeEscalation' enabled, in order to prevent them from gaining more privileges than their parent process.
Container Is Privileged
High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or setting its value to false.
Tiller (Helm v2) Is Deployed
High | Insecure Configurations | Checks whether Tiller is deployed.
Role Binding To Default Service Account
High | Insecure Defaults | No Role or ClusterRole should be bound to a default service account.
Kubelet HTTPS Set To False
High | Networking and Firewall | When using the kube-apiserver command, the '--kubelet-https' flag should not be set to false.
Secure Port Set To Zero
High | Networking and Firewall | When using the kube-apiserver command, the '--secure-port' flag should not be 0.
Insecure Port Not Properly Set
High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-port' flag should be defined and set to 0.
Etcd Peer TLS Certificate Files Not Properly Set
High | Networking and Firewall | When using etcd commands, the '--peer-cert-file' and '--peer-key-file' flags should be defined.
Etcd TLS Certificate Not Properly Configured
High | Networking and Firewall | When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined.
Etcd TLS Certificate Files Not Properly Set
High | Networking and Firewall | When using etcd commands, the '--cert-file' and '--key-file' flags should be defined.
Tiller Deployment Is Accessible From Within The Cluster
High | Networking and Firewall | Checks whether any Tiller Deployment container allows access from within the cluster.
TLS Connection Certificate Not Set Up
High | Networking and Firewall | TLS connection certificate files should be set up.
Bind Address Not Properly Set
High | Networking and Firewall | When using kube-controller-manager or kube-scheduler commands, the '--bind-address' flag should not be set to
Insecure Bind Address Set
High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-bind-address' flag should not be set.
PSP With Unrestricted Access to Host Path
High | Resource Management | A PodSecurityPolicy should set 'readOnly' to true for every allowed host path.
Auto TLS Set To True
High | Secret Management | When using etcd commands, the '--auto-tls' flag should be set to false.
Peer Auto TLS Set To True
High | Secret Management | When using etcd commands, the '--peer-auto-tls' flag should be set to false.
RBAC Roles with Impersonate Permission
Medium | Access Control | Roles or ClusterRoles with the 'impersonate' permission allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation.
RBAC Roles with Read Secrets Permissions
Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes Secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data such as passwords, tokens and keys.
RBAC Roles with Port-Forwarding Permission
Medium | Access Control | Roles or ClusterRoles with RBAC permission to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions.
Permissive Access to Create Pods
Medium | Access Control | The permission to create pods in a cluster should be restricted, because it allows privilege escalation.
Service Account Admission Control Plugin Disabled
Medium | Access Control | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'ServiceAccount' plugin.
Authorization Mode RBAC Not Set
Medium | Access Control | When using the kube-apiserver command, the '--authorization-mode' flag should include 'RBAC' mode.
Authorization Mode Set To Always Allow
Medium | Access Control | When using the kubelet command, the '--authorization-mode' flag should not be set to 'AlwaysAllow' mode.
RBAC Roles Allow Privilege Escalation
Medium | Access Control | Roles or ClusterRoles with the RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges.
RBAC Roles with Exec Permission
Medium | Access Control | Roles or ClusterRoles with RBAC permission to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' permission should not be granted in production environments.
Anonymous Auth Is Not Set To False
Medium | Access Control | When using the kubelet or kube-apiserver command, the '--anonymous-auth' flag should be set to false (--anonymous-auth=false).
RBAC Roles with Attach Permission
Medium | Access Control | Roles or ClusterRoles with RBAC permission to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container, resulting in privilege escalation. To prevent this, the 'pods/attach' permission should not be granted in production environments.
Non Kube System Pod With Host Mount
Medium | Access Control | A non-kube-system workload should not have a hostPath volume mounted.
Readiness Probe Is Not Configured
Medium | Availability | Checks whether a readiness probe is not configured.
Request Timeout Not Properly Set
Medium | Availability | When using the kube-apiserver command, the '--request-timeout' flag value should not be too long.
Terminated Pod Garbage Collector Threshold Not Properly Set
Medium | Availability | When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' flag should be set between 0 and 12501.
Container Running As Root
Medium | Best Practices | Containers should only run as a non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise.
Container Running With Low UID
Medium | Best Practices | Checks whether containers are running with a low UID, which might cause conflicts with the host's user table.
Root Containers Admitted
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged', 'allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden.
Always Pull Images Admission Control Plugin Not Set
Medium | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'AlwaysPullImages' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
Incorrect Volume Claim Access Mode ReadWriteOnce
Medium | Build Process | Kubernetes StatefulSets must have one volume claim template with the access mode 'ReadWriteOnce'.
Weak TLS Cipher Suites
Medium | Encryption | TLS connections should use strong cipher suites.
Encryption Provider Config Is Not Defined
Medium | Encryption | When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and encryption should be correctly configured in the EncryptionConfiguration file.
Encryption Provider Not Properly Configured
Medium | Encryption | The EncryptionConfiguration should be configured with at least one 'aescbc', 'kms' or 'secretbox' provider.
Root CA File Not Defined
Medium | Encryption | When using kube-controller-manager commands, the '--root-ca-file' flag should be defined.
PSP With Added Capabilities
Medium | Insecure Configurations | A PodSecurityPolicy should not have added capabilities.
NET_RAW Capabilities Not Being Dropped
Medium | Insecure Configurations | Containers should drop 'ALL' or at least the 'NET_RAW' capability.
Containers With Sys Admin Capabilities
Medium | Insecure Configurations | Containers should not have the CAP_SYS_ADMIN Linux capability.
PSP Allows Sharing Host IPC
Medium | Insecure Configurations | The Pod Security Policy allows containers to share the host IPC namespace.
Not Limited Capabilities For Container
Medium | Insecure Configurations | Limit the capabilities of a container.
Workload Mounting With Sensitive OS Directory
Medium | Insecure Configurations | The workload mounts a volume with a sensitive OS directory.
PSP Set To Privileged
Medium | Insecure Configurations | Do not allow pods to request execution as privileged.
Ingress Controller Exposes Workload
Medium | Insecure Configurations | Ingress controllers should not expose workloads, in order to avoid vulnerabilities and DoS attacks.
Containers With Added Capabilities
Medium | Insecure Configurations | Containers should not have extra capabilities allowed.
PSP Allows Privilege Escalation
Medium | Insecure Configurations | A PodSecurityPolicy should not allow privilege escalation.
Security Context Deny Admission Control Plugin Not Set
Medium | Insecure Configurations | When using the kube-apiserver command and the 'PodSecurityPolicy' plugin is not set, the '--enable-admission-plugins' flag should include the 'SecurityContextDeny' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
Seccomp Profile Is Not Configured
Medium | Insecure Configurations | Containers should be configured with a secure seccomp profile to restrict potentially dangerous syscalls.
Using Unrecommended Namespace
Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used.
PSP Allows Sharing Host PID
Medium | Insecure Configurations | The Pod Security Policy allows containers to share the host process ID namespace.
Authorization Mode Node Not Set
Medium | Insecure Configurations | When using the kube-apiserver command, the '--authorization-mode' flag should include 'Node' mode.
Kubelet Protect Kernel Defaults Set To False
Medium | Insecure Configurations | The '--protect-kernel-defaults' flag should be set to true.
NET_RAW Capabilities Disabled for PSP
Medium | Insecure Configurations | Containers need to have 'NET_RAW' or 'ALL' among their dropped capabilities.
Container Runs Unmasked
Medium | Insecure Configurations | Checks whether a container has full (unmasked) access to the host's /proc, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.
Service Account Token Automount Not Disabled
Medium | Insecure Defaults | Service account tokens are automatically mounted even when not necessary.
Service Account Name Undefined Or Empty
Medium | Insecure Defaults | A Kubernetes Pod should have a service account defined so as to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.
Kubelet Not Managing Ip Tables
Medium | Networking and Firewall | The kubelet argument '--make-iptables-util-chains' should be true.
Kubelet Streaming Connection Timeout Disabled
Medium | Networking and Firewall | The '--streaming-connection-idle-timeout' flag should not be set to 0.
Pod Misconfigured Network Policy
Medium | Networking and Firewall | Checks whether any pod is not targeted by a proper network policy.
Network Policy Is Not Targeting Any Pod
Medium | Networking and Firewall | Checks whether any network policy does not target any pod.
Service With External Load Balancer
Medium | Networking and Firewall | The Service has an external load balancer, which may make it accessible from other networks and the Internet.
Kubelet Read Only Port Is Not Set To Zero
Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0).
CNI Plugin Does Not Support Network Policies
Medium | Networking and Firewall | Ensure the use of a CNI plugin that supports network policies. If the CNI plugin in use does not support network policies, it may not be possible to effectively restrict traffic in the cluster.
Audit Log Path Not Set
Medium | Observability | When using the kube-apiserver command, the '--audit-log-path' flag should be defined.
Audit Policy File Not Defined
Medium | Observability | When using the kube-apiserver command, the '--audit-policy-file' flag should be defined.
CPU Limits Not Set
Medium | Resource Management | CPU limits should be set, because if the system has free CPU time, a container is guaranteed to be allocated as much CPU as it requests.
Shared Host Network Namespace
Medium | Resource Management | Containers should not share the host network namespace.
Memory Limits Not Defined
Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory.
CPU Requests Not Set
Medium | Resource Management | CPU requests should be set to ensure that the sum of the resource requests of the scheduled containers is less than the capacity of the node.
Volume Mount With OS Directory Write Permissions
Medium | Resource Management | Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configuration and binaries.
Shared Host IPC Namespace
Medium | Resource Management | Containers should not share the host IPC namespace.
Memory Requests Not Defined
Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes.
Etcd Client Certificate File Not Defined
Medium | Secret Management | When using kube-apiserver commands, the '--etcd-cafile' flag should be defined.
ServiceAccount Allows Access Secrets
Medium | Secret Management | Roles and ClusterRoles, when bound, should not use get, list or watch as verbs.
Kubelet Certificate Authority Not Set
Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-certificate-authority' flag should be set.
Not Unique Certificate Authority
Medium | Secret Management | The certificate authority should be unique for etcd.
Service Account Key File Not Properly Set
Medium | Secret Management | When using the kube-apiserver command, the '--service-account-key-file' flag should be defined.
Etcd Peer Client Certificate Authentication Set To False
Medium | Secret Management | When using etcd commands, the '--peer-client-cert-auth' flag should be set to true.
Shared Service Account
Medium | Secret Management | A service account token is shared between workloads.
Etcd Client Certificate Authentication Set To False
Medium | Secret Management | When using etcd commands, the '--client-cert-auth' flag should be defined.
Rotate Kubelet Server Certificate Not Active
Medium | Secret Management | The 'RotateKubeletServerCertificate' argument should be true.
Kubelet Client Certificate Or Key Not Set
Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-client-key' and '--kubelet-client-certificate' flags should be set.
Kubelet Client Periodic Certificate Switch Disabled
Medium | Secret Management | The kubelet argument '--rotate-certificates' should be true.
Docker Daemon Socket is Exposed to Containers
Low | Access Control | Checks whether the Docker daemon socket is exposed to containers.
Cluster Admin Rolebinding With Superuser Permissions
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC).
Missing AppArmor Profile
Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources.
Deployment Without PodDisruptionBudget
Low | Availability | Deployments should be assigned a PodDisruptionBudget to ensure high availability.
StatefulSet Without PodDisruptionBudget
Low | Availability | StatefulSets should be assigned a PodDisruptionBudget to ensure high availability.
HPA Targets Invalid Object
Low | Availability | The HorizontalPodAutoscaler must target a valid object.
StatefulSet Without Service Name
Low | Availability | StatefulSets should reference an existing headless Service in 'serviceName'. The headless Service's labels should also be applied to the StatefulSet's labels.
Event Rate Limit Admission Control Plugin Not Set
Low | Availability | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'EventRateLimit' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
HPA Targeted Deployments With Configured Replica Count
Low | Availability | Deployments targeted by a HorizontalPodAutoscaler should not have a statically configured replica count.
Liveness Probe Is Not Defined
Low | Availability | In case of an unresponsive container, a liveness probe can help your application become more available, since it restarts the container. However, it can lead to cascading failures. Define one only if you really need it.
Metadata Label Is Invalid
Low | Best Practices | Checks whether any label in the metadata is invalid.
No Drop Capabilities for Containers
Low | Best Practices | Checks whether dropped capabilities are defined in the container's security context.
Object Is Using A Deprecated API Version
Low | Best Practices | Kubernetes APIs evolve over time and are sometimes removed in newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.
Image Policy Webhook Admission Control Plugin Not Set
Low | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'ImagePolicyWebhook' plugin, and the plugin should be correctly configured in the AdmissionControl config file.
Namespace Lifecycle Admission Control Plugin Disabled
Low | Build Process | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'NamespaceLifecycle' plugin.
Root Container Not Mounted Read-only
Low | Build Process | Checks whether the container's root filesystem is not mounted read-only.
StatefulSet Requests Storage
Low | Build Process | A StatefulSet requests volume storage.
Service Does Not Target Pod
Low | Insecure Configurations | A Service should target a Pod.
Image Pull Policy Of The Container Is Not Set To Always
Low | Insecure Configurations | The image pull policy of the container must be defined and set to Always.
Kubelet Hostname Override Is Set
Low | Insecure Configurations | Hostnames should not be overridden.
Pod or Container Without LimitRange
Low | Insecure Configurations | Each namespace should have an associated LimitRange policy to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries.
Image Without Digest
Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity.
Dashboard Is Enabled
Low | Insecure Configurations | If not needed, disabling the dashboard prevents it from being used as an attack vector.
Pod or Container Without ResourceQuota
Low | Insecure Configurations | Each namespace should have an associated ResourceQuota policy to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume.
Pod or Container Without Security Context
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container.
Workload Host Port Not Specified
Low | Networking and Firewall | Verifies whether a Kubernetes workload's host port is specified.
Service Type is NodePort
Low | Networking and Firewall | The Service type should not be NodePort.
Audit Log Maxbackup Not Properly Set
Low | Observability | When using the kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files.
Profiling Not Set To False
Low | Observability | When using the kube-apiserver, kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false.
Audit Policy Not Cover Key Security Concerns
Low | Observability | The audit policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies.
Audit Log Maxsize Not Properly Set
Low | Observability | When using the kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more megabytes.
Audit Log Maxage Not Properly Set
Low | Observability | When using the kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days.
Kubelet Event QPS Not Properly Set
Low | Observability | When using the kubelet command, the '--event-qps' flag should be set to 0.
StatefulSet Has No PodAntiAffinity
Low | Resource Management | Checks whether StatefulSet resources lack a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
Container CPU Requests Not Equal To Its Limits
Low | Resource Management | A Pod's containers must have the same CPU requests as limits, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.cpu' must equal 'limits.cpu', and both must be defined.
Deployment Has No PodAntiAffinity
Low | Resource Management | Checks whether Deployment resources lack a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
Container Memory Requests Not Equal To Its Limits
Low | Resource Management | A Pod's containers must have the same memory requests as limits, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.memory' must equal 'limits.memory', and both must be defined.
CronJob Deadline Not Configured
Low | Resource Management | CronJobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined.
Container Requests Not Equal To Its Limits
Low | Resource Management | Containers must have the same resource requests as limits. This is recommended to avoid resource DDoS of the node during spikes, and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively.
Secrets As Environment Variables
Low | Secret Management | Containers should not use Secrets as environment variables.
Invalid Image Tag
Low | Supply-Chain | The image tag must be defined and must not be empty or equal to 'latest'.
Ensure Administrative Boundaries Between Resources
Info | Access Control | As a best practice, ensure that namespaces are used correctly to adequately administer your resources. Kubernetes authorization plugins can also be used to create policies that segregate user access to namespaces.
Using Kubernetes Native Secret Management
Info | Secret Management | Consider using an external secret storage and management system if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to Secrets is carefully limited.