Kubernetes
Kubernetes Queries List¶
This page contains all queries from Kubernetes.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
High | Access Control | Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more) | Documentation |
| Service Account Lookup Set To False a5530bd7-225a-48f9-91bb-f40b04200165 |
High | Access Control | When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more) | Documentation |
| Always Admit Admission Control Plugin Set ce30e584-b33f-4c7d-b418-a3d7027f8f60 |
High | Access Control | When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more) | Documentation |
| Token Auth File Is Set 32ecd76e-7bbf-402e-bf48-8b9485749558 |
High | Access Control | When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more) | Documentation |
| Client Certificate Authentication Not Setup Properly e0e00aba-5f1c-4981-a542-9a9563c0ee20 |
High | Access Control | Client Certificate Authentication should be Setup with a .pem or .crt file (read more) | Documentation |
| Use Service Account Credentials Not Set To True 1acd93f1-5a37-45c0-aaac-82ece818be7d |
High | Access Control | When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more) | Documentation |
| Node Restriction Admission Control Plugin Not Set 33fc6923-6553-4fe6-9d3a-4efa51eb874b |
High | Access Control | When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more) | Documentation |
| Basic Auth File Is Set 5da47109-f8d6-4585-9e2b-96a8958a12f5 |
High | Access Control | When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more) | Documentation |
| Pod Security Policy Admission Control Plugin Not Set afa36afb-39fe-4d94-b9b6-afb236f7a03d |
High | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more) | Documentation |
| Service Account Private Key File Not Defined ccc98ff7-68a7-436e-9218-185cb0b0b780 |
High | Encryption | When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more) | Documentation |
| Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
High | Insecure Configurations | Check if there is any Tiller Service present (read more) | Documentation |
| Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more) | Documentation |
| Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more) | Documentation |
| PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. (read more) | Documentation |
| Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
High | Insecure Configurations | Check if Tiller is deployed. (read more) | Documentation |
| Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
High | Insecure Configurations | Limit capabilities for a Pod Security Policy (read more) | Documentation |
| Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more) | Documentation |
| Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
High | Insecure Configurations | Container should not share the host process ID namespace (read more) | Documentation |
| Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
High | Insecure Defaults | No role nor cluster role should bind to a default service account (read more) | Documentation |
| Kubelet HTTPS Set To False cdc8b54e-6b16-4538-a1b0-35849dbe29cf |
High | Networking and Firewall | When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more) | Documentation |
| Secure Port Set To Zero 3d24b204-b73d-42cb-b0bf-1a5438c5f71e |
High | Networking and Firewall | When using kube-apiserver command, the --secure-port flag should not be 0 (read more) | Documentation |
| Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
High | Networking and Firewall | Check if any Tiller Deployment container allows access from within the cluster. (read more) | Documentation |
| Etcd Peer TLS Certificate Files Not Properly Set 09bb9e96-8da3-4736-b89a-b36814acca60 |
High | Networking and Firewall | When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more) | Documentation |
| Etcd TLS Certificate Not Properly Configured 895a5a95-3756-4b04-9924-2f3bc93181bd |
High | Networking and Firewall | When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more) | Documentation |
| TSL Connection Certificate Not Setup fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f |
High | Networking and Firewall | TSL Connection Certificate files should be Setup (read more) | Documentation |
| Etcd TLS Certificate Files Not Properly Set 075ca296-6768-4322-aea2-ba5063b969a9 |
High | Networking and Firewall | When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more) | Documentation |
| Bind Address Not Properly Set 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 |
High | Networking and Firewall | When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more) | Documentation |
| Insecure Port Not Properly Set fa4def8c-1898-4a35-a139-7b76b1acdef0 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more) | Documentation |
| Insecure Bind Address Set b9380fd3-5ffe-4d10-9290-13e18e71eee1 |
High | Networking and Firewall | When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more) | Documentation |
| PSP With Unrestricted Access to Host Path de4421f1-4e35-43b4-9783-737dd4e4a47e |
High | Resource Management | PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more) | Documentation |
| Auto TLS Set To True 98ce8b81-7707-4734-aa39-627c6db3d84b |
High | Secret Management | When using etcd commands, the '--auto-tls' should be set to false (read more) | Documentation |
| Peer Auto TLS Set To True ae8827e2-4af9-4baa-9998-87539ae0d6f0 |
High | Secret Management | When using etcd commands, the '--peer-auto-tls' should be set to false (read more) | Documentation |
| Authorization Mode Set To Always Allow f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 |
Medium | Access Control | When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more) | Documentation |
| Anonymous Auth Is Not Set To False 1de5cc51-f376-4638-a940-20f2e85ae238 |
Medium | Access Control | When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more) | Documentation |
| Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more) | Documentation |
| RBAC Roles Allow Privilege Escalation 8320826e-7a9c-4b0b-9535-578333193432 |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more) | Documentation |
| RBAC Roles with Exec Permission c589f42c-7924-4871-aee2-1cede9bc7cbc |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more) | Documentation |
| Authorization Mode RBAC Not Set 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e |
Medium | Access Control | When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more) | Documentation |
| Service Account Admission Control Plugin Disabled 9587c890-0524-40c2-9ce2-663af7c2f063 |
Medium | Access Control | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more) | Documentation |
| RBAC Roles with Impersonate Permission 9f85c3f6-26fd-4007-938a-2e0cb0100980 |
Medium | Access Control | Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more) | Documentation |
| RBAC Roles with Port-Forwarding Permission 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more) | Documentation |
| RBAC Roles with Attach Permission d45330fd-f58d-45fb-a682-6481477a0f84 |
Medium | Access Control | Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more) | Documentation |
| Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted (read more) | Documentation |
| RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more) | Documentation |
| Request Timeout Not Properly Set d89a15bb-8dba-4c71-9529-bef6729b9c09 |
Medium | Availability | When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more) | Documentation |
| Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Medium | Availability | Check if Readiness Probe is not configured. (read more) | Documentation |
| Terminated Pod Garbage Collector Threshold Not Properly Set 49113af4-29ca-458e-b8d4-724c01a4a24f |
Medium | Availability | When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more) | Documentation |
| Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Medium | Best Practices | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more) | Documentation |
| Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Medium | Best Practices | Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more) | Documentation |
| Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more) | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more) | Documentation |
| Always Pull Images Admission Control Plugin Not Set a77f4d07-c6e0-4a48-8b35-0eeb51576f4f |
Medium | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more) | Documentation |
| Weak TLS Cipher Suites 510d5810-9a30-443a-817d-5c1fa527b110 |
Medium | Encryption | TLS Connection should use strong Cipher Suites (read more) | Documentation |
| Encryption Provider Config Is Not Defined cbd2db69-0b21-4c14-8a40-7710a50571a9 |
Medium | Encryption | When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more) | Documentation |
| Encryption Provider Not Properly Configured 10efce34-5af6-4d83-b414-9e096d5a06a9 |
Medium | Encryption | The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more) | Documentation |
| Root CA File Not Defined 05fb986f-ac73-4ebb-a5b2-7faafa93d882 |
Medium | Encryption | When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more) | Documentation |
| Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more) | Documentation |
| NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
Medium | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more) | Documentation |
| PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace (read more) | Documentation |
| PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities (read more) | Documentation |
| Not Limited Capabilities For Container 2f1a0619-b12b-48a0-825f-993bb6f01d58 |
Medium | Insecure Configurations | Limit the capabilities for a Container. (read more) | Documentation |
| PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation (read more) | Documentation |
| Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more) | Documentation |
| Authorization Mode Node Not Set 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 |
Medium | Insecure Configurations | When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more) | Documentation |
| Kubelet Protect Kernel Defaults Set To False 6cf42c97-facd-4fda-b8af-ea4529123355 |
Medium | Insecure Configurations | --protect-kernel-defaults should be set to true (read more) | Documentation |
| Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Medium | Insecure Configurations | Containers should not have extra capabilities allowed (read more) | Documentation |
| Using Unrecommended Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more) | Documentation |
| PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace (read more) | Documentation |
| Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more) | Documentation |
| PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged. (read more) | Documentation |
| Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory (read more) | Documentation |
| Security Context Deny Admission Control Plugin Not Set 6a68bebe-c021-492e-8ddb-55b0567fb768 |
Medium | Insecure Configurations | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more) | Documentation |
| Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability (read more) | Documentation |
| NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities (read more) | Documentation |
| Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary (read more) | Documentation |
| Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more) | Documentation |
| CNI Plugin Does Not Support Network Policies 03aabc8c-35d6-481e-9c85-20139cf72d23 |
Medium | Networking and Firewall | Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more) | Documentation |
| Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. (read more) | Documentation |
| Service With External Load Balancer 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more) | Documentation |
| Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Medium | Networking and Firewall | Check if any pod is not being targeted by a proper network policy. (read more) | Documentation |
| Kubelet Streaming Connection Timeout Disabled ed89b97d-04e9-4fd4-919f-ee5b27e555e9 |
Medium | Networking and Firewall | The flag --streaming-connection-idle-timeout should not be set to 0 (read more) | Documentation |
| Kubelet Not Managing Ip Tables 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 |
Medium | Networking and Firewall | Kubelet argument --make-iptables-util-chains should be true (read more) | Documentation |
| Kubelet Read Only Port Is Not Set To Zero 2940d48a-dc5e-4178-a3f8-bfbd80720b41 |
Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more) | Documentation |
| Audit Log Path Not Set 73e251f0-363d-4e53-86e2-0a93592437eb |
Medium | Observability | When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more) | Documentation |
| Audit Policy File Not Defined 13a49a2e-488e-4309-a7c0-d6b05577a5fb |
Medium | Observability | When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more) | Documentation |
| Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
Medium | Resource Management | Container should not share the host network namespace (read more) | Documentation |
| Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more) | Documentation |
| Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more) | Documentation |
| Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more) | Documentation |
| CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more) | Documentation |
| CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more) | Documentation |
| Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
Medium | Resource Management | Container should not share the host IPC namespace (read more) | Documentation |
| Etcd Client Certificate File Not Defined 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 |
Medium | Secret Management | When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more) | Documentation |
| ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Medium | Secret Management | Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more) | Documentation |
| Kubelet Client Periodic Certificate Switch Disabled 52d70f2e-3257-474c-b3dc-8ad9ba6a061a |
Medium | Secret Management | Kubelet argument --rotate-certificates should be true (read more) | Documentation |
| Etcd Client Certificate Authentication Set To False 9391103a-d8d7-4671-ac5d-606ba7ccb0ac |
Medium | Secret Management | When using etcd commands, the '--client-cert-auth' flag should be defined (read more) | Documentation |
| Service Account Key File Not Properly Set dab4ec72-ce2e-4732-b7c3-1757dcce01a1 |
Medium | Secret Management | When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more) | Documentation |
| Rotate Kubelet Server Certificate Not Active 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 |
Medium | Secret Management | The RotateKubeletServerCertificate argument should be true (read more) | Documentation |
| Kubelet Client Certificate Or Key Not Set 36a27826-1bf5-49da-aeb0-a60a30c0e834 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more) | Documentation |
| Not Unique Certificate Authority cb7e695d-6a85-495c-b15f-23aed2519303 |
Medium | Secret Management | Certificate Authority should be unique for etcd (read more) | Documentation |
| Etcd Peer Client Certificate Authentication Set To False b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff |
Medium | Secret Management | When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more) | Documentation |
| Kubelet Certificate Authority Not Set ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 |
Medium | Secret Management | When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more) | Documentation |
| Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Medium | Secret Management | A Service Account token is shared between workloads (read more) | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) (read more) | Documentation |
| Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers (read more) | Documentation |
| Missing AppArmor Profile 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more) | Documentation |
| Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more) | Documentation |
| Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more) | Documentation |
| Event Rate Limit Admission Control Plugin Not Set e0099af2-fe17-411f-9991-0de28fe15f3c |
Low | Availability | When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more) | Documentation |
| HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Low | Availability | The Horizontal Pod Autoscaler must target a valid object (read more) | Documentation |
| StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more) | Documentation |
| HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Low | Availability | Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more) | Documentation |
| StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more) | Documentation |
| No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more) | Documentation |
| Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
Low | Best Practices | Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more) | Documentation |
| Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Low | Best Practices | Check if any label in the metadata is invalid. (read more) | Documentation |
| Namespace Lifecycle Admission Control Plugin Disabled 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 |
Low | Build Process | When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more) | Documentation |
| Image Policy Webhook Admission Control Plugin Not Set 14abda69-8e91-4acb-9931-76e2bee90284 |
Low | Build Process | When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more) | Documentation |
| StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Low | Build Process | A StatefulSet requests volume storage. (read more) | Documentation |
| Root Container Not Mounted Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Low | Build Process | Check if the root container filesystem is not being mounted read-only. (read more) | Documentation |
| Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container (read more) | Documentation |
| Kubelet Hostname Override Is Set bf36b900-b5ef-4828-adb7-70eb543b7cfb |
Low | Insecure Configurations | Hostnames should not be overrided (read more) | Documentation |
| Pod or Container Without ResourceQuota 48a5beba-e4c0-4584-a2aa-e6894e4cf424 |
Low | Insecure Configurations | Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more) | Documentation |
| Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Low | Insecure Configurations | If not needed, disabling the dashboard can prevent from being used as an attack vector (read more) | Documentation |
| Pod or Container Without LimitRange 4a20ebac-1060-4c81-95d1-1f7f620e983b |
Low | Insecure Configurations | Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more) | Documentation |
| Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Low | Insecure Configurations | Service should Target a Pod (read more) | Documentation |
| Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity (read more) | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always (read more) | Documentation |
| Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Low | Networking and Firewall | Service type should not be NodePort (read more) | Documentation |
| Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified (read more) | Documentation |
| Audit Policy Not Cover Key Security Concerns 1828a670-5957-4bc5-9974-47da228f75e2 |
Low | Observability | Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more) | Documentation |
| Audit Log Maxsize Not Properly Set 35c0a471-f7c8-4993-aa2c-503a3c712a66 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more) | Documentation |
| Audit Log Maxbackup Not Properly Set 768aab52-2504-4a2f-a3e3-329d5a679848 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more) | Documentation |
| Kubelet Event QPS Not Properly Set 1a07a446-8e61-4e4d-bc16-b0781fcb8211 |
Low | Observability | When using the kubelet command, the '--event-qps' should be set to 0 (read more) | Documentation |
| Audit Log Maxage Not Properly Set da9f3aa8-fbfb-472f-b5a1-576127944218 |
Low | Observability | When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more) | Documentation |
| Profiling Not Set To False 2f491173-6375-4a84-b28e-a4e2b9a58a69 |
Low | Observability | When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more) | Documentation |
| Container Memory Requests Not Equal To It's Limits aafa7d94-62de-4fbf-8838-b69ee217b0e6 |
Low | Resource Management | A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more) | Documentation |
| Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more) | Documentation |
| Container CPU Requests Not Equal To It's Limits 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 |
Low | Resource Management | A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more) | Documentation |
| Container Requests Not Equal To It's Limits aee3c7d2-a811-4201-90c7-11c028be9a46 |
Low | Resource Management | Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more) | Documentation |
| StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Low | Resource Management | Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more) | Documentation |
| CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more) | Documentation |
| Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Low | Secret Management | Container should not use secrets as environment variables (read more) | Documentation |
| Invalid Image Tag 583053b7-e632-46f0-b989-f81ff8045385 |
Low | Supply-Chain | Image tag must be defined and not be empty or equal to latest. (read more) | Documentation |
| Ensure Administrative Boundaries Between Resources e84eaf4d-2f45-47b2-abe8-e581b06deb66 |
Info | Access Control | As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more) | Documentation |
| Using Kubernetes Native Secret Management b9c83569-459b-4110-8f79-6305aa33cb37 |
Info | Secret Management | Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more) | Documentation |