Kubernetes
Kubernetes Queries List¶
This page contains all queries from Kubernetes.
Query | Severity | Category | More info |
---|---|---|---|
Authorization Mode Set To Always Allow f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 |
High | Access Control | Query details Documentation |
Basic Auth File Is Set 5da47109-f8d6-4585-9e2b-96a8958a12f5 |
High | Access Control | Query details Documentation |
Client Certificate Authentication Not Setup Properly e0e00aba-5f1c-4981-a542-9a9563c0ee20 |
High | Access Control | Query details Documentation |
Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
High | Access Control | Query details Documentation |
RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
High | Access Control | Query details Documentation |
Service Account Lookup Set To False a5530bd7-225a-48f9-91bb-f40b04200165 |
High | Access Control | Query details Documentation |
Token Auth File Is Set 32ecd76e-7bbf-402e-bf48-8b9485749558 |
High | Access Control | Query details Documentation |
Pod Security Policy Admission Control Plugin Not Set afa36afb-39fe-4d94-b9b6-afb236f7a03d |
High | Build Process | Query details Documentation |
Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
High | Insecure Configurations | Query details Documentation |
Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
High | Insecure Configurations | Query details Documentation |
Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
High | Insecure Configurations | Query details Documentation |
Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
High | Insecure Configurations | Query details Documentation |
Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
High | Insecure Configurations | Query details Documentation |
PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
High | Insecure Configurations | Query details Documentation |
PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
High | Insecure Configurations | Query details Documentation |
PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
High | Insecure Configurations | Query details Documentation |
PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
High | Insecure Configurations | Query details Documentation |
PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
High | Insecure Configurations | Query details Documentation |
Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
High | Insecure Configurations | Query details Documentation |
Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
High | Insecure Configurations | Query details Documentation |
Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
High | Insecure Configurations | Query details Documentation |
Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
High | Insecure Configurations | Query details Documentation |
Etcd Peer TLS Certificate Files Not Properly Set 09bb9e96-8da3-4736-b89a-b36814acca60 |
High | Networking and Firewall | Query details Documentation |
Insecure Bind Address Set b9380fd3-5ffe-4d10-9290-13e18e71eee1 |
High | Networking and Firewall | Query details Documentation |
Insecure Port Not Properly Set fa4def8c-1898-4a35-a139-7b76b1acdef0 |
High | Networking and Firewall | Query details Documentation |
Secure Port Set To Zero 3d24b204-b73d-42cb-b0bf-1a5438c5f71e |
High | Networking and Firewall | Query details Documentation |
Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
High | Networking and Firewall | Query details Documentation |
PSP With Unrestricted Access to Host Path de4421f1-4e35-43b4-9783-737dd4e4a47e |
High | Resource Management | Query details Documentation |
Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
High | Resource Management | Query details Documentation |
Always Admit Admission Control Plugin Set ce30e584-b33f-4c7d-b418-a3d7027f8f60 |
Medium | Access Control | Query details Documentation |
Anonymous Auth Is Not Set To False 1de5cc51-f376-4638-a940-20f2e85ae238 |
Medium | Access Control | Query details Documentation |
Authorization Mode RBAC Not Set 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e |
Medium | Access Control | Query details Documentation |
Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Medium | Access Control | Query details Documentation |
Node Restriction Admission Control Plugin Not Set 33fc6923-6553-4fe6-9d3a-4efa51eb874b |
Medium | Access Control | Query details Documentation |
Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Medium | Access Control | Query details Documentation |
RBAC Roles Allow Privilege Escalation 8320826e-7a9c-4b0b-9535-578333193432 |
Medium | Access Control | Query details Documentation |
RBAC Roles with Attach Permission d45330fd-f58d-45fb-a682-6481477a0f84 |
Medium | Access Control | Query details Documentation |
RBAC Roles with Exec Permission c589f42c-7924-4871-aee2-1cede9bc7cbc |
Medium | Access Control | Query details Documentation |
RBAC Roles with Impersonate Permission 9f85c3f6-26fd-4007-938a-2e0cb0100980 |
Medium | Access Control | Query details Documentation |
RBAC Roles with Port-Forwarding Permission 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb |
Medium | Access Control | Query details Documentation |
RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Medium | Access Control | Query details Documentation |
Service Account Admission Control Plugin Disabled 9587c890-0524-40c2-9ce2-663af7c2f063 |
Medium | Access Control | Query details Documentation |
Use Service Account Credentials Not Set To True 1acd93f1-5a37-45c0-aaac-82ece818be7d |
Medium | Access Control | Query details Documentation |
Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Medium | Availability | Query details Documentation |
Request Timeout Not Properly Set d89a15bb-8dba-4c71-9529-bef6729b9c09 |
Medium | Availability | Query details Documentation |
Terminated Pod Garbage Collector Threshold Not Properly Set 49113af4-29ca-458e-b8d4-724c01a4a24f |
Medium | Availability | Query details Documentation |
Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Medium | Best Practices | Query details Documentation |
Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Medium | Best Practices | Query details Documentation |
Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Medium | Best Practices | Query details Documentation |
Always Pull Images Admission Control Plugin Not Set a77f4d07-c6e0-4a48-8b35-0eeb51576f4f |
Medium | Build Process | Query details Documentation |
Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Medium | Build Process | Query details Documentation |
Encryption Provider Config Is Not Defined cbd2db69-0b21-4c14-8a40-7710a50571a9 |
Medium | Encryption | Query details Documentation |
Encryption Provider Not Properly Configured 10efce34-5af6-4d83-b414-9e096d5a06a9 |
Medium | Encryption | Query details Documentation |
Root CA File Not Defined 05fb986f-ac73-4ebb-a5b2-7faafa93d882 |
Medium | Encryption | Query details Documentation |
Service Account Private Key File Not Defined ccc98ff7-68a7-436e-9218-185cb0b0b780 |
Medium | Encryption | Query details Documentation |
Weak TLS Cipher Suites 510d5810-9a30-443a-817d-5c1fa527b110 |
Medium | Encryption | Query details Documentation |
Authorization Mode Node Not Set 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 |
Medium | Insecure Configurations | Query details Documentation |
Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Medium | Insecure Configurations | Query details Documentation |
Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Medium | Insecure Configurations | Query details Documentation |
Kubelet Protect Kernel Defaults Set To False 6cf42c97-facd-4fda-b8af-ea4529123355 |
Medium | Insecure Configurations | Query details Documentation |
NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Medium | Insecure Configurations | Query details Documentation |
NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
Medium | Insecure Configurations | Query details Documentation |
PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Medium | Insecure Configurations | Query details Documentation |
Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Medium | Insecure Configurations | Query details Documentation |
Security Context Deny Admission Control Plugin Not Set 6a68bebe-c021-492e-8ddb-55b0567fb768 |
Medium | Insecure Configurations | Query details Documentation |
Using Unrecommended Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Medium | Insecure Configurations | Query details Documentation |
Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
Medium | Insecure Defaults | Query details Documentation |
Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Medium | Insecure Defaults | Query details Documentation |
Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Medium | Insecure Defaults | Query details Documentation |
Auto TLS Set To True 98ce8b81-7707-4734-aa39-627c6db3d84b |
Medium | Networking and Firewall | Query details Documentation |
CNI Plugin Does Not Support Network Policies 03aabc8c-35d6-481e-9c85-20139cf72d23 |
Medium | Networking and Firewall | Query details Documentation |
Etcd TLS Certificate Files Not Properly Set 075ca296-6768-4322-aea2-ba5063b969a9 |
Medium | Networking and Firewall | Query details Documentation |
Etcd TLS Certificate Not Properly Configured 895a5a95-3756-4b04-9924-2f3bc93181bd |
Medium | Networking and Firewall | Query details Documentation |
Kubelet HTTPS Set To False cdc8b54e-6b16-4538-a1b0-35849dbe29cf |
Medium | Networking and Firewall | Query details Documentation |
Kubelet Not Managing Ip Tables 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 |
Medium | Networking and Firewall | Query details Documentation |
Kubelet Read Only Port Is Not Set To Zero 2940d48a-dc5e-4178-a3f8-bfbd80720b41 |
Medium | Networking and Firewall | Query details Documentation |
Kubelet Streaming Connection Timeout Disabled ed89b97d-04e9-4fd4-919f-ee5b27e555e9 |
Medium | Networking and Firewall | Query details Documentation |
Peer Auto TLS Set To True ae8827e2-4af9-4baa-9998-87539ae0d6f0 |
Medium | Networking and Firewall | Query details Documentation |
Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Medium | Networking and Firewall | Query details Documentation |
Service With External Load Balancer 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Medium | Networking and Firewall | Query details Documentation |
TSL Connection Certificate Not Setup fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f |
Medium | Networking and Firewall | Query details Documentation |
Audit Log Path Not Set 73e251f0-363d-4e53-86e2-0a93592437eb |
Medium | Observability | Query details Documentation |
Audit Policy File Not Defined 13a49a2e-488e-4309-a7c0-d6b05577a5fb |
Medium | Observability | Query details Documentation |
Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Medium | Resource Management | Query details Documentation |
Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Medium | Resource Management | Query details Documentation |
Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
Medium | Resource Management | Query details Documentation |
Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
Medium | Resource Management | Query details Documentation |
Etcd Client Certificate Authentication Set To False 9391103a-d8d7-4671-ac5d-606ba7ccb0ac |
Medium | Secret Management | Query details Documentation |
Etcd Client Certificate File Not Defined 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 |
Medium | Secret Management | Query details Documentation |
Etcd Peer Client Certificate Authentication Set To False b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff |
Medium | Secret Management | Query details Documentation |
Kubelet Certificate Authority Not Set ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 |
Medium | Secret Management | Query details Documentation |
Kubelet Client Certificate Or Key Not Set 36a27826-1bf5-49da-aeb0-a60a30c0e834 |
Medium | Secret Management | Query details Documentation |
Kubelet Client Periodic Certificate Switch Disabled 52d70f2e-3257-474c-b3dc-8ad9ba6a061a |
Medium | Secret Management | Query details Documentation |
Not Unique Certificate Authority cb7e695d-6a85-495c-b15f-23aed2519303 |
Medium | Secret Management | Query details Documentation |
Rotate Kubelet Server Certificate Not Active 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 |
Medium | Secret Management | Query details Documentation |
Service Account Key File Not Properly Set dab4ec72-ce2e-4732-b7c3-1757dcce01a1 |
Medium | Secret Management | Query details Documentation |
ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Medium | Secret Management | Query details Documentation |
Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Medium | Secret Management | Query details Documentation |
Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Low | Access Control | Query details Documentation |
Missing AppArmor Profile 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Low | Access Control | Query details Documentation |
Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Low | Availability | Query details Documentation |
Event Rate Limit Admission Control Plugin Not Set e0099af2-fe17-411f-9991-0de28fe15f3c |
Low | Availability | Query details Documentation |
HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Low | Availability | Query details Documentation |
StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Low | Availability | Query details Documentation |
StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Low | Availability | Query details Documentation |
Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Low | Best Practices | Query details Documentation |
No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Low | Best Practices | Query details Documentation |
Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
Low | Best Practices | Query details Documentation |
Image Policy Webhook Admission Control Plugin Not Set 14abda69-8e91-4acb-9931-76e2bee90284 |
Low | Build Process | Query details Documentation |
Namespace Lifecycle Admission Control Plugin Disabled 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 |
Low | Build Process | Query details Documentation |
Root Container Not Mounted Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Low | Build Process | Query details Documentation |
StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Low | Build Process | Query details Documentation |
Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Low | Insecure Configurations | Query details Documentation |
Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Low | Insecure Configurations | Query details Documentation |
Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Low | Insecure Configurations | Query details Documentation |
Kubelet Hostname Override Is Set bf36b900-b5ef-4828-adb7-70eb543b7cfb |
Low | Insecure Configurations | Query details Documentation |
Pod or Container Without LimitRange 4a20ebac-1060-4c81-95d1-1f7f620e983b |
Low | Insecure Configurations | Query details Documentation |
Pod or Container Without ResourceQuota 48a5beba-e4c0-4584-a2aa-e6894e4cf424 |
Low | Insecure Configurations | Query details Documentation |
Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Low | Insecure Configurations | Query details Documentation |
Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Low | Insecure Configurations | Query details Documentation |
Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Low | Networking and Firewall | Query details Documentation |
Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Low | Networking and Firewall | Query details Documentation |
Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Low | Networking and Firewall | Query details Documentation |
Audit Log Maxage Not Properly Set da9f3aa8-fbfb-472f-b5a1-576127944218 |
Low | Observability | Query details Documentation |
Audit Log Maxbackup Not Properly Set 768aab52-2504-4a2f-a3e3-329d5a679848 |
Low | Observability | Query details Documentation |
Audit Log Maxsize Not Properly Set 35c0a471-f7c8-4993-aa2c-503a3c712a66 |
Low | Observability | Query details Documentation |
Audit Policy Not Cover Key Security Concerns 1828a670-5957-4bc5-9974-47da228f75e2 |
Low | Observability | Query details Documentation |
Kubelet Event QPS Not Properly Set 1a07a446-8e61-4e4d-bc16-b0781fcb8211 |
Low | Observability | Query details Documentation |
Profiling Not Set To False 2f491173-6375-4a84-b28e-a4e2b9a58a69 |
Low | Observability | Query details Documentation |
CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Low | Resource Management | Query details Documentation |
CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Low | Resource Management | Query details Documentation |
CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Low | Resource Management | Query details Documentation |
Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Low | Resource Management | Query details Documentation |
StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Low | Resource Management | Query details Documentation |
Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Low | Secret Management | Query details Documentation |
Invalid Image Tag 583053b7-e632-46f0-b989-f81ff8045385 |
Low | Supply-Chain | Query details Documentation |
Ensure Administrative Boundaries Between Resources e84eaf4d-2f45-47b2-abe8-e581b06deb66 |
Info | Access Control | Query details Documentation |
HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Info | Availability | Query details Documentation |
Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Info | Availability | Query details Documentation |
Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
Info | Insecure Configurations | Query details Documentation |
Bind Address Not Properly Set 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 |
Info | Networking and Firewall | Query details Documentation |
Using Kubernetes Native Secret Management b9c83569-459b-4110-8f79-6305aa33cb37 |
Info | Secret Management | Query details Documentation |