Kubernetes

Kubernetes Queries List

This page contains all queries from Kubernetes.

| Query | ID | Severity | Category |
|---|---|---|---|
| Authorization Mode Set To Always Allow | f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 | High | Access Control |
| Basic Auth File Is Set | 5da47109-f8d6-4585-9e2b-96a8958a12f5 | High | Access Control |
| Client Certificate Authentication Not Setup Properly | e0e00aba-5f1c-4981-a542-9a9563c0ee20 | High | Access Control |
| Non Kube System Pod With Host Mount | aa8f7a35-9923-4cad-bd61-a19b7f6aac91 | High | Access Control |
| RBAC Wildcard In Rule | 6b896afb-ca07-467a-b256-1a0077a1c08e | High | Access Control |
| Service Account Lookup Set To False | a5530bd7-225a-48f9-91bb-f40b04200165 | High | Access Control |
| Token Auth File Is Set | 32ecd76e-7bbf-402e-bf48-8b9485749558 | High | Access Control |
| Pod Security Policy Admission Control Plugin Not Set | afa36afb-39fe-4d94-b9b6-afb236f7a03d | High | Build Process |
| Cluster Allows Unsafe Sysctls | 9127f0d9-2310-42e7-866f-5fd9d20dcbad | High | Insecure Configurations |
| Container Is Privileged | dd29336b-fe57-445b-a26e-e6aa867ae609 | High | Insecure Configurations |
| Container Runs Unmasked | f922827f-aab6-447c-832a-e1ff63312bd3 | High | Insecure Configurations |
| Containers With Sys Admin Capabilities | 235236ee-ad78-4065-bd29-61b061f28ce0 | High | Insecure Configurations |
| Privilege Escalation Allowed | 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d | High | Insecure Configurations |
| PSP Allows Containers To Share The Host Network Namespace | a33e9173-b674-4dfb-9d82-cf3754816e4b | High | Insecure Configurations |
| PSP Allows Privilege Escalation | 87554eef-154d-411d-bdce-9dbd91e56851 | High | Insecure Configurations |
| PSP Allows Sharing Host IPC | 80f93444-b240-4ebb-a4c6-5c40b76c04ea | High | Insecure Configurations |
| PSP Set To Privileged | c48e57d3-d642-4e0b-90db-37f807b41b91 | High | Insecure Configurations |
| PSP With Added Capabilities | 7307579a-3abb-46ad-9ce5-2a915634d5c8 | High | Insecure Configurations |
| Shared Host PID Namespace | 302736f4-b16c-41b8-befe-c0baffa0bd9d | High | Insecure Configurations |
| Tiller (Helm v2) Is Deployed | 6d173be7-545a-46c6-a81d-2ae52ed1605d | High | Insecure Configurations |
| Tiller Service Is Not Deleted | 8b862ca9-0fbd-4959-ad72-b6609bdaa22d | High | Insecure Configurations |
| Workload Mounting With Sensitive OS Directory | 5308a7a8-06f8-45ac-bf10-791fe21de46e | High | Insecure Configurations |
| Etcd Peer TLS Certificate Files Not Properly Set | 09bb9e96-8da3-4736-b89a-b36814acca60 | High | Networking and Firewall |
| Insecure Bind Address Set | b9380fd3-5ffe-4d10-9290-13e18e71eee1 | High | Networking and Firewall |
| Insecure Port Not Properly Set | fa4def8c-1898-4a35-a139-7b76b1acdef0 | High | Networking and Firewall |
| Secure Port Set To Zero | 3d24b204-b73d-42cb-b0bf-1a5438c5f71e | High | Networking and Firewall |
| Tiller Deployment Is Accessible From Within The Cluster | e17fa86a-6222-4584-a914-56e8f6c87e06 | High | Networking and Firewall |
| PSP With Unrestricted Access to Host Path | de4421f1-4e35-43b4-9783-737dd4e4a47e | High | Resource Management |
| Volume Mount With OS Directory Write Permissions | b7652612-de4e-4466-a0bf-1cd81f0c6063 | High | Resource Management |
| Always Admit Admission Control Plugin Set | ce30e584-b33f-4c7d-b418-a3d7027f8f60 | Medium | Access Control |
| Anonymous Auth Is Not Set To False | 1de5cc51-f376-4638-a940-20f2e85ae238 | Medium | Access Control |
| Authorization Mode RBAC Not Set | 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e | Medium | Access Control |
| Docker Daemon Socket is Exposed to Containers | a6f34658-fdfb-4154-9536-56d516f65828 | Medium | Access Control |
| Node Restriction Admission Control Plugin Not Set | 33fc6923-6553-4fe6-9d3a-4efa51eb874b | Medium | Access Control |
| Permissive Access to Create Pods | 592ad21d-ad9b-46c6-8d2d-fad09d62a942 | Medium | Access Control |
| RBAC Roles Allow Privilege Escalation | 8320826e-7a9c-4b0b-9535-578333193432 | Medium | Access Control |
| RBAC Roles with Attach Permission | d45330fd-f58d-45fb-a682-6481477a0f84 | Medium | Access Control |
| RBAC Roles with Exec Permission | c589f42c-7924-4871-aee2-1cede9bc7cbc | Medium | Access Control |
| RBAC Roles with Impersonate Permission | 9f85c3f6-26fd-4007-938a-2e0cb0100980 | Medium | Access Control |
| RBAC Roles with Port-Forwarding Permission | 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb | Medium | Access Control |
| RBAC Roles with Read Secrets Permissions | b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 | Medium | Access Control |
| Service Account Admission Control Plugin Disabled | 9587c890-0524-40c2-9ce2-663af7c2f063 | Medium | Access Control |
| Use Service Account Credentials Not Set To True | 1acd93f1-5a37-45c0-aaac-82ece818be7d | Medium | Access Control |
| Readiness Probe Is Not Configured | a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 | Medium | Availability |
| Request Timeout Not Properly Set | d89a15bb-8dba-4c71-9529-bef6729b9c09 | Medium | Availability |
| Terminated Pod Garbage Collector Threshold Not Properly Set | 49113af4-29ca-458e-b8d4-724c01a4a24f | Medium | Availability |
| Container Running As Root | cf34805e-3872-4c08-bf92-6ff7bb0cfadb | Medium | Best Practices |
| Container Running With Low UID | 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 | Medium | Best Practices |
| Root Containers Admitted | e3aa0612-4351-4a0d-983f-aefea25cf203 | Medium | Best Practices |
| Always Pull Images Admission Control Plugin Not Set | a77f4d07-c6e0-4a48-8b35-0eeb51576f4f | Medium | Build Process |
| Incorrect Volume Claim Access Mode ReadWriteOnce | 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 | Medium | Build Process |
| Encryption Provider Config Is Not Defined | cbd2db69-0b21-4c14-8a40-7710a50571a9 | Medium | Encryption |
| Encryption Provider Not Properly Configured | 10efce34-5af6-4d83-b414-9e096d5a06a9 | Medium | Encryption |
| Root CA File Not Defined | 05fb986f-ac73-4ebb-a5b2-7faafa93d882 | Medium | Encryption |
| Service Account Private Key File Not Defined | ccc98ff7-68a7-436e-9218-185cb0b0b780 | Medium | Encryption |
| Weak TLS Cipher Suites | 510d5810-9a30-443a-817d-5c1fa527b110 | Medium | Encryption |
| Authorization Mode Node Not Set | 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 | Medium | Insecure Configurations |
| Containers With Added Capabilities | 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 | Medium | Insecure Configurations |
| Ingress Controller Exposes Workload | 69bbc5e3-0818-4150-89cc-1e989b48f23b | Medium | Insecure Configurations |
| Kubelet Protect Kernel Defaults Set To False | 6cf42c97-facd-4fda-b8af-ea4529123355 | Medium | Insecure Configurations |
| NET_RAW Capabilities Disabled for PSP | 2270987f-bb51-479f-b8be-3ca73e5ad648 | Medium | Insecure Configurations |
| NET_RAW Capabilities Not Being Dropped | dbbc6705-d541-43b0-b166-dd4be8208b54 | Medium | Insecure Configurations |
| PSP Allows Sharing Host PID | 91dacd0e-d189-4a9c-8272-5999a3cc32d9 | Medium | Insecure Configurations |
| Seccomp Profile Is Not Configured | f377b83e-bd07-4f48-a591-60c82b14a78b | Medium | Insecure Configurations |
| Security Context Deny Admission Control Plugin Not Set | 6a68bebe-c021-492e-8ddb-55b0567fb768 | Medium | Insecure Configurations |
| Using Unrecommended Namespace | 611ab018-c4aa-4ba2-b0f6-a448337509a6 | Medium | Insecure Configurations |
| Role Binding To Default Service Account | 1e749bc9-fde8-471c-af0c-8254efd2dee5 | Medium | Insecure Defaults |
| Service Account Name Undefined Or Empty | 591ade62-d6b0-4580-b1ae-209f80ba1cd9 | Medium | Insecure Defaults |
| Service Account Token Automount Not Disabled | 48471392-d4d0-47c0-b135-cdec95eb3eef | Medium | Insecure Defaults |
| Auto TLS Set To True | 98ce8b81-7707-4734-aa39-627c6db3d84b | Medium | Networking and Firewall |
| CNI Plugin Does Not Support Network Policies | 03aabc8c-35d6-481e-9c85-20139cf72d23 | Medium | Networking and Firewall |
| Etcd TLS Certificate Files Not Properly Set | 075ca296-6768-4322-aea2-ba5063b969a9 | Medium | Networking and Firewall |
| Etcd TLS Certificate Not Properly Configured | 895a5a95-3756-4b04-9924-2f3bc93181bd | Medium | Networking and Firewall |
| Kubelet HTTPS Set To False | cdc8b54e-6b16-4538-a1b0-35849dbe29cf | Medium | Networking and Firewall |
| Kubelet Not Managing Ip Tables | 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 | Medium | Networking and Firewall |
| Kubelet Read Only Port Is Not Set To Zero | 2940d48a-dc5e-4178-a3f8-bfbd80720b41 | Medium | Networking and Firewall |
| Kubelet Streaming Connection Timeout Disabled | ed89b97d-04e9-4fd4-919f-ee5b27e555e9 | Medium | Networking and Firewall |
| Peer Auto TLS Set To True | ae8827e2-4af9-4baa-9998-87539ae0d6f0 | Medium | Networking and Firewall |
| Pod Misconfigured Network Policy | 0401f71b-9c1e-4821-ab15-a955caa621be | Medium | Networking and Firewall |
| Service With External Load Balancer | 26763a1c-5dda-4772-b507-5fca7fb5f165 | Medium | Networking and Firewall |
| TSL Connection Certificate Not Setup | fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f | Medium | Networking and Firewall |
| Audit Log Path Not Set | 73e251f0-363d-4e53-86e2-0a93592437eb | Medium | Observability |
| Audit Policy File Not Defined | 13a49a2e-488e-4309-a7c0-d6b05577a5fb | Medium | Observability |
| Memory Limits Not Defined | b14d1bc4-a208-45db-92f0-e21f8e2588e9 | Medium | Resource Management |
| Memory Requests Not Defined | 229588ef-8fde-40c8-8756-f4f2b5825ded | Medium | Resource Management |
| Shared Host IPC Namespace | cd290efd-6c82-4e9d-a698-be12ae31d536 | Medium | Resource Management |
| Shared Host Network Namespace | 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a | Medium | Resource Management |
| Etcd Client Certificate Authentication Set To False | 9391103a-d8d7-4671-ac5d-606ba7ccb0ac | Medium | Secret Management |
| Etcd Client Certificate File Not Defined | 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 | Medium | Secret Management |
| Etcd Peer Client Certificate Authentication Set To False | b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff | Medium | Secret Management |
| Kubelet Certificate Authority Not Set | ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 | Medium | Secret Management |
| Kubelet Client Certificate Or Key Not Set | 36a27826-1bf5-49da-aeb0-a60a30c0e834 | Medium | Secret Management |
| Kubelet Client Periodic Certificate Switch Disabled | 52d70f2e-3257-474c-b3dc-8ad9ba6a061a | Medium | Secret Management |
| Not Unique Certificate Authority | cb7e695d-6a85-495c-b15f-23aed2519303 | Medium | Secret Management |
| Rotate Kubelet Server Certificate Not Active | 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 | Medium | Secret Management |
| Service Account Key File Not Properly Set | dab4ec72-ce2e-4732-b7c3-1757dcce01a1 | Medium | Secret Management |
| ServiceAccount Allows Access Secrets | 056ac60e-fe07-4acc-9b34-8e1d51716ab9 | Medium | Secret Management |
| Shared Service Account | c1032cf7-3628-44e2-bd53-38c17cf31b6b | Medium | Secret Management |
| Cluster Admin Rolebinding With Superuser Permissions | 249328b8-5f0f-409f-b1dd-029f07882e11 | Low | Access Control |
| Missing AppArmor Profile | 8b36775e-183d-4d46-b0f7-96a6f34a723f | Low | Access Control |
| Deployment Without PodDisruptionBudget | b23e9b98-0cb6-4fc9-b257-1f3270442678 | Low | Availability |
| Event Rate Limit Admission Control Plugin Not Set | e0099af2-fe17-411f-9991-0de28fe15f3c | Low | Availability |
| HPA Targets Invalid Object | 2f652c42-619d-4361-b361-9f599688f8ca | Low | Availability |
| StatefulSet Without PodDisruptionBudget | 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 | Low | Availability |
| StatefulSet Without Service Name | bb241e61-77c3-4b97-9575-c0f8a1e008d0 | Low | Availability |
| Metadata Label Is Invalid | 1123031a-f921-4c5b-bd86-ef354ecfd37a | Low | Best Practices |
| No Drop Capabilities for Containers | 268ca686-7fb7-4ae9-b129-955a2a89064e | Low | Best Practices |
| Object Is Using A Deprecated API Version | 94b76ea5-e074-4ca2-8a03-c5a606e30645 | Low | Best Practices |
| Image Policy Webhook Admission Control Plugin Not Set | 14abda69-8e91-4acb-9931-76e2bee90284 | Low | Build Process |
| Namespace Lifecycle Admission Control Plugin Disabled | 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 | Low | Build Process |
| Root Container Not Mounted Read-only | a9c2f49d-0671-4fc9-9ece-f4e261e128d0 | Low | Build Process |
| StatefulSet Requests Storage | 8cf4671a-cf3d-46fc-8389-21e7405063a2 | Low | Build Process |
| Dashboard Is Enabled | d2ad057f-0928-41ef-a83c-f59203bb855b | Low | Insecure Configurations |
| Image Pull Policy Of The Container Is Not Set To Always | caa3479d-885d-4882-9aac-95e5e78ef5c2 | Low | Insecure Configurations |
| Image Without Digest | 7c81d34c-8e5a-402b-9798-9f442630e678 | Low | Insecure Configurations |
| Kubelet Hostname Override Is Set | bf36b900-b5ef-4828-adb7-70eb543b7cfb | Low | Insecure Configurations |
| Pod or Container Without LimitRange | 4a20ebac-1060-4c81-95d1-1f7f620e983b | Low | Insecure Configurations |
| Pod or Container Without ResourceQuota | 48a5beba-e4c0-4584-a2aa-e6894e4cf424 | Low | Insecure Configurations |
| Pod or Container Without Security Context | a97a340a-0063-418e-b3a1-3028941d0995 | Low | Insecure Configurations |
| Service Does Not Target Pod | 3ca03a61-3249-4c16-8427-6f8e47dda729 | Low | Insecure Configurations |
| Network Policy Is Not Targeting Any Pod | 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 | Low | Networking and Firewall |
| Service Type is NodePort | 845acfbe-3e10-4b8e-b656-3b404d36dfb2 | Low | Networking and Firewall |
| Workload Host Port Not Specified | 2b1836f1-dcce-416e-8e16-da8c71920633 | Low | Networking and Firewall |
| Audit Log Maxage Not Properly Set | da9f3aa8-fbfb-472f-b5a1-576127944218 | Low | Observability |
| Audit Log Maxbackup Not Properly Set | 768aab52-2504-4a2f-a3e3-329d5a679848 | Low | Observability |
| Audit Log Maxsize Not Properly Set | 35c0a471-f7c8-4993-aa2c-503a3c712a66 | Low | Observability |
| Audit Policy Not Cover Key Security Concerns | 1828a670-5957-4bc5-9974-47da228f75e2 | Low | Observability |
| Kubelet Event QPS Not Properly Set | 1a07a446-8e61-4e4d-bc16-b0781fcb8211 | Low | Observability |
| Profiling Not Set To False | 2f491173-6375-4a84-b28e-a4e2b9a58a69 | Low | Observability |
| CPU Limits Not Set | 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda | Low | Resource Management |
| CPU Requests Not Set | ca469dd4-c736-448f-8ac1-30a642705e0a | Low | Resource Management |
| CronJob Deadline Not Configured | 192fe40b-b1c3-448a-aba2-6cc19a300fe3 | Low | Resource Management |
| Deployment Has No PodAntiAffinity | a31b7b82-d994-48c4-bd21-3bab6c31827a | Low | Resource Management |
| StatefulSet Has No PodAntiAffinity | d740d048-8ed3-49d3-b77b-6f072f3b669e | Low | Resource Management |
| Secrets As Environment Variables | 3d658f8b-d988-41a0-a841-40043121de1e | Low | Secret Management |
| Invalid Image Tag | 583053b7-e632-46f0-b989-f81ff8045385 | Low | Supply-Chain |
| Ensure Administrative Boundaries Between Resources | e84eaf4d-2f45-47b2-abe8-e581b06deb66 | Info | Access Control |
| HPA Targeted Deployments With Configured Replica Count | 5744cbb8-5946-4b75-a196-ade44449525b | Info | Availability |
| Liveness Probe Is Not Defined | ade74944-a674-4e00-859e-c6eab5bde441 | Info | Availability |
| Not Limited Capabilities For Pod Security Policy | caa93370-791f-4fc6-814b-ba6ce0cb4032 | Info | Insecure Configurations |
| Bind Address Not Properly Set | 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 | Info | Networking and Firewall |
| Using Kubernetes Native Secret Management | b9c83569-459b-4110-8f79-6305aa33cb37 | Info | Secret Management |