207 |
CM-001 |
cm-001-sensitive-key-referenced-in-configmap |
alert |
Attackers can retrieve and use sensitive information provided via config maps |
.data.aws_access_key_id |
yes |
|
|
|
|
|
.data.aws_secret_access_key |
|
|
|
|
|
|
.data.azure_batchai_storage_account |
|
|
|
|
|
|
.data.azure_batchai_storage_key |
|
|
|
|
|
|
.data.azure_batch_account |
|
|
|
|
|
|
.data.azure_batch_key |
|
|
|
|
|
|
.data.secret |
|
|
|
|
|
|
.data.key |
|
|
|
|
|
|
.data.password |
|
|
|
|
|
|
.data.pwd |
|
|
|
|
|
|
.data.token |
|
|
|
|
|
|
.data.jwt |
|
|
|
|
|
|
.data.bearer |
|
|
|
|
|
|
.data.credential |
|
15 |
CM-002 |
Prevent ConfigMap security vulnerability (CVE-2021-25742) |
alert |
Users with limited access to a Kubernetes cluster, but with the ability to create an Ingress object handled by the NGINX Ingress Controller, could elevate privilege through snippet annotations and read all Secrets in the cluster (NVD severity of this issue: High). |
Configmap.data.allow-snippet-annotation |
no |
21 |
ING-001 |
Set HTTP security headers on the Kubernetes Ingress controller |
alert |
HTTP security headers (for example Strict-Transport-Security and X-Content-Type-Options) should be set by the Ingress controller for every exposed application; prefer the controller-wide ConfigMap setting over a per-Ingress configuration-snippet, since snippets are the mechanism ING-005 flags. |
Ingress.metadata.annotations["nginx.ingress.kubernetes.io/configuration-snippet"] |
no |
|
|
|
|
|
ConfigMap.data["proxy-set-headers"] |
|
22 |
ING-002 |
enable TLS for Ingress |
alert |
Configure TLS in the Ingress by specifying a Secret that contains the TLS private key and certificate; without a tls section the Ingress serves plain HTTP. |
Ingress.spec.tls |
no |
|
|
|
|
|
Secret.data["tls.crt"] |
|
|
|
|
|
|
Secret.data["tls.key"] |
|
23 |
ING-003 |
ensure ingress targets a Service |
alert |
|
Ingress.spec.rules[].http.paths[].backend.service |
no |
24 |
ING-004 |
prevent ingress from forwarding all traffic to a single container |
alert |
Misconfiguring the Ingress host can unintentionally forward all traffic to a single pod instead of using the Service's load balancing. Verifying that Ingress traffic is served by multiple pods gives higher application availability, because no single pod has to serve all Ingress traffic. (From datree: https://hub.datree.io/built-in-rules/prevent-ingress-forwarding-traffic-to-single-container) |
Ingress.spec.rules[].host |
no |
25 |
ING-005 |
CVE-2021-25742 nginx-ingress snippet annotation vulnerability |
alert |
Security issue in ingress-nginx: a user who can create or update Ingress objects can use the custom snippet feature to obtain all Secrets in the cluster (see https://github.com/kubernetes/ingress-nginx/issues/7837). To mitigate this vulnerability, set allow-snippet-annotations to false in the ingress-nginx ConfigMap. |
Ingress.metadata.annotations["nginx.ingress.kubernetes.io/server-snippet"] |
no |
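The ConfigMap and Ingress rules above (CM-001, CM-002, ING-002, ING-003, ING-005) are path checks over parsed manifests. The following is an added example, not code from this catalog or from any scanner it describes, showing how those checks look when implemented over plain Python dicts (what you get from yaml.safe_load or kubectl get -o json). CM-001 matches the catalog's key names by token, so DB_PASSWORD and aws_secret_access_key fire while keyboard does not; the two Azure account names carry no sensitive token and are matched exactly. The sample objects are constructed for the example.

```python
import re

# CM-001: key names the catalog treats as sensitive. Compound names such as
# aws_secret_access_key are caught by their tokens; the two Azure account names
# contain no sensitive token, so they are matched exactly.
SENSITIVE_TOKENS = {"secret", "key", "password", "pwd", "token", "jwt",
                    "bearer", "credential", "credentials"}
SENSITIVE_EXACT = {"azure_batch_account", "azure_batchai_storage_account"}

# ING-001 / ING-005: annotations that inject raw nginx configuration.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)


def is_sensitive_key(key):
    """True if a ConfigMap data key looks like a credential (CM-001)."""
    lowered = key.lower()
    tokens = set(re.split(r"[^a-z0-9]+", lowered)) - {""}
    return lowered in SENSITIVE_EXACT or bool(tokens & SENSITIVE_TOKENS)


def check_configmap(cm):
    """Return [(rule_id, detail), ...] for one parsed ConfigMap object."""
    findings = []
    data = cm.get("data") or {}
    for key in data:
        if is_sensitive_key(key):
            findings.append(("CM-001", f".data.{key} looks like a credential; store it in a Secret"))
    # CM-002: the ingress-nginx controller ConfigMap must keep allow-snippet-annotations
    # at "false"; "true" re-opens the CVE-2021-25742 snippet injection path.
    if str(data.get("allow-snippet-annotations", "false")).lower() == "true":
        findings.append(("CM-002", "allow-snippet-annotations is true (CVE-2021-25742)"))
    return findings


def check_ingress(ing):
    """Return [(rule_id, detail), ...] for one parsed Ingress object."""
    findings = []
    annotations = (ing.get("metadata") or {}).get("annotations") or {}
    for name in SNIPPET_ANNOTATIONS:
        if name in annotations:
            findings.append(("ING-005", f"{name} injects raw nginx config; whoever edits this Ingress controls the controller"))
    spec = ing.get("spec") or {}
    if not spec.get("tls"):
        findings.append(("ING-002", "no .spec.tls entry; traffic is served in clear text"))
    for rule in spec.get("rules") or []:
        for path in (rule.get("http") or {}).get("paths") or []:
            if "service" not in (path.get("backend") or {}):
                findings.append(("ING-003", f"path {path.get('path', '/')} has no Service backend"))
    return findings


# Constructed sample objects (not taken from a real cluster).
SAMPLE_CONFIGMAPS = [
    {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "app"},
     "data": {"DB_HOST": "db.app.svc", "DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
    {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "data": {"allow-snippet-annotations": "true"}},
]
SAMPLE_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "web", "namespace": "app",
                 "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "location /x { return 200; }"}},
    "spec": {"rules": [{"host": "web.example.test",
                        "http": {"paths": [{"path": "/", "pathType": "Prefix",
                                            "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]},
}


def scan(configmaps=SAMPLE_CONFIGMAPS, ingress=SAMPLE_INGRESS):
    """Run every check and return the rule ids that fired, in order."""
    findings = [f for cm in configmaps for f in check_configmap(cm)] + check_ingress(ingress)
    return [rule for rule, _ in findings]


if __name__ == "__main__":
    for cm in SAMPLE_CONFIGMAPS:
        for rule, detail in check_configmap(cm):
            print(rule, detail)
    for rule, detail in check_ingress(SAMPLE_INGRESS):
        print(rule, detail)
```

On the samples, CM-001 fires for DB_PASSWORD, CM-002 for the controller ConfigMap, and the Ingress trips ING-005 and ING-002 but not ING-003. Token matching keeps the false-positive rate down compared with substring matching, but a key such as api_key_name still fires; treat CM-001 output as a review queue, not as proof of a leaked credential.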
78 |
NP-001 |
np-001-namespace-without-network-policy |
alert |
A namespace without any NetworkPolicy allows all ingress and egress traffic for every pod in it. |
NetworkPolicy.metadata.namespace |
yes |
|
|
|
|
|
.metadata.namespace |
|
79 |
NP-002-1 |
np-002-1-only-ingress-is-blocked |
alert |
When policyTypes lists only Ingress, egress from the selected pods stays unrestricted. |
NetworkPolicy.spec.policyTypes[] |
yes |
|
|
|
|
|
.spec.policyTypes[] |
|
80 |
NP-002-2 |
np-002-2-only-egress-is-blocked |
alert |
When policyTypes lists only Egress, ingress to the selected pods stays unrestricted. |
NetworkPolicy.spec.policyTypes[] |
yes |
|
|
|
|
|
.spec.policyTypes[] |
|
81 |
NP-003 |
np-003-network-policy-allows-access-to-cloud-metadata-api |
alert |
An egress rule whose ipBlock covers 169.254.169.254 (and does not carve it out with except) lets pods reach the cloud instance metadata API and the node's cloud credentials. |
NetworkPolicy.spec.egress[].to[].ipBlock |
yes |
|
|
|
|
|
.spec.egress[].to[].ipBlock |
|
82 |
NP-004 |
np-004-network-policy-allows-access-to-kubelet |
alert |
An egress rule that allows port 10250 lets pods reach the kubelet API on the nodes. |
NetworkPolicy.spec.egress[].ports[].port |
yes |
|
|
|
|
|
.spec.egress[].ports[].port |
|
83 |
NP-005 |
np-005-network-policy-refers-no-valid-workload |
alert |
A NetworkPolicy whose podSelector matches no running workload enforces nothing and usually indicates a label mismatch. |
NetworkPolicy.spec.podSelector |
yes |
|
|
|
|
|
.spec.podSelector |
|
16 |
NP-006 |
ensure all workloads are referenced by a Network Policy |
alert |
Pods that are not selected by any NetworkPolicy have unrestricted ingress and egress, even in a namespace that has policies. |
NetworkPolicy.spec.podSelector.matchLabels |
no |
|
|
|
|
|
NetworkPolicy.spec.ingress[].from[].podSelector |
|
|
|
|
|
|
NetworkPolicy.spec.egress[].to[].podSelector |
|
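The NetworkPolicy rules NP-001 through NP-006 need two things a single-object check cannot give: Kubernetes' defaulting of policyTypes, and the relation between a policy's podSelector and the pods actually running. The following is an added example, not the catalog's or any scanner's code, that implements those rules over parsed manifests: policyTypes defaulting, LabelSelector evaluation (matchLabels and matchExpressions), CIDR containment for the metadata endpoint including except blocks, the kubelet port, and coverage of pods by policies. The policy and pods are constructed for the example.

```python
import ipaddress

METADATA_API = ipaddress.ip_address("169.254.169.254")  # cloud instance metadata endpoint
KUBELET_PORT = 10250


def policy_types(np):
    """Kubernetes defaulting: ['Ingress'] unless set, plus 'Egress' when an egress section exists."""
    spec = np.get("spec") or {}
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selector_matches(selector, labels):
    """Evaluate a LabelSelector against a pod's labels. An empty selector matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def ipblock_allows(block, ip):
    """True if ip lies inside block.cidr and is not carved out by block.except."""
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except") or [])


def check_policy(np):
    """NP-002, NP-003 and NP-004 on a single NetworkPolicy."""
    findings = []
    name = f"{np['metadata']['namespace']}/{np['metadata']['name']}"
    types = policy_types(np)
    if types == {"Ingress"}:
        findings.append(("NP-002-1", f"{name}: only ingress is restricted, egress stays open"))
    elif types == {"Egress"}:
        findings.append(("NP-002-2", f"{name}: only egress is restricted, ingress stays open"))
    for rule in (np.get("spec") or {}).get("egress") or []:
        for peer in rule.get("to") or []:
            block = peer.get("ipBlock")
            if block and ipblock_allows(block, METADATA_API):
                findings.append(("NP-003", f"{name}: egress to {block['cidr']} reaches {METADATA_API}"))
        for port in rule.get("ports") or []:
            if port.get("port") == KUBELET_PORT:
                findings.append(("NP-004", f"{name}: egress to kubelet port {KUBELET_PORT} allowed"))
    return findings


def check_coverage(policies, pods):
    """NP-001, NP-005 and NP-006: relate the policies to the pods that actually run."""
    findings = []
    by_ns = {}
    for np in policies:
        by_ns.setdefault(np["metadata"]["namespace"], []).append(np)
    for ns in sorted({p["metadata"]["namespace"] for p in pods}):
        if ns not in by_ns:
            findings.append(("NP-001", f"namespace {ns} has no NetworkPolicy"))
    for pod in pods:
        ns, labels = pod["metadata"]["namespace"], pod["metadata"].get("labels") or {}
        if ns in by_ns and not any(selector_matches(np["spec"].get("podSelector") or {}, labels) for np in by_ns[ns]):
            findings.append(("NP-006", f"pod {ns}/{pod['metadata']['name']} is not selected by any policy"))
    for np in policies:
        ns, sel = np["metadata"]["namespace"], np["spec"].get("podSelector") or {}
        ns_pods = [p for p in pods if p["metadata"]["namespace"] == ns]
        if not any(selector_matches(sel, p["metadata"].get("labels") or {}) for p in ns_pods):
            findings.append(("NP-005", f"{ns}/{np['metadata']['name']} selects no running workload"))
    return findings


# Constructed samples (not from a real cluster): one egress-only policy and three pods.
SAMPLE_POLICIES = [{
    "kind": "NetworkPolicy",
    "metadata": {"name": "web-egress", "namespace": "app"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}],
                    "ports": [{"protocol": "TCP", "port": 443}, {"protocol": "TCP", "port": 10250}]}],
    },
}]
SAMPLE_PODS = [
    {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "app", "labels": {"app": "web"}}},
    {"kind": "Pod", "metadata": {"name": "worker-1", "namespace": "app", "labels": {"app": "worker"}}},
    {"kind": "Pod", "metadata": {"name": "job-1", "namespace": "batch", "labels": {"app": "job"}}},
]


def scan(policies=SAMPLE_POLICIES, pods=SAMPLE_PODS):
    """Return the rule ids that fire, policy checks first, then coverage checks."""
    findings = [f for np in policies for f in check_policy(np)] + check_coverage(policies, pods)
    return [rule for rule, _ in findings]
```

The sample policy allows 0.0.0.0/0 with only 10.0.0.0/8 excepted, so the metadata endpoint is still reachable and NP-003 fires; adding 169.254.169.254/32 to except makes ipblock_allows return False. Note that an egress rule with no ports entry allows every port, which this check does not report; a stricter implementation would flag that case for NP-004 as well.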
208 |
NS-001 |
ns-001-use-default-namespace |
alert |
Workloads in the default namespace cannot be separated from each other with namespace-scoped RBAC, NetworkPolicies or resource quotas; create a dedicated namespace instead. |
.metadata.namespace |
yes |
209 |
NS-002-1 |
ns-002-1-place-pod-in-kube-system |
alert |
kube-system holds the cluster's own components and their highly privileged service accounts; it should not be used for custom workloads. |
.metadata.namespace |
yes |
210 |
NS-002-2 |
ns-002-2-place-pod-in-kube-public |
alert |
kube-public is readable by all users, including unauthenticated ones, and should not be used for custom workloads. |
.metadata.namespace |
yes |
13 |
NS-003 |
ensure that components in a Namespace are restricted to only those necessary |
alert |
Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. |
.metadata.namespace |
no |
14 |
NS-004 |
No owner for namespace affects the operations |
alert |
A namespace without an identifiable owner has nobody accountable for reviewing its workloads and permissions; limiting the scope of user permissions per namespace only reduces the impact of mistakes or malicious activity when someone owns that scope. |
.metadata.namespace |
no |
85 |
POD-002-1 |
pod-002-1-explicit-default-sa |
alert |
The default ServiceAccount should never be used explicitly. Create a dedicated ServiceAccount when access to the API server is needed. |
.spec.serviceAccountName |
yes |
86 |
POD-002-2 |
pod-002-2-no-sa-specified |
alert |
if no service account is specified it defaults to the default ServiceAccount, which should be avoided. Create a dedicated ServiceAccount without any permissions instead. |
.spec.serviceAccountName |
yes |
87 |
POD-003-1 |
pod-003-1-default-pod-and-sa |
alert |
relying on default on both pod and SA level leads to token being needlessly mounted |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
88 |
POD-003-2 |
pod-003-2-default-pod-automount-sa |
alert |
allowing automounting on SA leads to all pods without explicit setting to mount it automatically |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
89 |
POD-003-3 |
pod-003-3-default-pod-no-automount-sa |
pass |
disabling automounting at SA level will be the default for pods as well |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
90 |
POD-003-4 |
pod-003-4-automount-pod-default-sa |
alert |
enabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
91 |
POD-003-5 |
pod-003-5-automount-pod-and-sa |
alert |
enabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
92 |
POD-003-6 |
pod-003-6-automount-pod-no-automount-sa |
alert |
enabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
93 |
POD-003-7 |
pod-003-7-no-automount-pod-default-sa |
pass |
disabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
94 |
POD-003-8 |
pod-003-8-no-automount-pod-automount-sa |
pass |
disabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
95 |
POD-003-9 |
pod-003-9-no-automount-pod-and-sa |
pass |
disabling automounting at Pod level takes precedence over SA |
.spec.automountServiceAccountToken |
yes |
|
|
|
|
|
.automountServiceAccountToken |
|
3 |
POD-004 |
dont share service account between workloads |
alert |
Each workload should run under its own ServiceAccount so that permissions can be scoped per workload and a compromised pod cannot reuse another workload's identity. |
.spec.serviceAccountName |
no |
4 |
POD-005 |
don't reference non-existing SA |
alert |
A pod that references a ServiceAccount that does not exist is rejected by the ServiceAccount admission plugin, so the workload never starts; the reference usually indicates a missing or misnamed account. |
.spec.serviceAccountName |
no |
|
|
|
|
|
ServiceAccount.metadata.name |
|
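POD-002 through POD-005 and POD-013 all revolve around which ServiceAccount a pod ends up with and whether its token is mounted, and the POD-003 matrix above is the precedence order: the pod's automountServiceAccountToken wins, then the ServiceAccount's, then the Kubernetes default of true. The following is an added example, not the catalog's code, that encodes that precedence and runs the service-account rules over a set of pods. It assumes a lookup of ServiceAccount objects keyed by (namespace, name); the default account exists in every namespace, so it is never reported as missing. The pods and accounts are constructed for the example.

```python
def resolve_service_account(pod):
    """Account the pod runs as: serviceAccountName, else the deprecated serviceAccount field, else 'default'."""
    spec = pod["spec"]
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"


def effective_token_mount(pod, service_accounts):
    """POD-003 precedence: pod.spec.automountServiceAccountToken, then the ServiceAccount's field, then True."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"].get("namespace", "default"), resolve_service_account(pod))
    sa = service_accounts.get(key)
    if sa is not None and "automountServiceAccountToken" in sa:
        return bool(sa["automountServiceAccountToken"])
    return True


def check_service_accounts(pods, service_accounts):
    """POD-002, POD-003, POD-004, POD-005 and POD-013 over a list of pods.

    service_accounts maps (namespace, name) -> ServiceAccount object."""
    findings = []
    users = {}
    for pod in pods:
        spec, meta = pod["spec"], pod["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        sa_name = resolve_service_account(pod)
        if "serviceAccount" in spec:
            findings.append(("POD-013", f"{ns}/{name}: .spec.serviceAccount is deprecated, use serviceAccountName"))
        if "serviceAccountName" not in spec and "serviceAccount" not in spec:
            findings.append(("POD-002-2", f"{ns}/{name}: no ServiceAccount set, falls back to 'default'"))
        elif sa_name == "default":
            findings.append(("POD-002-1", f"{ns}/{name}: explicitly uses the 'default' ServiceAccount"))
        if sa_name != "default" and (ns, sa_name) not in service_accounts:
            findings.append(("POD-005", f"{ns}/{name}: ServiceAccount {sa_name} does not exist"))
        if effective_token_mount(pod, service_accounts):
            findings.append(("POD-003", f"{ns}/{name}: API token will be mounted into every container"))
        users.setdefault((ns, sa_name), []).append(name)
    for (ns, sa_name), names in users.items():
        if sa_name != "default" and len(names) > 1:
            findings.append(("POD-004", f"ServiceAccount {ns}/{sa_name} is shared by {', '.join(names)}"))
    return findings


# Constructed samples (not from a real cluster).
SAMPLE_SERVICE_ACCOUNTS = {
    ("app", "api"): {"metadata": {"name": "api", "namespace": "app"}, "automountServiceAccountToken": False},
    ("app", "worker"): {"metadata": {"name": "worker", "namespace": "app"}},
}
SAMPLE_PODS = [
    {"metadata": {"name": "api-1", "namespace": "app"}, "spec": {"serviceAccountName": "api"}},
    {"metadata": {"name": "api-debug", "namespace": "app"},
     "spec": {"serviceAccountName": "api", "automountServiceAccountToken": True}},
    {"metadata": {"name": "worker-1", "namespace": "app"}, "spec": {"serviceAccountName": "worker"}},
    {"metadata": {"name": "worker-2", "namespace": "app"},
     "spec": {"serviceAccountName": "worker", "automountServiceAccountToken": False}},
    {"metadata": {"name": "legacy-1", "namespace": "app"}, "spec": {}},
    {"metadata": {"name": "ghost-1", "namespace": "app"}, "spec": {"serviceAccountName": "ghost"}},
]


def scan(pods=SAMPLE_PODS, service_accounts=SAMPLE_SERVICE_ACCOUNTS):
    """Return the rule ids that fire, in order."""
    return [rule for rule, _ in check_service_accounts(pods, service_accounts)]
```

api-1 inherits automount: false from its ServiceAccount (the pod-003-3 pass case), api-debug overrides it back to true at pod level (pod-003-4), and worker-2 disables it at pod level although the account allows it (pod-003-8). The check also reports the two shared accounts (POD-004) and the reference to the nonexistent account ghost (POD-005).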
102 |
POD-008-1 |
pod-008-1-use-no-hostpid |
pass |
The hostPID defaults to false and thus should be okay |
.spec.hostPID |
yes |
103 |
POD-008-2 |
pod-008-2-pod-has-hostpid-set |
alert |
Containers should be isolated from the host machine as much as possible. hostPID pods may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions |
.spec.hostPID |
yes |
104 |
POD-009-1 |
pod-009-1-use-no-hostipc |
pass |
The hostIPC defaults to false and thus should be okay |
.spec.hostIPC |
yes |
105 |
POD-009-2 |
pod-009-2-has-hostipc-set |
alert |
Containers should be isolated from the host machine as much as possible. hostIPC on pods may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions |
.spec.hostIPC |
yes |
106 |
POD-010-1 |
pod-010-1-use-no-hostnetwork |
pass |
The hostNetwork defaults to false and thus should be okay |
.spec.hostNetwork |
yes |
107 |
POD-010-2 |
pod-010-2-has-hostnetwork-set |
alert |
Containers should be isolated from the host machine as much as possible. hostNetwork gives the pod the node's network namespace, so its containers can observe node traffic and reach services bound to the node's loopback interface. |
.spec.hostNetwork |
yes |
108 |
POD-011 |
pod-011-uses-hostport |
alert |
Binding a container port to a hostPort exposes it directly on the node's IP, outside the Service abstraction, and limits where the Pod can be scheduled, because each <hostIP, hostPort, protocol> combination must be unique. |
.spec.containers[].ports[].hostPort |
yes |
109 |
POD-012 |
pod-012-use-hostaliases-to-modify-pods--etc-hosts |
alert |
hostAliases override name resolution inside the pod by writing entries to its /etc/hosts; review them, because they can silently redirect traffic for the listed hostnames away from the destinations DNS would return. |
.spec.hostAliases |
yes |
110 |
POD-013 |
pod-013-use-serviceaccount-field |
alert |
ServiceAccount field is deprecated, ServiceAccountName should be used instead |
.spec.serviceAccount |
yes |
111 |
POD-014 |
pod-014-no-apparmor-profile |
alert |
AppArmor can be configured for any application to reduce its potential attack surface and provide greater in-depth defense. |
.metadata.annotations |
yes |
|
|
|
|
|
.metadata.annotations.container.apparmor.security.beta.kubernetes.io |
 |
 |
 |
 |
 |
 |
.metadata.annotations[container.apparmor.security.beta.kubernetes.io] |
|
5 |
POD-015 |
enable Seccomp |
alert |
A seccomp profile can be set at pod level or per container (the container value takes precedence); the older seccomp.security.alpha.kubernetes.io annotations are deprecated and securityContext.seccompProfile should be used instead. |
.spec.securityContext.seccompProfile |
no |
 |
 |
 |
 |
 |
.spec.containers[].securityContext.seccompProfile |
|
112 |
POD-016 |
pod-016-no-podsecuritycontext-defined |
alert |
not providing a podSecurityContext leads to the use of too permissive settings for the pod |
.spec.securityContext |
yes |
113 |
POD-017-1 |
pod-017-1-default-to-root-user |
alert |
Without runAsNonRoot: true or an explicit non-root runAsUser (the catalog expects a UID of 1000 or above), the container runs as the image's default user, which is usually root. |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
114 |
POD-017-2 |
pod-017-2-use-runasnonroot-flag-on-pod |
pass |
Using runAsNonRoot is a viable alternative to runAsUser>1000 |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
115 |
POD-017-3 |
pod-017-3-runasnonroot-is-optional |
pass |
Using runAsNonRoot is a viable alternative to runAsUser>1000 |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
116 |
POD-017-4 |
pod-017-4-use-root-user-in-pod |
alert |
Without runAsNonRoot: true or an explicit non-root runAsUser (the catalog expects a UID of 1000 or above), the container runs as the image's default user, which is usually root. |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
117 |
POD-017-5 |
pod-017-5-use-runasnonroot-flag-on-container |
pass |
Using runAsNonRoot is a viable alternative to runAsUser>1000 |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
118 |
POD-017-6 |
pod-017-6-runasnonroot-is-optional-on-container |
pass |
Using runAsNonRoot is a viable alternative to runAsUser>1000 |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
119 |
POD-017-7 |
pod-017-7-use-root-user-on-container |
alert |
Without runAsNonRoot: true or an explicit non-root runAsUser (the catalog expects a UID of 1000 or above), the container runs as the image's default user, which is usually root. |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
120 |
POD-017-8 |
pod-017-8-set-runasnonroot-correctly-on-container |
pass |
runAsNonRoot setting on container takes precedence |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
121 |
POD-017-9 |
pod-017-9-set-runasnonroot-not-correctly-on-container |
alert |
runAsNonRoot setting on container takes precedence |
.spec.securityContext.runAsNonRoot |
yes |
|
|
|
|
|
.spec.securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
122 |
POD-018-1 |
pod-018-1-default-to-root-user |
alert |
Without runAsNonRoot: true or an explicit non-root runAsUser (the catalog expects a UID of 1000 or above), the container runs as the image's default user, which is usually root. |
.spec.securityContext.runAsUser |
yes |
|
|
|
|
|
.spec.securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
123 |
POD-018-2 |
pod-018-2-use-uid-between-1k-10k-on-pod |
pass |
A UID of 1000 or above avoids running as root or as a system user |
.spec.securityContext.runAsUser |
yes |
|
|
|
|
|
.spec.securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
124 |
POD-018-3 |
pod-018-3-use-uid-between-1k-10k-on-container |
pass |
A UID of 1000 or above avoids running as root or as a system user |
.spec.securityContext.runAsUser |
yes |
|
|
|
|
|
.spec.securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
125 |
POD-018-4 |
pod-018-4-use-uid-set-in-container-takes-precedence |
pass |
in case of conflicting settings, the value on the container takes precedence |
.spec.securityContext.runAsUser |
yes |
|
|
|
|
|
.spec.securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
126 |
POD-018-5 |
pod-018-5-use-uid-set-in-container-takes-precedence |
alert |
in case of conflicting settings, the value on the container takes precedence |
.spec.securityContext.runAsUser |
yes |
|
|
|
|
|
.spec.securityContext.runAsNonRoot |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsUser |
|
|
|
|
|
|
.spec.containers[].securityContext.runAsNonRoot |
|
127 |
POD-019-1 |
pod-019-1-default-to-root-group |
alert |
by default GID 0 is used, which has elevated privileges |
.spec.securityContext.runAsGroup |
yes |
|
|
|
|
|
.spec.containers[].securityContext.runAsGroup |
|
128 |
POD-019-2 |
pod-019-2-use-gid-between-1k-10k-on-pod |
pass |
A GID of 1000 or above avoids running with the root group or a system group |
.spec.securityContext.runAsGroup |
yes |
|
|
|
|
|
.spec.containers[].securityContext.runAsGroup |
|
129 |
POD-019-3 |
pod-019-3-use-gid-between-1k-10k-on-container |
pass |
A GID of 1000 or above avoids running with the root group or a system group |
.spec.securityContext.runAsGroup |
yes |
|
|
|
|
|
.spec.containers[].securityContext.runAsGroup |
|
130 |
POD-019-4 |
pod-019-4-use-gid-set-in-container-takes-precedence |
pass |
in case of conflicting settings, the value on the container takes precedence |
.spec.securityContext.runAsGroup |
yes |
|
|
|
|
|
.spec.containers[].securityContext.runAsGroup |
|
131 |
POD-019-5 |
pod-019-5-use-gid-set-in-container-takes-precedence |
alert |
in case of conflicting settings, the value on the container takes precedence |
.spec.securityContext.runAsGroup |
yes |
|
|
|
|
|
.spec.containers[].securityContext.runAsGroup |
|
6 |
POD-020 |
fsGroup / supplementalGroups should be non-zero |
alert |
fsGroup or supplementalGroups containing GID 0 give the container processes the root group on mounted volumes; use a dedicated non-zero group instead. |
.spec.securityContext.fsGroup |
no |
|
|
|
|
|
.spec.securityContext.supplementalGroups[] |
|
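POD-016 through POD-020 are one precedence rule applied to three fields: a value in the container's securityContext overrides the same field in the pod's securityContext, and an unset runAsUser with no runAsNonRoot: true means the image default (usually root) applies. The following is an added example, not the catalog's code, that computes the effective user and group per container and then applies the root, system-account and GID 0 checks; it uses the catalog's threshold of 1000 for system accounts and also covers initContainers. The pod is constructed for the example.

```python
NON_SYSTEM_ID = 1000  # catalog threshold: UIDs/GIDs below this are reserved for system accounts


def effective_run_as(pod):
    """Per container: runAsUser/runAsGroup/runAsNonRoot, container securityContext overriding the pod's."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    effective = {}
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        csc = container.get("securityContext") or {}
        effective[container["name"]] = {
            field: csc[field] if field in csc else pod_sc.get(field)
            for field in ("runAsUser", "runAsGroup", "runAsNonRoot")
        }
    return effective


def check_run_as(pod):
    """POD-016 through POD-020 for one pod."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext")
    if pod_sc is None:
        findings.append(("POD-016", "no pod-level securityContext"))
    pod_sc = pod_sc or {}
    for name, eff in effective_run_as(pod).items():
        uid, gid, non_root = eff["runAsUser"], eff["runAsGroup"], eff["runAsNonRoot"]
        if uid == 0:
            # runAsNonRoot: true together with UID 0 is the pod-017-9 case: the kubelet
            # refuses to start the container because the two settings contradict each other.
            contradiction = " and contradicts runAsNonRoot: true" if non_root else ""
            findings.append(("POD-017", f"{name}: runs as UID 0{contradiction}"))
        elif uid is None and non_root is not True:
            findings.append(("POD-017", f"{name}: no runAsUser and no runAsNonRoot, image default applies"))
        elif uid is not None and uid < NON_SYSTEM_ID:
            findings.append(("POD-018", f"{name}: UID {uid} is a system account"))
        if gid is None or gid == 0:
            findings.append(("POD-019", f"{name}: primary group is GID 0"))
        elif gid < NON_SYSTEM_ID:
            findings.append(("POD-019", f"{name}: GID {gid} is a system group"))
    if pod_sc.get("fsGroup") == 0 or 0 in (pod_sc.get("supplementalGroups") or []):
        findings.append(("POD-020", "fsGroup / supplementalGroups include GID 0"))
    return findings


# Constructed sample (not from a real cluster): pod-level root, one container fixing it,
# one inheriting it, one asserting runAsNonRoot while still inheriting UID 0.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "app"},
    "spec": {
        "securityContext": {"runAsUser": 0, "fsGroup": 0},
        "containers": [
            {"name": "api", "image": "example/api",
             "securityContext": {"runAsUser": 10001, "runAsGroup": 10001}},
            {"name": "sidecar", "image": "example/sidecar"},
            {"name": "auditor", "image": "example/auditor",
             "securityContext": {"runAsNonRoot": True}},
        ],
    },
}


def scan(pod=SAMPLE_POD):
    """Return the rule ids that fire, in container order."""
    return [rule for rule, _ in check_run_as(pod)]
```

Here api is the pod-018-4 pass case (container UID 10001 beats the pod's 0), sidecar inherits UID 0 and GID 0, and auditor shows why runAsNonRoot alone is not enough when a pod-level runAsUser: 0 is present: the container is reported as root and would in fact be refused by the kubelet.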
132 |
POD-021-0 |
pod-021-0-using-sysctl-kernel.shm-rmid-forced |
alert |
Setting sysctls from the pod spec changes kernel parameters; sysctls not on the kubelet's safe list are rejected unless explicitly allowed with --allowed-unsafe-sysctls, and every sysctl set here should be justified by the workload. |
.spec.securityContext.sysctls[] |
yes |
133 |
POD-021-1 |
pod-021-1-using-sysctl-net.ipv4.tcp-keepalive-time |
alert |
Setting sysctls from the pod spec changes kernel parameters; sysctls not on the kubelet's safe list are rejected unless explicitly allowed with --allowed-unsafe-sysctls, and every sysctl set here should be justified by the workload. |
.spec.securityContext.sysctls[] |
yes |
134 |
POD-021-2 |
pod-021-2-using-sysctl-net.ipv4.tcp-keepalive-probes |
alert |
Setting sysctls from the pod spec changes kernel parameters; sysctls not on the kubelet's safe list are rejected unless explicitly allowed with --allowed-unsafe-sysctls, and every sysctl set here should be justified by the workload. |
.spec.securityContext.sysctls[] |
yes |
135 |
POD-022-1 |
pod-022-1-linux-is-not-hardened |
alert |
Not hardening a linux system can increase the impact of a compromise |
.metadata.annotations |
yes |
|
|
|
|
|
.metadata.annotations.container.apparmor.security.beta.kubernetes.io |
|
|
|
|
|
|
.metadata.annotations[container.apparmor.security.beta.kubernetes.io] |
|
|
|
|
|
|
.spec.securityContext.seccompProfile |
|
|
|
|
|
|
.spec.securityContext.seLinuxOptions |
|
|
|
|
|
|
.spec.containers[].securityContext.seccompProfile |
|
|
|
|
|
|
.spec.containers[].securityContext.seLinuxOptions |
|
136 |
POD-022-2 |
pod-022-2-one-approach-to-hardening-linux-is-enough |
pass |
Not hardening a linux system can increase the impact of a compromise |
.metadata.annotations |
yes |
|
|
|
|
|
.metadata.annotations.container.apparmor.security.beta.kubernetes.io |
|
|
|
|
|
|
.metadata.annotations[container.apparmor.security.beta.kubernetes.io] |
|
|
|
|
|
|
.spec.securityContext.seccompProfile |
|
|
|
|
|
|
.spec.securityContext.seLinuxOptions |
|
|
|
|
|
|
.spec.containers[].securityContext.seccompProfile |
|
|
|
|
|
|
.spec.containers[].securityContext.seLinuxOptions |
|
137 |
POD-022-3 |
pod-022-3-one-approach-to-hardening-linux-is-enough |
pass |
Not hardening a linux system can increase the impact of a compromise |
.metadata.annotations |
yes |
|
|
|
|
|
.metadata.annotations.container.apparmor.security.beta.kubernetes.io |
|
|
|
|
|
|
.metadata.annotations[container.apparmor.security.beta.kubernetes.io] |
|
|
|
|
|
|
.spec.securityContext.seccompProfile |
|
|
|
|
|
|
.spec.securityContext.seLinuxOptions |
|
|
|
|
|
|
.spec.containers[].securityContext.seccompProfile |
|
|
|
|
|
|
.spec.containers[].securityContext.seLinuxOptions |
|
138 |
POD-023 |
pod-023-no-seccomp-profile-defined |
alert |
not providing a seccomp profile allows a process more capabilities than necessary |
.metadata.annotations |
yes |
|
|
|
|
|
.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod |
|
|
|
|
|
|
.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod] |
|
|
|
|
|
|
.spec.securityContext.seccompProfile |
|
|
|
|
|
|
.spec.containers[].securityContext.seccompProfile |
|
139 |
POD-024-0 |
pod-024-0-usage-of-bin-bash-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
140 |
POD-024-1 |
pod-024-1-usage-of-sbin-sh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
141 |
POD-024-2 |
pod-024-2-usage-of-bin-ksh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
142 |
POD-024-3 |
pod-024-3-usage-of-bin-tcsh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
143 |
POD-024-4 |
pod-024-4-usage-of-bin-zsh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
144 |
POD-024-5 |
pod-024-5-usage-of-usr-bin-scsh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
145 |
POD-024-6 |
pod-024-6-usage-of-bin-csh-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
146 |
POD-024-7 |
pod-024-7-usage-of-bin-busybox-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
147 |
POD-024-8 |
pod-024-8-usage-of-usr-bin-busybox-in-container |
alert |
Attackers who can run a cmd/bash script inside a container can use it to execute malicious code |
.spec.containers[].command |
yes |
148 |
POD-025 |
pod-025-sensitive-key-referenced-in-environment-variable |
alert |
Attackers can retrieve and use sensitive information provided via environment variables |
.spec.containers[].env[].name |
yes |
8 |
POD-026 |
dont map privileged port into container |
alert |
Container ports below 1024 require CAP_NET_BIND_SERVICE (or a root user) to bind, which prevents dropping that capability; serve on an unprivileged port and map it in the Service instead. |
.spec.containers[].ports[].containerPort |
no |
7 |
POD-026 |
Check SSH server running inside container |
alert |
SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH. |
.spec.containers[].ports[].containerPort |
no |
9 |
POD-027 |
Container is running with multiple open ports |
alert |
Having too many open ports increases the attack surface of the application and the container |
.spec.containers[].ports[].containerPort |
no |
10 |
POD-028 |
don't use unsafe proc mounts |
alert |
procMount: Unmasked removes the masking of sensitive /proc paths that the runtime applies by default and is only meaningful for running nested containers; keep the Default value. |
.spec.containers[].securityContext.procMount |
no |
155 |
POD-030 |
pod-030-no-securitycontext-defined |
alert |
Not providing a securityContext leads to the use of too permissive settings for the containers |
.spec.containers[].securityContext |
yes |
156 |
POD-031-1 |
pod-031-1-allowed-privilege-escalation-by-default |
alert |
allowPrivilegeEscalation controls whether a process can gain more privileges than its parent (it sets the no_new_privs flag when false); it defaults to true when unset, so set it to false explicitly and grant any extra privileges only through the capabilities settings. |
.spec.containers[].securityContext.allowPrivilegeEscalation |
yes |
157 |
POD-031-2 |
pod-031-2-allowed-privilege-escalation-explicitly |
alert |
allowPrivilegeEscalation: true lets setuid binaries and file capabilities raise the process's privileges beyond those of the container's entrypoint; set it to false and grant any extra privileges only through the capabilities settings. |
.spec.containers[].securityContext.allowPrivilegeEscalation |
yes |
158 |
POD-032-1 |
pod-032-1-non-privileged-container-by-default |
pass |
Changing the privileged flag is optional as it defaults to False |
.spec.containers[].securityContext.privileged |
yes |
159 |
POD-032-2 |
pod-032-2-privileged-container |
alert |
Privileged containers can do almost every action that can be performed directly on the host. |
.spec.containers[].securityContext.privileged |
yes |
|
|
|
|
|
.spec.containers[].securityContext.allowPrivilegeEscalation |
|
160 |
POD-033-1 |
pod-033-1-root-fs-is-writeable-by-default |
alert |
A read-only root filesystem prevents an attacker from persisting changes (dropped binaries, modified configuration) inside the container; paths that must be writable should be explicit emptyDir or volume mounts. |
.spec.containers[].securityContext.readOnlyRootFilesystem |
yes |
161 |
POD-033-2 |
pod-033-2-root-fs-is-explicitly-writeable |
alert |
A read-only root filesystem prevents an attacker from persisting changes (dropped binaries, modified configuration) inside the container; paths that must be writable should be explicit emptyDir or volume mounts. |
.spec.containers[].securityContext.readOnlyRootFilesystem |
yes |
162 |
POD-034-1 |
pod-034-1-using-dangerous-capability-all |
alert |
Dangerous capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
163 |
POD-034-2 |
pod-034-2-using-dangerous-capability-sys-admin |
alert |
Dangerous capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
164 |
POD-034-3 |
pod-034-3-using-dangerous-capability-net-admin |
alert |
Dangerous capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
165 |
POD-035-1 |
pod-035-1-using-insecure-capability-audit-write |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
174 |
POD-035-10 |
pod-035-10-using-insecure-capability-mknod |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
175 |
POD-035-11 |
pod-035-11-using-insecure-capability-net-bind-service |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
176 |
POD-035-12 |
pod-035-12-using-insecure-capability-net-raw |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
177 |
POD-035-13 |
pod-035-13-using-insecure-capability-perfmon |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
178 |
POD-035-14 |
pod-035-14-using-insecure-capability-setfcap |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
179 |
POD-035-15 |
pod-035-15-using-insecure-capability-setgid |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
180 |
POD-035-16 |
pod-035-16-using-insecure-capability-setpcap |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
181 |
POD-035-17 |
pod-035-17-using-insecure-capability-setuid |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
182 |
POD-035-18 |
pod-035-18-using-insecure-capability-sys-boot |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
183 |
POD-035-19 |
pod-035-19-using-insecure-capability-sys-chroot |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
166 |
POD-035-2 |
pod-035-2-using-insecure-capability-bpf |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
184 |
POD-035-20 |
pod-035-20-using-insecure-capability-sys-module |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
185 |
POD-035-21 |
pod-035-21-using-insecure-capability-sys-rawio |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
186 |
POD-035-22 |
pod-035-22-using-insecure-capability-sys-ptrace |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
167 |
POD-035-3 |
pod-035-3-using-insecure-capability-chown |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
168 |
POD-035-4 |
pod-035-4-using-insecure-capability-dac-overrides |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
169 |
POD-035-5 |
pod-035-5-using-insecure-capability-fowner |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
170 |
POD-035-6 |
pod-035-6-using-insecure-capability-fsetid |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
171 |
POD-035-7 |
pod-035-7-using-insecure-capability-kill |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
172 |
POD-035-8 |
pod-035-8-using-insecure-capability-mac-override |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
173 |
POD-035-9 |
pod-035-9-using-insecure-capability-mac-admin |
alert |
Insecure capabilities can increase the impact of a container compromise |
.spec.containers[].securityContext.capabilities |
yes |
187 |
POD-036 |
pod-036-keep-default-capabilities |
alert |
When not dropping all capabilities the container gets the capabilities defined by the container runtime, which is often fairly generous and does not adhere to principle of least privilege |
.spec.containers[].securityContext.capabilities.drop |
yes |
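POD-028 and POD-030 through POD-036 are checks on a single container's securityContext, and POD-008 through POD-012 are the host-isolation fields on the pod. The following is an added example, not the catalog's code, that applies them to one pod: it normalises capability spelling (net_admin, NET_ADMIN and CAP_NET_ADMIN are the same capability), distinguishes "unset" from "explicitly true" for allowPrivilegeEscalation and readOnlyRootFilesystem as the catalog's -1/-2 variants do, and requires drop: [ALL]. The capability lists are the catalog's own; the pod is constructed for the example.

```python
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN"}                                   # POD-034
INSECURE_CAPS = {"AUDIT_WRITE", "BPF", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID",  # POD-035
                 "KILL", "MAC_OVERRIDE", "MAC_ADMIN", "MKNOD", "NET_BIND_SERVICE",
                 "NET_RAW", "PERFMON", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
                 "SYS_BOOT", "SYS_CHROOT", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE"}


def normalize_cap(cap):
    """Compare 'net_admin', 'NET_ADMIN' and 'CAP_NET_ADMIN' in one canonical form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_container(container):
    """POD-028 and POD-030 through POD-036 for one container spec."""
    findings = []
    name = container["name"]
    sc = container.get("securityContext")
    if sc is None:
        findings.append(("POD-030", f"{name}: no securityContext"))
    sc = sc or {}
    if sc.get("privileged"):
        findings.append(("POD-032-2", f"{name}: privileged container"))
    ape = sc.get("allowPrivilegeEscalation")
    if ape is None:
        findings.append(("POD-031-1", f"{name}: allowPrivilegeEscalation unset, defaults to true"))
    elif ape:
        findings.append(("POD-031-2", f"{name}: allowPrivilegeEscalation explicitly true"))
    rofs = sc.get("readOnlyRootFilesystem")
    if rofs is None:
        findings.append(("POD-033-1", f"{name}: root filesystem writable by default"))
    elif not rofs:
        findings.append(("POD-033-2", f"{name}: root filesystem explicitly writable"))
    caps = sc.get("capabilities") or {}
    added = {normalize_cap(c) for c in caps.get("add") or []}
    dropped = {normalize_cap(c) for c in caps.get("drop") or []}
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(("POD-034", f"{name}: adds dangerous capability {cap}"))
    for cap in sorted(added & INSECURE_CAPS):
        findings.append(("POD-035", f"{name}: adds insecure capability {cap}"))
    if "ALL" not in dropped:
        findings.append(("POD-036", f"{name}: does not drop ALL capabilities, runtime defaults apply"))
    if sc.get("procMount", "Default") != "Default":
        findings.append(("POD-028", f"{name}: procMount {sc['procMount']} exposes masked /proc paths"))
    return findings


def check_host_isolation(pod):
    """POD-008 through POD-012: host namespaces, host ports and /etc/hosts overrides."""
    findings = []
    spec = pod["spec"]
    for field, rule in (("hostPID", "POD-008-2"), ("hostIPC", "POD-009-2"), ("hostNetwork", "POD-010-2")):
        if spec.get(field):
            findings.append((rule, f"{field} is true"))
    for container in spec.get("containers") or []:
        for port in container.get("ports") or []:
            if "hostPort" in port:
                findings.append(("POD-011", f"{container['name']}: hostPort {port['hostPort']} binds on the node"))
    if spec.get("hostAliases"):
        findings.append(("POD-012", "hostAliases rewrite the pod's /etc/hosts"))
    return findings


# Constructed sample (not from a real cluster): one hardened and one debug container.
SAMPLE_POD = {
    "metadata": {"name": "net-tool", "namespace": "app"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "hardened", "image": "example/app",
             "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
            {"name": "debug", "image": "example/debug",
             "ports": [{"containerPort": 8080, "hostPort": 8080}],
             "securityContext": {"privileged": True, "capabilities": {"add": ["cap_sys_admin", "net_raw"]}}},
        ],
    },
}


def scan(pod=SAMPLE_POD):
    """Return the rule ids that fire: pod-level host isolation first, then each container."""
    findings = check_host_isolation(pod) + [f for c in pod["spec"]["containers"] for f in check_container(c)]
    return [rule for rule, _ in findings]
```

The hardened container still triggers POD-035 for NET_BIND_SERVICE because the catalog lists it as insecure; the restricted Pod Security Standard allows exactly that one capability to be added after drop: [ALL], so a practitioner will usually accept that single finding rather than bind below port 1024 another way.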
200 |
POD-042-1 |
pod-042-1-volume-with-read-only-hostpath |
pass |
using hostPath is not ideal but can be tolerated when it's read-only |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
201 |
POD-042-2 |
pod-042-2-volume-with-writeable-hostpath |
alert |
Attackers can use a writable hostpath to gain persistence on underlying host system |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
202 |
POD-042-3 |
pod-042-3-volume-with-writeable-hostpath-by-default |
alert |
Attackers can use a writable hostpath to gain persistence on underlying host system |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
203 |
POD-043-1 |
pod-043-1-mount-azure-cloud-credentials |
alert |
Mounting the node's cloud-provider credential file via hostPath (on AKS nodes this is /etc/kubernetes/azure.json, which holds the service principal the node uses) lets a container read those credentials and act against the cloud subscription. |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
204 |
POD-044-1 |
pod-044-1-mounting-docker-socket |
alert |
Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands. |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
205 |
POD-044-2 |
pod-044-2-mounting-docker-directory |
alert |
Mounting the Docker data directory (/var/lib/docker) exposes every container's image layers and writable filesystem on the node, including anything other containers have written to disk. |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
206 |
POD-045 |
pod-045-containing-cve-2021-25741 |
alert |
A user may be able to create a container with subPath or subPathExpr volume mounts to access files & directories anywhere on the host filesystem. Following Kubernetes versions are affected: v1.22.0-v1.22.1, v1.21.0-v1.21.4, v1.20.0-v1.20.10, <v1.19.14 |
.spec.volumes[] |
yes |
|
|
|
|
|
.spec.volumes[].hostPath |
|
|
|
|
|
|
.spec.volumes[].hostPath.path |
|
|
|
|
|
|
.spec.containers[].volumeMounts[] |
|
11 |
POD-047 |
Container is running with shared mount propagation |
alert |
Bidirectional mount propagation lets mounts created inside the container appear on the host (and requires a privileged container); HostToContainer is the safer direction when host mounts merely need to be visible. |
.spec.containers[].volumeMounts[].mountPropagation |
no |
12 |
POD-048 |
dont use disallowed volume types |
alert |
usage of non-ephemeral volume-types should be limited to those defined through PersistentVolumes |
.spec.volumes[] |
no |
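The volume rules POD-042 through POD-048 share one piece of logic: join each volume to the volumeMounts that reference it, decide whether the mount is read-only (explicit true, explicit false, or unset), and compare the hostPath against known dangerous locations in both directions, since mounting /var/run exposes docker.sock just as surely as mounting the socket itself. The following is an added example, not the catalog's code, that implements that. The Docker paths are the catalog's own; the AKS credential file /etc/kubernetes/azure.json is an assumption of this example for POD-043-1, and the allowed volume-type set is one reading of POD-048. The pod is constructed for the example.

```python
import posixpath

DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")   # POD-044-1
DOCKER_DIR = "/var/lib/docker"                                   # POD-044-2
# POD-043-1: node cloud-provider credential file. The AKS location is an assumption
# of this example, not a path listed in the catalog.
CLOUD_CREDENTIAL_FILES = ("/etc/kubernetes/azure.json",)
# POD-048: ephemeral or PVC-backed volume types; everything else (hostPath included) is reported.
ALLOWED_VOLUME_TYPES = {"configMap", "secret", "emptyDir", "downwardAPI", "projected",
                        "persistentVolumeClaim", "ephemeral"}


def under(path, root):
    """True if host path `path` is `root` itself or lies below it ('/' contains everything)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return root == "/" or path == root or path.startswith(root + "/")


def overlaps(host_path, target):
    """The mounted directory contains the target, or the mounted path is inside the target."""
    return under(target, host_path) or under(host_path, target)


def volume_mounts(pod, volume_name):
    """All (container name, volumeMount) pairs that reference the named volume."""
    return [(c["name"], m) for c in pod["spec"].get("containers") or []
            for m in c.get("volumeMounts") or [] if m.get("name") == volume_name]


def check_volumes(pod):
    """POD-042 through POD-045, POD-047 and POD-048 for one pod."""
    findings = []
    for vol in pod["spec"].get("volumes") or []:
        vtype = next((k for k in vol if k != "name"), None)
        mounts = volume_mounts(pod, vol["name"])
        if vtype not in ALLOWED_VOLUME_TYPES:
            findings.append(("POD-048", f"volume {vol['name']}: type {vtype} is not allowed"))
        for cname, mount in mounts:
            if "subPath" in mount or "subPathExpr" in mount:
                findings.append(("POD-045", f"{cname}:{mount.get('mountPath')}: subPath mount (CVE-2021-25741 on unpatched kubelets)"))
        if vtype != "hostPath":
            continue
        host_path = vol["hostPath"].get("path", "")
        for cname, mount in mounts:
            where = f"{cname}:{mount.get('mountPath')}"
            if mount.get("readOnly") is True:
                findings.append(("POD-042-1", f"{where}: read-only hostPath {host_path}"))
            elif "readOnly" in mount:
                findings.append(("POD-042-2", f"{where}: hostPath {host_path} explicitly writable"))
            else:
                findings.append(("POD-042-3", f"{where}: hostPath {host_path} writable by default"))
            if mount.get("mountPropagation") == "Bidirectional":
                findings.append(("POD-047", f"{where}: Bidirectional propagation pushes mounts back to the host"))
        if any(overlaps(host_path, s) for s in DOCKER_SOCKETS):
            findings.append(("POD-044-1", f"volume {vol['name']}: exposes the Docker socket"))
        elif overlaps(host_path, DOCKER_DIR):
            findings.append(("POD-044-2", f"volume {vol['name']}: exposes the Docker data directory"))
        if any(overlaps(host_path, f) for f in CLOUD_CREDENTIAL_FILES):
            findings.append(("POD-043-1", f"volume {vol['name']}: exposes node cloud credentials"))
    return findings


# Constructed sample (not from a real cluster): a node agent with four volumes.
SAMPLE_POD = {
    "metadata": {"name": "node-agent", "namespace": "monitoring"},
    "spec": {
        "containers": [{"name": "agent", "image": "example/agent",
                        "volumeMounts": [
                            {"name": "docker", "mountPath": "/var/run/docker.sock"},
                            {"name": "cloud", "mountPath": "/etc/kubernetes", "readOnly": True},
                            {"name": "host-root", "mountPath": "/host", "readOnly": False,
                             "mountPropagation": "Bidirectional"},
                            {"name": "scratch", "mountPath": "/tmp/scratch", "subPath": "cache"}]}],
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}},
                    {"name": "cloud", "hostPath": {"path": "/etc/kubernetes"}},
                    {"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "scratch", "emptyDir": {}}],
    },
}


def scan(pod=SAMPLE_POD):
    """Return the rule ids that fire, volume by volume."""
    return [rule for rule, _ in check_volumes(pod)]
```

Mounting the whole host filesystem under /host is reported for the socket and for the credential file as well as for the writable, bidirectional mount, which is the point of the containment check: an attacker does not need the exact path, only a parent of it. A read-only mount of /etc/kubernetes still surfaces POD-043-1, since read access is all that is needed to steal the credentials.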
9 |
PSA-001 |
psa-001-no-pod-security-admission-label-configured |
alert |
at least the baseline PodSecurity level should be used for the namespace |
Namespace.metadata.labels.pod-security.kubernetes.io |
yes |
10 |
PSA-002 |
psa-002-using-privileged-privilegedpodsecurity-level-is-insecur |
alert |
Privileged pod security level imposes no restrictions and may allow for known privilege escalations |
Namespace.metadata.labels.pod-security.kubernetes.io |
yes |
11 |
PSA-003 |
psa-003-just-warning-about-violations-of-the-pod-security-stand |
alert |
When only warnings for violations are generated insecure workloads can still be deployed |
Namespace.metadata.labels.pod-security.kubernetes.io |
yes |
12 | RBAC-001-1 | rbac-001-1-use-cluster-admin-role | alert | The role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed | RoleBinding.roleRef.name, ClusterRoleBinding.roleRef.name, .roleRef.name | yes |
44 | RBAC-001-2 | rbac-001-2-use-cluster-admin-role-cluster-wide | alert | The role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed | RoleBinding.roleRef.name, ClusterRoleBinding.roleRef.name, .roleRef.name | yes |
13 | RBAC-002-1 | rbac-002-1-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
14 | RBAC-002-2 | rbac-002-2-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
15 | RBAC-002-3 | rbac-002-3-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
45 | RBAC-002-4 | rbac-002-4-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
46 | RBAC-002-5 | rbac-002-5-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
47 | RBAC-002-6 | rbac-002-6-read-access-to-secrets | alert | Attackers who have permissions to retrieve the secrets can access sensitive information | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
16 | RBAC-003-1 | rbac-003-1-role-use-resource-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
48 | RBAC-003-2 | rbac-003-2-cluster-role-use-resource-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
17 | RBAC-003-3 | rbac-003-3-role-use-verb-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
49 | RBAC-003-4 | rbac-003-4-cluster-role-use-verb-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
18 | RBAC-003-5 | rbac-003-5-role-use-verb-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
50 | RBAC-003-6 | rbac-003-6-cluster-role-use-verb-wildcard | alert | Allowing wildcards violates the principle of least privilege | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
19 | RBAC-004-1 | rbac-004-1-role-creates-pods | alert | The ability to create pods in a cluster opens up possibilities for privilege escalation | ClusterRole.rules[].verbs, ClusterRole.rules[].resources, Role.rules[].verbs, Role.rules[].resources, .rules[].verbs, .rules[].resources | yes |
51 | RBAC-004-2 | rbac-004-2-cluster-role-creates-pods | alert | The ability to create pods in a cluster opens up possibilities for privilege escalation | ClusterRole.rules[].verbs, ClusterRole.rules[].resources, Role.rules[].verbs, Role.rules[].resources, .rules[].verbs, .rules[].resources | yes |
20 | RBAC-005-1 | rbac-005-1-role-attaches-to-pods | alert | Allowing roles to attach to pods can be dangerous | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
52 | RBAC-005-2 | rbac-005-2-cluster-role-attaches-to-pods | alert | Allowing roles to attach to pods can be dangerous | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
21 | RBAC-006-1 | rbac-006-1-role-exec-into-pods | alert | Attackers can run malicious commands in containers in the cluster using the exec command | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
53 | RBAC-006-2 | rbac-006-2-cluster-role-exec-into-pods | alert | Attackers can run malicious commands in containers in the cluster using the exec command | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
22 | RBAC-007-1 | rbac-007-1-role-binds-default-serviceaccount | alert | The default serviceaccount should never be actively used | ClusterRoleBinding.subjects[].name, RoleBinding.subjects[].name, .subjects[].name | yes |
54 | RBAC-007-2 | rbac-007-2-cluster-role-binds-default-serviceaccount | alert | The default serviceaccount should never be actively used | ClusterRoleBinding.subjects[].name, RoleBinding.subjects[].name, .subjects[].name | yes |
23 | RBAC-008-1 | rbac-008-1-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
24 | RBAC-008-2 | rbac-008-2-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
25 | RBAC-008-3 | rbac-008-3-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
55 | RBAC-008-4 | rbac-008-4-cluster-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
56 | RBAC-008-5 | rbac-008-5-cluster-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
57 | RBAC-008-6 | rbac-008-6-cluster-role-port-forward-pods | alert | Attackers can open a backdoor communication channel directly to the sockets inside the target container, bypassing network security restrictions | ClusterRole.rules[].resources, Role.rules[].resources, .rules[].resources | yes |
26 | RBAC-009-1 | rbac-009-1-role-impersonation | alert | The impersonate privilege allows a subject to impersonate other users, gaining their rights to the cluster | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
58 | RBAC-009-2 | rbac-009-2-cluster-role-impersonation | alert | The impersonate privilege allows a subject to impersonate other users, gaining their rights to the cluster | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
27 | RBAC-010-1 | rbac-010-1-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
28 | RBAC-010-2 | rbac-010-2-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
29 | RBAC-010-3 | rbac-010-3-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
30 | RBAC-010-4 | rbac-010-4-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
59 | RBAC-010-5 | rbac-010-5-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
60 | RBAC-010-6 | rbac-010-6-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
61 | RBAC-010-7 | rbac-010-7-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
62 | RBAC-010-8 | rbac-010-8-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
0 | RBAC-011 | minimize subjects per namespace | alert | A significant number of subjects having access to a namespace might be a potential security risk | | no |
35 | RBAC-012-1 | rbac-012-1-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
36 | RBAC-012-2 | rbac-012-2-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
37 | RBAC-012-3 | rbac-012-3-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
67 | RBAC-012-4 | rbac-012-4-cluster-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
68 | RBAC-012-5 | rbac-012-5-cluster-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
69 | RBAC-012-6 | rbac-012-6-cluster-role-info-disclosure | alert | Attackers can use disclosed information to plan their next steps | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
38 | RBAC-013-1 | rbac-013-1-role-destructive | alert | Attackers can use destructive permissions to destroy data and resources | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
39 | RBAC-013-2 | rbac-013-2-role-destructive | alert | Attackers can use destructive permissions to destroy data and resources | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
70 | RBAC-013-3 | rbac-013-3-cluster-role-destructive | alert | Attackers can use destructive permissions to destroy data and resources | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
71 | RBAC-013-4 | rbac-013-4-cluster-role-destructive | alert | Attackers can use destructive permissions to destroy data and resources | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
40 | RBAC-014-1 | rbac-014-1-role-event-deletion | alert | Attackers may want to delete events in an attempt to avoid detection of their activity | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
41 | RBAC-014-2 | rbac-014-2-role-event-deletion | alert | Attackers may want to delete events in an attempt to avoid detection of their activity | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
72 | RBAC-014-3 | rbac-014-3-cluster-role-event-deletion | alert | Attackers may want to delete events in an attempt to avoid detection of their activity | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
73 | RBAC-014-4 | rbac-014-4-cluster-role-event-deletion | alert | Attackers may want to delete events in an attempt to avoid detection of their activity | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
42 | RBAC-015-1 | rbac-015-1-role-core-dns-poisoning | alert | An attacker can poison the DNS server if they can modify the configuration of the CoreDNS server | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
43 | RBAC-015-2 | rbac-015-2-role-core-dns-poisoning | alert | An attacker can poison the DNS server if they can modify the configuration of the CoreDNS server | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
74 | RBAC-015-3 | rbac-015-3-cluster-role-core-dns-poisoning | alert | An attacker can poison the DNS server if they can modify the configuration of the CoreDNS server | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
75 | RBAC-015-4 | rbac-015-4-cluster-role-core-dns-poisoning | alert | An attacker can poison the DNS server if they can modify the configuration of the CoreDNS server | ClusterRole.rules[].verbs, Role.rules[].verbs, .rules[].verbs | yes |
76 | RBAC-016 | rbac-016-serviceaccount-without-binding | alert | All service accounts should be bound to roles | None | yes |
77 | RBAC-017 | rbac-017-too-many-roles-per-subject | alert | | None | yes |
1 | RBAC-018 | Role that grants permissions to a system-reserved namespace | alert | A role was found that grants permissions over a system-reserved namespace (either default or kube-system) | | no |
2 | RBAC-019 | Avoid use of system:masters group | alert | The system:masters group has unrestricted access to the Kubernetes API hard-coded into the API server source code. An authenticated user who is a member of this group cannot have their access reduced, even if all bindings and cluster role bindings which mention it are removed. | ClusterRole.rules[].verbs, Role.rules[].verbs | no |
31 | RBAC-020-1 | rbac-020-1-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
32 | RBAC-020-2 | rbac-020-2-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
33 | RBAC-020-3 | rbac-020-3-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
34 | RBAC-020-4 | rbac-020-4-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
63 | RBAC-020-5 | rbac-020-5-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
64 | RBAC-020-6 | rbac-020-6-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
65 | RBAC-020-7 | rbac-020-7-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
66 | RBAC-020-8 | rbac-020-8-cluster-role-manages-rbac | alert | Attackers can escalate privileges if they can update roles | ClusterRole.rules[].resources, ClusterRole.rules[].verbs, Role.rules[].resources, Role.rules[].verbs, .rules[].resources, .rules[].verbs | yes |
100 | REL-001 | rel-001-no-readinessprobe | alert | Configuring a readinessProbe is recommended, as it is intended to ensure that the workload is ready to process network traffic | .spec.containers[].readinessProbe | yes |
101 | REL-002 | rel-002-no-livenessprobe | alert | Configuring a livenessProbe is recommended, as it is intended to ensure that the workload remains healthy during its entire execution lifecycle, or otherwise restart the container. | .spec.containers[].livenessProbe | yes |
99 | REL-003 | rel-003-no-priorityclass | alert | Pods with high-risk workloads can be assigned higher PriorityClasses to ensure reliability | .spec.priorityClassName | yes |
96 | REL-004-1 | rel-004-1-no-node-selection-specified | alert | Pods with high-risk workloads can be assigned to a specific node to separate them from other workloads | .spec.nodeSelector, .spec.affinity.nodeAffinity | yes |
97 | REL-004-2 | rel-004-2-only-nodeaffinity-is-enough | pass | Pods with high-risk workloads can be assigned to a specific node to separate them from other workloads | .spec.nodeSelector, .spec.affinity.nodeAffinity | yes |
98 | REL-004-3 | rel-004-3-only-nodeselector-is-enough | pass | Pods with high-risk workloads can be assigned to a specific node to separate them from other workloads | .spec.nodeSelector, .spec.affinity.nodeAffinity | yes |
188 | RES-001-1 | res-001-1-default-memory-requests-from-namespace | pass | Not setting default memory requests can lead to problems upon admission | .spec.containers[].resources.requests.memory | yes |
189 | RES-001-2 | res-001-2-no-memory-requests | alert | Not setting memory requests can lead to problems upon admission | .spec.containers[].resources.requests.memory | yes |
190 | RES-002-1 | res-002-1-default-memory-limits-from-namespace | pass | Not setting a memory limit can lead to the pod starving the node by using all available memory | .spec.containers[].resources.limits.memory | yes |
191 | RES-002-2 | res-002-2-no-memory-limits | alert | Not setting a memory limit can lead to the pod starving the node by using all available memory | .spec.containers[].resources.limits.memory | yes |
192 | RES-003-1 | res-003-1-default-cpu-requests-from-namespace | pass | Not setting default CPU requests can lead to problems upon admission | .spec.containers[].resources.requests.cpu | yes |
193 | RES-003-2 | res-003-2-no-cpu-requests | alert | Not setting CPU requests can lead to problems upon admission | .spec.containers[].resources.requests.cpu | yes |
194 | RES-004-1 | res-004-1-default-cpu-limits-from-namespace | pass | Not setting a CPU limit can lead to the pod starving the node by using all available CPU | .spec.containers[].resources.limits.cpu | yes |
195 | RES-004-2 | res-004-2-no-cpu-limits | alert | Not setting a CPU limit can lead to the pod starving the node by using all available CPU | .spec.containers[].resources.limits.cpu | yes |
196 | RES-005-1 | res-005-1-default-ephemeral-storage-requests-from-namespace | pass | Not setting an ephemeral storage limit can starve the node by using all available storage | .spec.containers[].resources.requests.ephemeral-storage | yes |
197 | RES-005-2 | res-005-2-no-ephemeral-storage-requests | alert | Not setting an ephemeral storage limit can starve the node by using all available storage | .spec.containers[].resources.requests.ephemeral-storage | yes |
198 | RES-006-1 | res-006-1-default-ephemeral-storage-limits-from-namespace | pass | Not setting an ephemeral storage limit can starve the node by using all available storage | .spec.containers[].resources.limits.ephemeral-storage | yes |
199 | RES-006-2 | res-006-2-no-ephemeral-storage-limits | alert | Not setting an ephemeral storage limit can starve the node by using all available storage | .spec.containers[].resources.limits.ephemeral-storage | yes |
0 | RES-007-0 | res-007-0-no-limitrange-object-for-namespace | alert | | LimitRange.metadata.namespace, .metadata.namespace | yes |
1 | RES-007-1 | res-007-1-no-default-cpu-request-for-namespace | alert | | LimitRange.spec.limits.defaultRequest.cpu, .spec.limits.defaultRequest.cpu | yes |
2 | RES-007-2 | res-007-2-no-default-cpu-limits-for-namespace | alert | | LimitRange.spec.limits.default.cpu, .spec.limits.default.cpu | yes |
3 | RES-007-3 | res-007-3-no-cpu-limits-for-namespace | alert | | LimitRange.spec.limits.min.cpu, LimitRange.spec.limits.max.cpu, .spec.limits.min.cpu, .spec.limits.max.cpu | yes |
4 | RES-008-1 | res-008-1-no-default-memory-request-for-namespace | alert | | LimitRange.spec.limits.defaultRequest.memory, .spec.limits.defaultRequest.memory | yes |
5 | RES-008-2 | res-008-2-no-default-memory-limits-for-namespace | alert | | LimitRange.spec.limits.default.memory, .spec.limits.default.memory | yes |
6 | RES-008-3 | res-008-3-no-default-memory-limits-for-namespace | alert | | LimitRange.spec.limits.min.memory, LimitRange.spec.limits.max.memory, .spec.limits.min.memory, .spec.limits.max.memory | yes |
7 | RES-009-1 | res-009-1-no-resource-quota-applied-to-namespace | alert | | ResourceQuota.metadata.namespace, .metadata.namespace | yes |
8 | RES-009-2 | res-009-2-no-hard-quotas-defined-in-resourcequota-for-namespace | alert | | ResourceQuota.spec.hard.cpu, ResourceQuota.spec.hard.memory, ResourceQuota.spec.hard.requests.cpu, ResourceQuota.spec.hard.requests.memory, ResourceQuota.spec.hard.pods, .spec.hard.cpu, .spec.hard.memory, .spec.hard.requests.cpu, .spec.hard.requests.memory, .spec.hard.pods | yes |
149 | SC-001-1 | sc-001-1-imagepullpolicy-defaults-to-always | pass | Kubernetes may run an older version of the container image without the user knowing about this | .spec.containers[].imagePullPolicy | yes |
150 | SC-001-2 | sc-001-2-no-proper-imagepullpolicy-set | alert | Kubernetes may run an older version of the container image without the user knowing about this | .spec.containers[].imagePullPolicy | yes |
151 | SC-001-3 | sc-001-3-no-proper-imagepullpolicy-set | alert | Kubernetes may run an older version of the container image without the user knowing about this | .spec.containers[].imagePullPolicy | yes |
152 | SC-002-1 | sc-002-1-tag-instead-of-digest-is-fine | pass | Specify an explicit tag or digest to have full control over the running container image | .spec.containers[].image | yes |
153 | SC-002-2 | sc-002-2-using-latest-image-tag | alert | When using the latest image tag, the image in use can change without the user knowing about this | .spec.containers[].image | yes |
154 | SC-002-3 | sc-002-3-no-explicit-tag | alert | Kubernetes may run an older version of the container image without the user knowing about this | .spec.containers[].image | yes |
19 | SC-003 | configure image provenance using ImagePolicyWebhook admission controller | alert | As suggested by the CIS benchmark (5.5.1) | | no |
20 | SC-004 | Use trusted image registry | alert | Use a trusted repository that scans images for known vulnerabilities and misconfigurations | | no |
17 | SRV-001 | ensure all services target a pod | alert | | Service.spec.selector | no |
18 | SRV-002 | don't use NodePort | alert | NodePort services should be avoided as they are insecure and can't be used together with NetworkPolicies. Exposing a NodePort will open a port on all nodes to be reached by the cluster's external network. Using this method to expose the application is less secure and forces you to create unnecessary coupling between services in order to expose them all to external traffic. | Service.spec.type, Service.spec.ports[].nodePort | no |
84 | WL-001 | wl-001-naked-pod | alert | Pods shouldn't be deployed without a resource managing them | .metadata.ownerReferences, .kind | yes |