What K8s plugins are supported for Kubernetes?

Our scanner detects a wide range of Kubernetes misconfigurations that may weaken the security of your environment. Below is the list of misconfigurations we check for:

K8s - Ensure Access Container Service Account
K8s - Ensure Access Kubernetes Dashboard
K8s - Ensure Allow Privilege Escalation Is Disabled In Securitycontext
K8s - Ensure Anonymous User Is Not Granted Rolebinding
K8s - Ensure Api Server Insecure Port Flag Is Set To Zero
K8s - Ensure Applications Credentials In Configuration Files
K8s - Ensure Apply Security Context To Your Pods And Containers
K8s - Ensure Audit Logs Enabled
K8s - Ensure System:Authenticated User Does Not Have Elevated Roles
K8s - Ensure Automatic Mapping Of Service Account Token Is Disabled
K8s - Ensure Avoidance Of System:Masters Group Usage
K8s - Bootstrap Token Authentication Should Not Be Used For Users
K8s - Client Certificate Authentication Should Not Be Used For Users
K8s - Ensure Cluster Access Manager Api For Enhanced Access Control In Eks Clusters
K8s - Ensure Administrative Roles
K8s - Ensure Cluster Internal Networking
K8s - Ensure Workload With Configmap Access
K8s - Ensure Configured Liveness Probe
K8s - Ensure Configured Readiness Probe
K8s - Configure Image Provenance Using Imagepolicywebhook Admission Controller
K8s - Ensure Consider External Secret Storage
K8s - Ensure Consider Fargate For Running Untrusted Workloads
K8s - Ensure Container Hostport
K8s - Ensure Container Runtime Socket Not Mounted
K8s - Ensure --Coredns Configmap Update Permissions Are Restricted
K8s - Ensure Administrative Boundaries Between Resources Using Namespaces
K8s - Ensure Usage Of Subpath Or Subpathexpr Volume Mounts Is Restricted
K8s - Ensure --Allow-Snippet-Annotations-Disabled In Nginx-Ingress-Controller
K8s - Ensure Linux Kernel Version Is Patched To Mitigate CVE-2022-0185 Vulnerability
K8s - Ensure Containerd Version Is Patched for CVE-2022-23648
K8s - Ensure CVE-2022-24348-Argocddirtraversal Control Checks For Linux Kernel Version On Node Objects
K8s - Ensure Aggregated-Api-Server-Redirect Cve-2022-3172 Is Mitigated
K8s - Ensure Grafana Authentication Bypass Vulnerability Is Mitigated
K8s - Ensure Kyverno Image Signature Verification Process Is Secure
K8s - Ensure Roles With Delete Capabilities
K8s - Ensure Delete Kubernetes Events
K8s - Ensure Disable Anonymous Access To Kubelet Service --Anonymous-Auth=False
K8s - Ensure Enable Audit Logs
K8s - Ensure Persistentvolume Without Encryption
K8s - Ensure Encrypt Traffic To Https Load Balancers With Tls Certificates
K8s - Ensure Enforce Kubelet Client TLS Authentication --Client-Ca-File Flag Is Set
K8s - Ensure Clusters Are Created With Private Endpoint Enabled And Public Access Disabled
K8s - Ensure Clusters Are Created With Private Nodes
K8s - Ensure CPU Limits Are Set
K8s - Ensure CPU Requests Are Configured
K8s - Ensure Image Vulnerability Scanning With Amazon ECR or Third Party Provider
K8s - Ensure Image Vulnerability Scanning With Azure Defender Or Third Party Provider
K8s - Ensure Kubernetes Secrets Are Encrypted
K8s - Ensure Memory Limits Are Set
K8s - Ensure Memory Requests Are Configured
K8s - Ensure Network Policy Is Enabled And Configured Correctly
K8s - Ensure All Namespaces Have Network Policies Defined
K8s - Ensure Minimal Audit Policy Creation
K8s - Ensure Unique Certificate Authority For Etcd
K8s - Ensure Default Service Accounts Are Not Actively Used
K8s - Ensure Encryption Providers Are Appropriately Configured
K8s - Ensure Service Account Tokens Are Disabled For Pods And Service Accounts
K8s - Ensure Admin.Conf File Ownership Is Set To Root:Root
K8s - Ensure Admin.Conf File Permissions Are Set To 600
K8s - Ensure --Enable-Admission-Plugins Argument Does Not Include Alwaysadmit
K8s - Ensure --Enable-Admission-Plugins Argument Includes Alwayspullimages
K8s - Ensure That The Admission Control Plugin Eventratelimit Is Configured
K8s - Ensure Admission Control Plugin Namespacelifecycle Is Configured
K8s - Ensure --Enable-Admission-Plugins Argument Includes Noderestriction
K8s - Ensure --Enable-Admission-Plugins Argument Includes Securitycontextdeny If Podsecuritypolicy Is Not Used
K8s - Ensure Serviceaccount Is Configured For Admission Control Plugin
K8s - Ensure That The --Anonymous-Auth Argument Is Set To False
K8s - Ensure That The Api Server --Anonymous-Auth Argument Is Set To False
K8s - Ensure That The Api Server --Audit-Log-Maxage Argument Is Set To 30 Or As Appropriate
K8s - Ensure --Audit-Log-Maxbackup Argument for the API Server is Set To 10 Or Appropriate
K8s - Ensure --Audit-Log-Maxsize Argument For The API Server Is Set To 100 Or Appropriate
K8s - Ensure That The Api Server --Audit-Log-Path Argument Is Configured
K8s - Ensure That The Api Server --Authorization-Mode Argument Includes Node
K8s - Ensure That The Api Server --Authorization-Mode Argument Includes Rbac
K8s - Ensure That The Api Server --Authorization-Mode Argument Is Not Set To Alwaysallow
K8s - Ensure That The Api Server --Client-Ca-File Argument Is Configured Properly
K8s - Ensure That The Api Server --Denyserviceexternalips Is Disabled
K8s - Ensure That The Api Server --Denyserviceexternalips Is Enabled
K8s - Ensure That The Api Server --Encryption-Provider-Config Argument Is Configured Properly
K8s - Ensure That The Api Server --Etcd-Cafile Argument Is Configured Correctly
K8s - Ensure That The Api Server --Etcd-Certfile And --Etcd-Keyfile Arguments Are Properly Configured
K8s - Ensure That The Api Server --Kubelet-Certificate-Authority Argument Is Configured
K8s - Ensure That The Api Server --Kubelet-Client-Certificate And --Kubelet-Client-Key Arguments Are Configured Correctly
K8s - Ensure Api Server Uses Strong Cryptographic Ciphers
K8s - Ensure Api Server Pod Specification File Ownership Is Set To Root:Root
K8s - Ensure Api Server Pod Specification File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure That The Api Server --Profiling Argument Is Disabled
K8s - Ensure That The Api Server --Request-Timeout Argument Is Configured Correctly
K8s - Ensure That The Api Server --Secure-Port Argument Is Configured Properly
K8s - Ensure That The Api Server --Service-Account-Key-File Argument Is Configured
K8s - Ensure That The Api Server --Service-Account-Lookup Argument Is Enabled
K8s - Ensure --Tls-Cert-File And --Tls-Private-Key-File Api ServerArguments Are Set As Appropriate
K8s - Ensure That The Api Server --Token-Auth-File Parameter Is Absent
K8s - Ensure Audit Policy Covers Key Security Concerns
K8s - Ensure That The --Authorization-Mode Argument Is Not Set To Alwaysallow
K8s - Ensure That The --Auto-Tls Argument Is Disabled
K8s - Ensure Cert-File And Key-File Arguments Are Properly Set
K8s - Ensure Certificate Authorities File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure --Client-Ca-File Argument Is Set to Enable Kubelet Certificate Authentication
K8s - Ensure That The --Client-Cert-Auth Argument Is Enabled
K8s - Ensure Client Certificate Authorities File Ownership Is Set To Root:Root
K8s - Ensure Cluster-Admin Role Is Appropriately Assigned
K8s - Ensure Cluster Has Active Policy Control Mechanism
K8s - Ensure Cni Plugin Supports Network Policies
K8s - Ensure Container Network Interface File Ownership Is Set To Root:Root
K8s - Ensure Container Network Interface File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Controller Manager --Bind-Address Argument Is Set To 127.0.0.1
K8s - Ensure Controller-Manager.Conf File Ownership Is Set To Root:Root
K8s - Ensure Controller-Manager.Conf File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Controller Manager Pod Specification File Ownership Is Set To Root:Root
K8s - Ensure Controller Manager Pod Specification File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Controller Manager --Profiling Argument Is Disabled
K8s - Ensure Controller Manager --Root-Ca-File Argument Is Configured
K8s - Ensure Controller Manager Rotatekubeletservercertificate Argument Is Enabled
K8s - Ensure Controller Manager --Service-Account-Private-Key-File Argument Is Configured
K8s - Ensure Controller Manager --Terminated-Pod-Gc-Threshold Argument Is Set Appropriately
K8s - Ensure That The Controller Manager --Use-Service-Account-Credentials Argument Is Enabled
K8s - Ensure Etcd Data Directory Ownership Is Set To Etcd:Etcd
K8s - Ensure Etcd Data Directory Permissions Are Set To 700 Or More Restrictive
K8s - Ensure That The Etcd Pod Specification File Ownership Is Set To Root:Root
K8s - Ensure Etcd Pod Specification File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure That The --Event-Qps Argument Is Configured Appropriately
K8s - Ensure That The --Hostname-Override Argument Is Absent
K8s - Ensure Kubeconfig File Permissions Are Set To 644 Or More Restrictive
K8s - Ensure That The --Kubeconfig Kubelet.Conf File Ownership Is Set To Root:Root
K8s - Ensure --Kubeconfig Kubelet.Conf File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure That The Kubelet Configuration File Has Permissions Set To 644 Or More Restrictive
K8s - Ensure Kubelet Limits Pod Pids
K8s - Ensure Kubelet Uses Strong Cryptographic Ciphers
K8s - Ensure Kubelet Service File Ownership Is Set To Root:Root
K8s - Ensure Kubelet Service File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Kubernetes Pki Certificate File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Kubernetes Pki Directory And File Ownership Is Set To Root:Root
K8s - Ensure Kubernetes Pki Key File Permissions Are Set To 600
K8s - Ensure That The --Make-Iptables-Util-Chains Argument Is Enabled
K8s - Ensure That The --Peer-Auto-Tls Argument Is Disabled
K8s - Ensure That The --Peer-Cert-File And --Peer-Key-File Arguments Are Properly Set
K8s - Ensure That The --Peer-Client-Cert-Auth Argument Is Enabled
K8s - Ensure --Protect-Kernel-Defaults Argument Is Set To True
K8s - Ensure Rotate Certificates Argument Is Enabled
K8s - Ensure That The Scheduler --Bind-Address Argument Is Set To 127.0.0.1
K8s - Ensure Scheduler.Conf File Ownership Is Set To Root:Root
K8s - Ensure Scheduler.Conf File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure Scheduler Pod Specification File Ownership Is Set To Root:Root
K8s - Ensure Scheduler Pod Specification File Permissions Are Set To 600 Or More Restrictive
K8s - Ensure That The Scheduler --Profiling Argument Is Disabled
K8s - Ensure Seccomp Profile Is Set To Docker/Default In Pod Definitions
K8s - Ensure That The --Streaming-Connection-Idle-Timeout Argument Is Configured Properly
K8s - Ensure That The --Tls-Cert-File And --Tls-Private-Key-File Arguments Are Properly Set
K8s - Ensure Prevent Containers From Allowing Command Execution
K8s - Ensure Exposed Sensitive Interfaces
K8s - Ensure External Facing Workloads Not Exposed On Internet
K8s - Ensure Forbidden Container Registries
K8s - Ensure Exposure To Internet Via Gateway Api Or Istio Ingress
K8s - Ensure Check If Signature Exists
K8s - Ensure Hostile Multi-Tenant Workloads Are Mitigated
K8s - Ensure Hostnetwork Access
K8s - Ensure Hostpath Mount
K8s - Ensure Host Pid/Ipc Privileges
K8s - Ensure Ownership Of Proxy Kubeconfig File Is Set To Root:Root
K8s - Ensure Proxy Kubeconfig File Permissions Set To 600 Or More Restrictive
K8s - Ensure --Config Argument File Ownership Is Set To Root:Root
K8s - Ensure Kubelet Config.Yaml Configuration File Permissions Set To 600 Or More Restrictive
K8s - Ensure Image Pull Policy On Latest Tag
K8s - Ensure Images From Allowed Registry
K8s - Ensure Immutable Container Filesystem -- Check Readonlyrootfilesystem Field In Securitycontext Is Set To True
K8s - Ensure Ingress And Egress Policies Defined For Pods Or Namespaces
K8s - Ensure Insecure Capabilities
K8s - Ensure Instance Metadata Api Is Disabled
K8s - Ensure K8S Common Labels Usage
K8s - Ensure Kubernetes Cronjob Approval
K8s - Ensure Label Usage For Resources
K8s - Ensure Limit Use Of The Bind, Impersonate, and Escalate Permissions In The Kubernetes Cluster
K8s - Ensure Linux Hardening Is Enabled In Securitycontext
K8s - Ensure List Kubernetes Secrets
K8s - Ensure Validate Admission Controller (Mutating) --C-0039
K8s - Ensure Validate Admission Controller (Validating)
K8s - Ensure Manage Kubernetes Rbac Users With Aws Iam Authenticator For Kubernetes Or Upgrade To Aws Cli V1.16.156
K8s - Ensure Minimize Access To Webhook Configuration Objects
K8s - Ensure Minimize Access To The Approval Sub-Resource Of Certificatesigningrequests Objects
K8s - Ensure Minimize Access To Create Pods
K8s - Ensure Minimize Access To Create Persistent Volumes
K8s - Ensure Minimize Access To The Proxy Sub-Resource Of Nodes
K8s - Ensure Minimize Access To Secrets
K8s - Ensure Minimize Access To The Service Account Token Creation
K8s - Ensure Minimize Cluster Access To Read-Only For Amazon ECR
K8s - Ensure Minimized Cluster Access To Read-Only For Azure Container Registry (ACR)
K8s - Ensure Minimization Of Containers Using Hostports
K8s - Ensure Minimize The Admission Of Containers With Host Ipc Namespace Sharing
K8s - Ensure Minimize The Admission Of Containers Sharing Host Network Namespace
K8s - Ensure Minimize The Admission Of Containers With Hostpid Flag Set To True
K8s - Ensure Minimize The Admission Of Containers With Added Capabilities
K8s - Ensure Minimize The Admission Of Containers With Allowprivilegeescalation
K8s - Ensure Minimize The Admission Of Containers With Capabilities Assigned
K8s - Ensure Minimization Of Containers With The Net_Raw Capability
K8s - Ensure Minimize The Admission Of Hostpath Volumes
K8s - Ensure Minimize The Admission Of Privileged Containers
K8s - Ensure Minimized Admission Of Root Containers
K8s - Ensure Minimized Admission Of Windows Hostprocess Containers
K8s - Ensure Minimize User Access To Amazon ECRs
K8s - Ensure Minimize User Access To Azure Container Registry (ACR)
K8s - Ensure Minimize Wildcard Use In Roles And Clusterroles
K8s - Ensure Missing Network Policy
K8s - Ensure Mount Service Principal
K8s - Ensure Naked Pods
K8s - Ensure Network Mapping -- Check For Network Policies
K8s - Ensure Api Server Uses Strong Cryptographic Ciphers
K8s - Ensure No Impersonation
K8s - Ensure Non-Root Containers
K8s - Ensure Outdated Kubernetes Version
K8s - Ensure Pods In Default Namespace
K8s - Ensure Portforwarding Privileges
K8s - Ensure Prefer Using A Container-Optimized Os When Possible
K8s - Ensure Prefer Using Dedicated AKS service Accounts
K8s - Ensure Prefer Using Dedicated EKS Service Accounts
K8s - Ensure Prefer Using Secrets As Files Over Secrets As Environment Variables
K8s - Ensure Privileged Container
K8s - Ensure Pod Security Policies (PSP) Enabled
K8s - Ensure Workload With Persistent Volume Claim (PVC) Access
K8s - Ensure RBAC Enabled
K8s - Ensure Deprecated Kubernetes Image Registry
K8s - Ensure Resource Limits For CPU and Memory Are Set In Containers
K8s - Ensure Resources Cpu Limit And Request
K8s - Ensure Memory Resource Limits And Requests Are Configured Correctly
K8s - Ensure Restrict Access To The Control Plane Endpoint
K8s - Ensure Restrict Untrusted Workloads With Aci And Aks Integration
K8s - Ensure Serviceaccount Token Not Automatically Mounted
K8s - Ensure Secret/Etcd Encryption Enabled -- Cloud Provider Integration
K8s - Service Account Token Authentication Should Not Be Used For Users
K8s - Ensure SSH Server Not Running Inside Container
K8s - Ensure Sudo In Container Entrypoint
K8s - Ensure Default Namespace Usage Is Restricted
K8s - Ensure Ingress Uses TLS
K8s - Ensure Authenticated Service
K8s - Ensure Use Azure RBAC for Kubernetes Authorization
K8s - Ensure Verify Image Signature With --Trustedcosignpublickeys Argument
K8s - Ensure Read-Only Port Argument Is Set To 0
K8s - Ensure Rotatekubeletservercertificate Argument Is Set To True
K8s - Ensure Workloads With Critical Vulnerabilities Exposed To External Traffic
K8s - Ensure Workloads With Excessive Amount Of Vulnerabilities
K8s - Ensure Workloads With Rce Vulnerabilities Exposed To External Traffic
K8s - Ensure Workload With Administrative Roles
K8s - Ensure Workload With Cluster Takeover Roles
K8s - Ensure Workload With Credential Access
K8s - Ensure Workload With Secret Access
K8s - Ensure Writable Hostpath Mount