Our scanner detects a wide range of Kubernetes misconfigurations that may weaken the security of your environment. Below is the list of checks we run. Each entry is the title of one check; titles that name a risky condition (for example a privileged container or a writable hostPath mount) flag workloads in which that condition is present, and titles that name a flag or file permission flag nodes or control-plane components where the expected setting is missing.
- K8s - Ensure Access Container Service Account
- K8s - Ensure Access Kubernetes Dashboard
- K8s - Ensure Allow Privilege Escalation Is Disabled In securityContext
- K8s - Ensure Anonymous User Is Not Granted RoleBinding
- K8s - Ensure API Server --insecure-port Flag Is Set To Zero
- K8s - Ensure Applications Credentials In Configuration Files
- K8s - Ensure Apply Security Context To Your Pods And Containers
- K8s - Ensure Audit Logs Enabled
- K8s - Ensure system:authenticated Group Does Not Have Elevated Roles
- K8s - Ensure Automatic Mapping Of Service Account Token Is Disabled
- K8s - Ensure Avoidance Of system:masters Group Usage
- K8s - Bootstrap Token Authentication Should Not Be Used For Users
- K8s - Client Certificate Authentication Should Not Be Used For Users
- K8s - Ensure Cluster Access Manager API For Enhanced Access Control In EKS Clusters
- K8s - Ensure Administrative Roles
- K8s - Ensure Cluster Internal Networking
- K8s - Ensure Workload With ConfigMap Access
- K8s - Ensure Configured Liveness Probe
- K8s - Ensure Configured Readiness Probe
- K8s - Configure Image Provenance Using ImagePolicyWebhook Admission Controller
- K8s - Ensure Consider External Secret Storage
- K8s - Ensure Consider Fargate For Running Untrusted Workloads
- K8s - Ensure Container hostPort
- K8s - Ensure Container Runtime Socket Not Mounted
- K8s - Ensure CoreDNS ConfigMap Update Permissions Are Restricted
- K8s - Ensure Administrative Boundaries Between Resources Using Namespaces
- K8s - Ensure Usage Of subPath Or subPathExpr Volume Mounts Is Restricted
- K8s - Ensure allow-snippet-annotations Is Disabled In The NGINX Ingress Controller
- K8s - Ensure Linux Kernel Version Is Patched To Mitigate CVE-2022-0185 Vulnerability
- K8s - Ensure Containerd Version Is Patched for CVE-2022-23648
- K8s - Ensure Argo CD Version Is Patched For CVE-2022-24348 (Directory Traversal)
- K8s - Ensure Aggregated API Server Redirect Vulnerability CVE-2022-3172 Is Mitigated
- K8s - Ensure Grafana Authentication Bypass Vulnerability Is Mitigated
- K8s - Ensure Kyverno Image Signature Verification Process Is Secure
- K8s - Ensure Roles With Delete Capabilities
- K8s - Ensure Delete Kubernetes Events
- K8s - Ensure Anonymous Access To The Kubelet Service Is Disabled (--anonymous-auth=false)
- K8s - Ensure Enable Audit Logs
- K8s - Ensure PersistentVolume Without Encryption
- K8s - Ensure Traffic To HTTPS Load Balancers Is Encrypted With TLS Certificates
- K8s - Ensure Kubelet Client TLS Authentication Is Enforced (--client-ca-file Flag Is Set)
- K8s - Ensure Clusters Are Created With Private Endpoint Enabled And Public Access Disabled
- K8s - Ensure Clusters Are Created With Private Nodes
- K8s - Ensure CPU Limits Are Set
- K8s - Ensure CPU Requests Are Configured
- K8s - Ensure Image Vulnerability Scanning With Amazon ECR or Third Party Provider
- K8s - Ensure Image Vulnerability Scanning With Azure Defender Or Third Party Provider
- K8s - Ensure Kubernetes Secrets Are Encrypted
- K8s - Ensure Memory Limits Are Set
- K8s - Ensure Memory Requests Are Configured
- K8s - Ensure Network Policy Is Enabled And Configured Correctly
- K8s - Ensure All Namespaces Have Network Policies Defined
- K8s - Ensure Minimal Audit Policy Creation
- K8s - Ensure Unique Certificate Authority For Etcd
- K8s - Ensure Default Service Accounts Are Not Actively Used
- K8s - Ensure Encryption Providers Are Appropriately Configured
- K8s - Ensure Service Account Tokens Are Disabled For Pods And Service Accounts
- K8s - Ensure admin.conf File Ownership Is Set To root:root
- K8s - Ensure admin.conf File Permissions Are Set To 600
- K8s - Ensure --enable-admission-plugins Argument Does Not Include AlwaysAdmit
- K8s - Ensure --enable-admission-plugins Argument Includes AlwaysPullImages
- K8s - Ensure That The Admission Control Plugin EventRateLimit Is Configured
- K8s - Ensure Admission Control Plugin NamespaceLifecycle Is Configured
- K8s - Ensure --enable-admission-plugins Argument Includes NodeRestriction
- K8s - Ensure --enable-admission-plugins Argument Includes SecurityContextDeny If PodSecurityPolicy Is Not Used
- K8s - Ensure Admission Control Plugin ServiceAccount Is Configured
- K8s - Ensure That The --anonymous-auth Argument Is Set To False
- K8s - Ensure That The API Server --anonymous-auth Argument Is Set To False
- K8s - Ensure That The API Server --audit-log-maxage Argument Is Set To 30 Or As Appropriate
- K8s - Ensure --audit-log-maxbackup Argument For The API Server Is Set To 10 Or As Appropriate
- K8s - Ensure --audit-log-maxsize Argument For The API Server Is Set To 100 Or As Appropriate
- K8s - Ensure That The API Server --audit-log-path Argument Is Configured
- K8s - Ensure That The API Server --authorization-mode Argument Includes Node
- K8s - Ensure That The API Server --authorization-mode Argument Includes RBAC
- K8s - Ensure That The API Server --authorization-mode Argument Is Not Set To AlwaysAllow
- K8s - Ensure That The API Server --client-ca-file Argument Is Configured Properly
- K8s - Ensure That The API Server DenyServiceExternalIPs Admission Plugin Is Disabled
- K8s - Ensure That The API Server DenyServiceExternalIPs Admission Plugin Is Enabled
- K8s - Ensure That The API Server --encryption-provider-config Argument Is Configured Properly
- K8s - Ensure That The API Server --etcd-cafile Argument Is Configured Correctly
- K8s - Ensure That The API Server --etcd-certfile And --etcd-keyfile Arguments Are Properly Configured
- K8s - Ensure That The API Server --kubelet-certificate-authority Argument Is Configured
- K8s - Ensure That The API Server --kubelet-client-certificate And --kubelet-client-key Arguments Are Configured Correctly
- K8s - Ensure API Server Uses Strong Cryptographic Ciphers
- K8s - Ensure API Server Pod Specification File Ownership Is Set To root:root
- K8s - Ensure API Server Pod Specification File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure That The API Server --profiling Argument Is Disabled
- K8s - Ensure That The API Server --request-timeout Argument Is Configured Correctly
- K8s - Ensure That The API Server --secure-port Argument Is Configured Properly
- K8s - Ensure That The API Server --service-account-key-file Argument Is Configured
- K8s - Ensure That The API Server --service-account-lookup Argument Is Enabled
- K8s - Ensure --tls-cert-file And --tls-private-key-file API Server Arguments Are Set As Appropriate
- K8s - Ensure That The API Server --token-auth-file Parameter Is Absent
- K8s - Ensure Audit Policy Covers Key Security Concerns
- K8s - Ensure That The --authorization-mode Argument Is Not Set To AlwaysAllow
- K8s - Ensure That The --auto-tls Argument Is Disabled
- K8s - Ensure --cert-file And --key-file Arguments Are Properly Set
- K8s - Ensure Certificate Authorities File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure --client-ca-file Argument Is Set To Enable Kubelet Certificate Authentication
- K8s - Ensure That The --client-cert-auth Argument Is Enabled
- K8s - Ensure Client Certificate Authorities File Ownership Is Set To root:root
- K8s - Ensure cluster-admin Role Is Appropriately Assigned
- K8s - Ensure Cluster Has Active Policy Control Mechanism
- K8s - Ensure CNI Plugin Supports Network Policies
- K8s - Ensure Container Network Interface File Ownership Is Set To root:root
- K8s - Ensure Container Network Interface File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Controller Manager --bind-address Argument Is Set To 127.0.0.1
- K8s - Ensure controller-manager.conf File Ownership Is Set To root:root
- K8s - Ensure controller-manager.conf File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Controller Manager Pod Specification File Ownership Is Set To root:root
- K8s - Ensure Controller Manager Pod Specification File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Controller Manager --profiling Argument Is Disabled
- K8s - Ensure Controller Manager --root-ca-file Argument Is Configured
- K8s - Ensure Controller Manager RotateKubeletServerCertificate Argument Is Enabled
- K8s - Ensure Controller Manager --service-account-private-key-file Argument Is Configured
- K8s - Ensure Controller Manager --terminated-pod-gc-threshold Argument Is Set Appropriately
- K8s - Ensure That The Controller Manager --use-service-account-credentials Argument Is Enabled
- K8s - Ensure Etcd Data Directory Ownership Is Set To etcd:etcd
- K8s - Ensure Etcd Data Directory Permissions Are Set To 700 Or More Restrictive
- K8s - Ensure That The Etcd Pod Specification File Ownership Is Set To root:root
- K8s - Ensure Etcd Pod Specification File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure That The --event-qps Argument Is Configured Appropriately
- K8s - Ensure That The --hostname-override Argument Is Absent
- K8s - Ensure Kubeconfig File Permissions Are Set To 644 Or More Restrictive
- K8s - Ensure That The --kubeconfig kubelet.conf File Ownership Is Set To root:root
- K8s - Ensure --kubeconfig kubelet.conf File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure That The Kubelet Configuration File Has Permissions Set To 644 Or More Restrictive
- K8s - Ensure Kubelet Limits Pod Pids
- K8s - Ensure Kubelet Uses Strong Cryptographic Ciphers
- K8s - Ensure Kubelet Service File Ownership Is Set To root:root
- K8s - Ensure Kubelet Service File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Kubernetes PKI Certificate File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Kubernetes PKI Directory And File Ownership Is Set To root:root
- K8s - Ensure Kubernetes PKI Key File Permissions Are Set To 600
- K8s - Ensure That The --make-iptables-util-chains Argument Is Enabled
- K8s - Ensure That The --peer-auto-tls Argument Is Disabled
- K8s - Ensure That The --peer-cert-file And --peer-key-file Arguments Are Properly Set
- K8s - Ensure That The --peer-client-cert-auth Argument Is Enabled
- K8s - Ensure --protect-kernel-defaults Argument Is Set To True
- K8s - Ensure --rotate-certificates Argument Is Enabled
- K8s - Ensure That The Scheduler --bind-address Argument Is Set To 127.0.0.1
- K8s - Ensure scheduler.conf File Ownership Is Set To root:root
- K8s - Ensure scheduler.conf File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure Scheduler Pod Specification File Ownership Is Set To root:root
- K8s - Ensure Scheduler Pod Specification File Permissions Are Set To 600 Or More Restrictive
- K8s - Ensure That The Scheduler --profiling Argument Is Disabled
- K8s - Ensure Seccomp Profile Is Set To docker/default In Pod Definitions
- K8s - Ensure That The --streaming-connection-idle-timeout Argument Is Configured Properly
- K8s - Ensure That The --tls-cert-file And --tls-private-key-file Arguments Are Properly Set
- K8s - Ensure Prevent Containers From Allowing Command Execution
- K8s - Ensure Exposed Sensitive Interfaces
- K8s - Ensure External Facing Workloads Not Exposed On Internet
- K8s - Ensure Forbidden Container Registries
- K8s - Ensure Exposure To Internet Via Gateway API Or Istio Ingress
- K8s - Ensure Check If Signature Exists
- K8s - Ensure Hostile Multi-Tenant Workloads Are Mitigated
- K8s - Ensure hostNetwork Access
- K8s - Ensure hostPath Mount
- K8s - Ensure Host PID/IPC Privileges
- K8s - Ensure Ownership Of Proxy Kubeconfig File Is Set To root:root
- K8s - Ensure Proxy Kubeconfig File Permissions Set To 600 Or More Restrictive
- K8s - Ensure --config Argument File Ownership Is Set To root:root
- K8s - Ensure Kubelet config.yaml Configuration File Permissions Set To 600 Or More Restrictive
- K8s - Ensure Image Pull Policy On Latest Tag
- K8s - Ensure Images From Allowed Registry
- K8s - Ensure Immutable Container Filesystem -- Check readOnlyRootFilesystem Field In securityContext Is Set To True
- K8s - Ensure Ingress And Egress Policies Defined For Pods Or Namespaces
- K8s - Ensure Insecure Capabilities
- K8s - Ensure Instance Metadata API Is Disabled
- K8s - Ensure K8S Common Labels Usage
- K8s - Ensure Kubernetes Cronjob Approval
- K8s - Ensure Label Usage For Resources
- K8s - Ensure Limit Use Of The Bind, Impersonate, and Escalate Permissions In The Kubernetes Cluster
- K8s - Ensure Linux Hardening Is Enabled In securityContext
- K8s - Ensure List Kubernetes Secrets
- K8s - Ensure Validate Admission Controller (Mutating) (C-0039)
- K8s - Ensure Validate Admission Controller (Validating)
- K8s - Ensure Manage Kubernetes RBAC Users With AWS IAM Authenticator For Kubernetes Or Upgrade To AWS CLI v1.16.156
- K8s - Ensure Minimize Access To Webhook Configuration Objects
- K8s - Ensure Minimize Access To The Approval Sub-Resource Of CertificateSigningRequests Objects
- K8s - Ensure Minimize Access To Create Pods
- K8s - Ensure Minimize Access To Create Persistent Volumes
- K8s - Ensure Minimize Access To The Proxy Sub-Resource Of Nodes
- K8s - Ensure Minimize Access To Secrets
- K8s - Ensure Minimize Access To The Service Account Token Creation
- K8s - Ensure Minimize Cluster Access To Read-Only For Amazon ECR
- K8s - Ensure Minimized Cluster Access To Read-Only For Azure Container Registry (ACR)
- K8s - Ensure Minimization Of Containers Using hostPorts
- K8s - Ensure Minimize The Admission Of Containers With Host IPC Namespace Sharing
- K8s - Ensure Minimize The Admission Of Containers Sharing Host Network Namespace
- K8s - Ensure Minimize The Admission Of Containers With hostPID Flag Set To True
- K8s - Ensure Minimize The Admission Of Containers With Added Capabilities
- K8s - Ensure Minimize The Admission Of Containers With allowPrivilegeEscalation
- K8s - Ensure Minimize The Admission Of Containers With Capabilities Assigned
- K8s - Ensure Minimization Of Containers With The NET_RAW Capability
- K8s - Ensure Minimize The Admission Of hostPath Volumes
- K8s - Ensure Minimize The Admission Of Privileged Containers
- K8s - Ensure Minimized Admission Of Root Containers
- K8s - Ensure Minimized Admission Of Windows HostProcess Containers
- K8s - Ensure Minimize User Access To Amazon ECRs
- K8s - Ensure Minimize User Access To Azure Container Registry (ACR)
- K8s - Ensure Minimize Wildcard Use In Roles And ClusterRoles
- K8s - Ensure Missing Network Policy
- K8s - Ensure Mount Service Principal
- K8s - Ensure Naked Pods
- K8s - Ensure Network Mapping -- Check For Network Policies
- K8s - Ensure No Impersonation
- K8s - Ensure Non-Root Containers
- K8s - Ensure Outdated Kubernetes Version
- K8s - Ensure Pods In Default Namespace
- K8s - Ensure Portforwarding Privileges
- K8s - Ensure Prefer Using A Container-Optimized Os When Possible
- K8s - Ensure Prefer Using Dedicated AKS Service Accounts
- K8s - Ensure Prefer Using Dedicated EKS Service Accounts
- K8s - Ensure Prefer Using Secrets As Files Over Secrets As Environment Variables
- K8s - Ensure Privileged Container
- K8s - Ensure Pod Security Policies (PSP) Enabled
- K8s - Ensure Workload With Persistent Volume Claim (PVC) Access
- K8s - Ensure RBAC Enabled
- K8s - Ensure Deprecated Kubernetes Image Registry
- K8s - Ensure Resource Limits For CPU and Memory Are Set In Containers
- K8s - Ensure Resources CPU Limit And Request
- K8s - Ensure Memory Resource Limits And Requests Are Configured Correctly
- K8s - Ensure Restrict Access To The Control Plane Endpoint
- K8s - Ensure Restrict Untrusted Workloads With ACI And AKS Integration
- K8s - Ensure ServiceAccount Token Not Automatically Mounted
- K8s - Ensure Secret/Etcd Encryption Enabled -- Cloud Provider Integration
- K8s - Service Account Token Authentication Should Not Be Used For Users
- K8s - Ensure SSH Server Not Running Inside Container
- K8s - Ensure Sudo In Container Entrypoint
- K8s - Ensure Default Namespace Usage Is Restricted
- K8s - Ensure Ingress Uses TLS
- K8s - Ensure Authenticated Service
- K8s - Ensure Use Azure RBAC for Kubernetes Authorization
- K8s - Ensure Verify Image Signature With trustedCosignPublicKeys Argument
- K8s - Ensure --read-only-port Argument Is Set To 0
- K8s - Ensure RotateKubeletServerCertificate Argument Is Set To True
- K8s - Ensure Workloads With Critical Vulnerabilities Exposed To External Traffic
- K8s - Ensure Workloads With Excessive Amount Of Vulnerabilities
- K8s - Ensure Workloads With RCE Vulnerabilities Exposed To External Traffic
- K8s - Ensure Workload With Administrative Roles
- K8s - Ensure Workload With Cluster Takeover Roles
- K8s - Ensure Workload With Credential Access
- K8s - Ensure Workload With Secret Access
- K8s - Ensure Writable hostPath Mount
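The workload-level entries above (privileged containers, allowPrivilegeEscalation, read-only root filesystem, non-root containers, NET_RAW, host namespaces, hostPath and runtime-socket mounts, automounted service account tokens, resource limits, seccomp, image tags) all reduce to inspecting fields of a Pod spec. The following is an added example written for this page, not the scanner's own code: a small Python evaluator that runs a simplified version of those checks over a Pod given as a dict in the shape `kubectl get pod -o json` returns. The check names are shortened from the list, the `RUNTIME_SOCKETS` path list is an assumption, and the two sample pods are constructed, not taken from a real cluster.

```python
"""Added example for this page, not the scanner's own implementation: a minimal
evaluator for some of the workload-level checks in the list above. Input is a Pod
as a Python dict (the `kubectl get pod -o json` shape). The logic is a simplified
stand-in: the real checks also account for PodSecurity admission, ServiceAccount-level
automount settings, read-only volumeMounts, and more."""
from typing import Callable, Dict, List

# Well-known container runtime socket paths (an illustrative list, assumed here).
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock",
                   "/run/containerd/containerd.sock", "/var/run/crio/crio.sock"}

def _spec(pod: dict) -> dict:
    return pod.get("spec") or {}

def _containers(pod: dict) -> List[dict]:
    return list(_spec(pod).get("containers") or []) + list(_spec(pod).get("initContainers") or [])

def _sc(pod: dict, c: dict) -> dict:
    # Fields on the container's securityContext override the pod-level ones.
    return {**(_spec(pod).get("securityContext") or {}), **(c.get("securityContext") or {})}

def _host_paths(pod: dict) -> List[str]:
    return [v["hostPath"].get("path", "") for v in _spec(pod).get("volumes") or [] if v.get("hostPath")]

def privileged_container(pod: dict) -> bool:
    return any(_sc(pod, c).get("privileged") for c in _containers(pod))

def allow_privilege_escalation(pod: dict) -> bool:
    # The field defaults to true when it is not set explicitly.
    return any(_sc(pod, c).get("allowPrivilegeEscalation", True) for c in _containers(pod))

def writable_root_filesystem(pod: dict) -> bool:
    return any(not _sc(pod, c).get("readOnlyRootFilesystem") for c in _containers(pod))

def root_container(pod: dict) -> bool:
    # Neither runAsNonRoot nor a non-zero runAsUser: the image's own USER (often root) wins.
    return any(not _sc(pod, c).get("runAsNonRoot") and not _sc(pod, c).get("runAsUser")
               for c in _containers(pod))

def net_raw_not_dropped(pod: dict) -> bool:
    # Passing requires capabilities.drop to contain ALL or NET_RAW.
    return any(not {x.upper() for x in (_sc(pod, c).get("capabilities") or {}).get("drop") or []}
               & {"ALL", "NET_RAW"} for c in _containers(pod))

def host_namespace_sharing(pod: dict) -> bool:
    return any(_spec(pod).get(k) for k in ("hostNetwork", "hostPID", "hostIPC"))

def runtime_socket_mounted(pod: dict) -> bool:
    return any(p.rstrip("/") in RUNTIME_SOCKETS for p in _host_paths(pod))

def sa_token_automounted(pod: dict) -> bool:
    # Only the pod-level field is visible here; the ServiceAccount object can also disable it.
    return _spec(pod).get("automountServiceAccountToken") is not False

def missing_resource_limits(pod: dict) -> bool:
    return any(not {"cpu", "memory"} <= set((c.get("resources") or {}).get("limits") or {})
               for c in _containers(pod))

def no_seccomp_profile(pod: dict) -> bool:
    return any((_sc(pod, c).get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost")
               for c in _containers(pod))

def latest_or_untagged_image(pod: dict) -> bool:
    for c in _containers(pod):
        image = c.get("image", "")
        if "@sha256:" in image:          # pinned by digest
            continue
        last = image.rsplit("/", 1)[-1]  # drop registry/repo so a registry port is not read as a tag
        if ":" not in last or last.endswith(":latest"):
            return True
    return False

CHECKS: Dict[str, Callable[[dict], bool]] = {
    "Privileged Container": privileged_container,
    "Allow Privilege Escalation Not Disabled": allow_privilege_escalation,
    "Writable Root Filesystem": writable_root_filesystem,
    "Root Container": root_container,
    "NET_RAW Not Dropped": net_raw_not_dropped,
    "Host PID/IPC/Network Sharing": host_namespace_sharing,
    "Container Runtime Socket Mounted": runtime_socket_mounted,
    "Service Account Token Automounted": sa_token_automounted,
    "Missing CPU/Memory Limits": missing_resource_limits,
    "No Seccomp Profile": no_seccomp_profile,
    "Image Tag Missing Or latest": latest_or_untagged_image,
}

def scan(pod: dict) -> List[str]:
    """Names of the checks the pod fails, in CHECKS order."""
    return [name for name, check in CHECKS.items() if check(pod)]

# Constructed sample inputs (not taken from any real cluster).
WEAK_POD = {"metadata": {"name": "debug", "namespace": "default"}, "spec": {
    "hostPID": True, "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "shell", "image": "docker.io/library/ubuntu",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                    "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"}]}]}}
HARDENED_POD = {"metadata": {"name": "api", "namespace": "payments"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "registry.example.com/payments/api:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                                  "requests": {"cpu": "100m", "memory": "128Mi"}}}]}}
```

`scan(WEAK_POD)` returns every check name in `CHECKS`, while `scan(HARDENED_POD)` returns an empty list; the hardened spec shows that pod-level `runAsNonRoot` and `seccompProfile` are inherited by the container, which is why the container only needs to set the fields that exist at container scope.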
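The API server entries in the list are checks on kube-apiserver command-line flags. As an added example (not the scanner's or the Kubernetes project's code), the Python below parses the `command` array of the API server static pod (on kubeadm clusters, `/etc/kubernetes/manifests/kube-apiserver.yaml`) and evaluates a subset of those checks. Defaults assumed for unset flags are the upstream kube-apiserver defaults (`--anonymous-auth`, `--profiling` and `--service-account-lookup` default to true, `--authorization-mode` to AlwaysAllow); treating an absent `--insecure-port` as 0 assumes a release in which the insecure port no longer exists, and the two sample command lines are constructed.

```python
"""Added example for this page, not the scanner's own code: evaluate some of the
kube-apiserver flag checks listed above against the API server command line.
Input is the `command` array of the static pod manifest (or `ps` output split on
whitespace). The sample command lines below are constructed."""
from typing import Dict, List, Set

def parse_flags(command: List[str]) -> Dict[str, str]:
    """['kube-apiserver', '--a=1', '--b', '2', '--c'] -> {'a': '1', 'b': '2', 'c': 'true'}.
    Simplification: a flag given twice keeps its last value."""
    flags: Dict[str, str] = {}
    i = 1  # command[0] is the binary
    while i < len(command):
        arg = command[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep:
                # '--flag value' form, or a bare boolean flag
                if i + 1 < len(command) and not command[i + 1].startswith("--"):
                    i += 1
                    value = command[i]
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags

def _csv(flags: Dict[str, str], name: str) -> Set[str]:
    return {v.strip() for v in flags.get(name, "").split(",") if v.strip()}

def check_api_server(flags: Dict[str, str]) -> List[str]:
    """Return the (shortened) names of the listed checks that fail."""
    modes = _csv(flags, "authorization-mode") or {"AlwaysAllow"}  # upstream default
    plugins = _csv(flags, "enable-admission-plugins")
    disabled = _csv(flags, "disable-admission-plugins")
    def num(name: str) -> int:
        return int(flags.get(name, "0"))
    rules = [
        (flags.get("anonymous-auth", "true") != "false", "--anonymous-auth Is Set To False"),
        ("Node" not in modes, "--authorization-mode Includes Node"),
        ("RBAC" not in modes, "--authorization-mode Includes RBAC"),
        ("AlwaysAllow" in modes, "--authorization-mode Is Not Set To AlwaysAllow"),
        ("AlwaysAdmit" in plugins, "--enable-admission-plugins Does Not Include AlwaysAdmit"),
        ("NodeRestriction" not in plugins, "--enable-admission-plugins Includes NodeRestriction"),
        ("ServiceAccount" in disabled, "ServiceAccount Admission Plugin Is Enabled"),  # on by default
        (flags.get("profiling", "true") != "false", "--profiling Is Disabled"),
        # Assumption: a release without the insecure port, so an absent flag counts as 0.
        (flags.get("insecure-port", "0") != "0", "--insecure-port Is Set To Zero"),
        ("audit-log-path" not in flags, "--audit-log-path Is Configured"),
        (num("audit-log-maxage") < 30, "--audit-log-maxage Is Set To 30 Or As Appropriate"),
        (num("audit-log-maxbackup") < 10, "--audit-log-maxbackup Is Set To 10 Or As Appropriate"),
        (num("audit-log-maxsize") < 100, "--audit-log-maxsize Is Set To 100 Or As Appropriate"),
        ("token-auth-file" in flags, "--token-auth-file Is Absent"),
        (flags.get("service-account-lookup", "true") != "true", "--service-account-lookup Is Enabled"),
        ("kubelet-certificate-authority" not in flags, "--kubelet-certificate-authority Is Configured"),
        ("encryption-provider-config" not in flags, "--encryption-provider-config Is Configured"),
        # Simplification: only checks that an explicit suite list is set, not that each suite is strong.
        (not _csv(flags, "tls-cipher-suites"), "API Server Uses Strong Cryptographic Ciphers"),
    ]
    return [name for failed, name in rules if failed]

# Constructed sample command lines (not from a real cluster).
WEAK_COMMAND = [
    "kube-apiserver",
    "--authorization-mode=AlwaysAllow",
    "--enable-admission-plugins=AlwaysAdmit",
    "--token-auth-file=/etc/kubernetes/tokens.csv",
    "--insecure-port=8080",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--audit-log-maxage=7",
]
HARDENED_COMMAND = [
    "kube-apiserver",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction,EventRateLimit",
    "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--audit-log-maxage=30", "--audit-log-maxbackup=10", "--audit-log-maxsize=100",
    "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--encryption-provider-config=/etc/kubernetes/enc/enc.yaml",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
```

`check_api_server(parse_flags(HARDENED_COMMAND))` returns an empty list; the weak command line fails 15 of the 18 rules, passing only the audit-log path, the ServiceAccount plugin (still enabled by default) and `--service-account-lookup` (true by default). Note that a check that passes because of an upstream default is only as reliable as the version assumption behind it, which is why the real benchmark checks also inspect the running version.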