| Network Security |
json |
MEDIUM |
Containers Should Not Share the Host Network Namespace |
AC-K8-NS-PO-M-0164 |
| Network Security |
json |
MEDIUM |
Image without digest affects the integrity principle of image security |
AC-K8-NS-PO-M-0133 |
| Identity and Access Management |
json |
HIGH |
Minimize Admission of Root Containers |
AC-K8-IA-PO-H-0168 |
| Operational Efficiency |
json |
Medium |
CPU Request Not Set in config file. |
AC-K8-OE-PK-M-0155 |
| Operational Efficiency |
json |
MEDIUM |
Default Namespace Should Not be Used |
AC-K8-OE-PO-M-0166 |
| Network Security |
json |
HIGH |
Do Not Use CAP_SYS_ADMIN Linux Capability |
AC-K8-NS-PO-H-0170 |
| Operational Efficiency |
json |
Medium |
Memory Limits Not Set in config file. |
AC-K8-OE-PK-M-0158 |
| Data Security |
json |
MEDIUM |
Ensure That Tiller (Helm V2) Is Not Deployed |
AC-K8-DS-PO-M-0177 |
| Operational Efficiency |
json |
LOW |
No readiness probe will affect automatic recovery in case of unexpected errors |
AC-K8-OE-PO-L-0130 |
| Identity and Access Management |
json |
MEDIUM |
Default seccomp profile not enabled will make the container to make non-essential system calls |
AC-K8-IA-PO-M-0141 |
| Identity and Access Management |
json |
MEDIUM |
Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions |
AC-K8-IA-PO-M-0140 |
| Network Security |
json |
HIGH |
Prefer using secrets as files over secrets as environment variables |
AC-K8-NS-PO-H-0117 |
| Network Security |
json |
MEDIUM |
Containers Should Not Share Host IPC Namespace |
AC-K8-NS-PO-M-0163 |
| Network Security |
json |
MEDIUM |
Apply Security Context to Your Pods and Containers |
AC-K8-NS-PO-M-0122 |
| Data Security |
json |
MEDIUM |
Ensure Kubernetes Dashboard Is Not Deployed |
AC-K8-DS-PO-M-0176 |
| Identity and Access Management |
json |
HIGH |
Allowing hostPaths to mount to Pod arise the probability of getting access to the node’s filesystem |
AC-K8-IA-PO-H-0138 |
| Identity and Access Management |
json |
MEDIUM |
Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host |
AC-K8-IA-PO-M-0143 |
| Identity and Access Management |
json |
HIGH |
Allowing the pod to make system level calls provide access to host/node sensitive information |
AC-K8-IA-PO-H-0137 |
| Operational Efficiency |
json |
MEDIUM |
AlwaysPullImages plugin is not set |
AC-K8-OE-PK-M-0034 |
| Identity and Access Management |
json |
MEDIUM |
Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s |
AC-K8-IA-PO-M-0139 |
| Identity and Access Management |
json |
MEDIUM |
AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats |
AC-K8-IA-PO-M-0135 |
| Identity and Access Management |
json |
MEDIUM |
Containers Should Not Share Host Process ID Namespace |
AC-K8-IA-PO-M-0162 |
| Network Security |
json |
MEDIUM |
Containers Should Run as a High UID to Avoid Host Conflict |
AC-K8-NS-PO-M-0182 |
| Identity and Access Management |
json |
MEDIUM |
Minimize the admission of containers with the NET_RAW capability |
AC-K8-IA-PS-M-0112 |
| Operational Efficiency |
json |
LOW |
No liveness probe will ensure there is no recovery in case of unexpected errors |
AC-K8-OE-PO-L-0129 |
| Operational Efficiency |
json |
LOW |
No tag or container image with :Latest tag makes difficult to rollback and track |
AC-K8-OE-PO-L-0134 |
| Operational Efficiency |
json |
Medium |
Memory Request Not Set in config file. |
AC-K8-OE-PK-M-0157 |
| Cloud Assets Management |
json |
HIGH |
Containers Should Not Run with AllowPrivilegeEscalation |
AC-K8-CA-PO-H-0165 |
| Identity and Access Management |
json |
HIGH |
Minimize the admission of privileged containers |
AC-K8-IA-PO-H-0106 |
| Operational Efficiency |
json |
Medium |
CPU Limits Not Set in config file. |
AC-K8-OE-PK-M-0156 |
| Network Security |
json |
MEDIUM |
Restrict Mounting Docker Socket in a Container |
AC-K8-NS-PO-M-0171 |
| Identity and Access Management |
json |
MEDIUM |
Ensure that Service Account Tokens are only mounted where necessary |
AC-K8-IA-PO-M-0105 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.120 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.116 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.117 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.106 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.110 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.111 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.107 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.112 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.108 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.109 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.105 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.113 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.118 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.114 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.115 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Container does not have resource limitations defined |
accurics.kubernetes.IAM.119 |
| Data Security |
json |
MEDIUM |
Vulnerable to CVE-2020-8555 (affected version of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8,< v1.15.11 |
AC-K8-DS-PO-M-0143 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.64 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.72 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.68 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.69 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.65 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.58 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.62 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.63 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.59 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.60 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.61 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.57 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.70 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.66 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.67 |
| Encryption and Key Management |
kubernetes |
HIGH |
Container uses secrets in environment variables |
accurics.kubernetes.EKM.71 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.81 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.78 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.74 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.75 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.79 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.80 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.87 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.86 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.73 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.85 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.84 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.88 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.83 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.76 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.77 |
| Identity and Access Management |
kubernetes |
MEDIUM |
Pod has extra capabilities allowed |
accurics.kubernetes.IAM.82 |