Aqua Vulnerability Database
Ensure that the --service-account-lookup argument is set to true
Ensure that the --service-account-private-key-file argument is set as appropriate
Ensure that the --streaming-connection-idle-timeout argument is not set to 0
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
Ensure that the --token-auth-file parameter is not set
Ensure that the --use-service-account-credentials argument is set to true
Ensure that the admin.conf file ownership is set to root:root
Ensure that the admin.conf file permissions are set to 600
Ensure that the admission control plugin AlwaysAdmit is not set
Ensure that the admission control plugin AlwaysPullImages is set
Ensure that the admission control plugin EventRateLimit is set
Ensure that the admission control plugin NamespaceLifecycle is set
Ensure that the admission control plugin NodeRestriction is set
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Ensure that the admission control plugin ServiceAccount is set
Ensure that the API server pod specification file ownership is set to root:root
Ensure that the API server pod specification file permissions are set to 600 or more restrictive
Ensure that the audit policy covers key security concerns (Manual)
Ensure that the certificate authorities file permissions are set to 600 or more restrictive
Ensure that the client certificate authorities file ownership is set to root:root
Ensure that the cluster-admin role is only used where required
Ensure that the CNI in use supports Network Policies (Manual)
Ensure that the Container Network Interface file ownership is set to root:root
Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
Ensure that the controller manager pod specification file ownership is set to root:root
Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
Ensure that the controller-manager.conf file ownership is set to root:root
Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
Ensure that the etcd data directory ownership is set to etcd:etcd
Ensure that the etcd data directory permissions are set to 700 or more restrictive
Ensure that the etcd pod specification file ownership is set to root:root
Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
Ensure that the kubelet service file ownership is set to root:root
Ensure that the kubelet service file permissions are set to 600 or more restrictive
Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive
Ensure that the Kubernetes PKI directory and file ownership is set to root:root
Ensure that the Kubernetes PKI key file permissions are set to 600
Ensure that the RotateKubeletServerCertificate argument is set to true
Ensure that the scheduler pod specification file ownership is set to root:root
Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
Ensure that the scheduler.conf file ownership is set to root:root
Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
Ensure that the seccomp profile is set to docker/default in your pod definitions
Ensure unnecessary packages are not installed in the container (Manual)
Ensure update instructions are not used alone in the Dockerfile
Ensure only verified packages are installed (Manual)
ensure-cloudwatch-integration
Host Namespaces
host ports
HostPath Volumes
HostProcess
If proxy kubeconfig file exists ensure ownership is set to root:root
If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
Immutable container file systems
Kubernetes Pod Security Standards Baseline 0.1
Kubernetes Pod Security Standards Restricted 0.1
Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
limit-root-account-usage
limit-user-access-keys
Make sure --authorization-mode=RBAC
Make sure anonymous-auth is unset
Minimize access to secrets
Minimize the admission of containers which use HostPorts
Minimize the admission of containers wishing to share the host IPC namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers with added capabilities
Minimize the admission of containers with allowPrivilegeEscalation
Minimize the admission of containers with capabilities assigned
Minimize the admission of containers with the NET_RAW capability
Minimize the admission of HostPath volumes
Minimize the admission of privileged containers
Minimize the admission of root containers
Minimize wildcard use in Roles and ClusterRoles
Namespace kube-system should not be used by users
National Security Agency Kubernetes Hardening Guidance V1.0 1.0
no-password-reuse
no-policy-wildcards
no-public-ingress-sgr
no-public-log-access
no-root-access-keys
no-user-attached-policies
Non-root containers
Pod and/or namespace Selectors usage
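Many of the entries above are file-ownership and permission checks on the control-plane configuration (admin.conf, controller-manager.conf, scheduler.conf, the static pod manifests and the PKI directory). The script below is an added example of how such an audit can be scripted; it is not Aqua's or kube-bench's code. The kubeadm-style paths under /etc/kubernetes, the use of GNU coreutils `stat`, and the function names are assumptions. "600 or more restrictive" is implemented literally: the file may set no permission bit that the limit leaves clear.

```shell
#!/bin/sh
# Added example (not AVD or kube-bench code): audit the control-plane file
# permission and ownership checks listed on this page.
# Assumptions: kubeadm layout under /etc/kubernetes, GNU coreutils `stat`.
set -u

# check_mode FILE MAX_OCTAL
# 0 when FILE's mode is MAX_OCTAL or more restrictive (no bit set that the
# limit leaves clear), 1 when it is looser, 2 when FILE is absent.
check_mode() {
  local file=$1 max=$2 mode mode_dec max_dec
  [ -e "$file" ] || { echo "SKIP $file (absent)"; return 2; }
  mode=$(stat -c '%a' "$file")
  # printf parses a leading 0 as octal, giving us decimal values to mask
  mode_dec=$(printf '%d' "0$mode")
  max_dec=$(printf '%d' "0$max")
  if [ $(( mode_dec & ~max_dec )) -eq 0 ]; then
    echo "PASS $file mode $mode (limit $max)"; return 0
  fi
  echo "FAIL $file mode $mode is looser than $max"; return 1
}

# check_owner FILE USER:GROUP -> 0 on match, 1 on mismatch, 2 when absent.
check_owner() {
  local file=$1 want=$2 have
  [ -e "$file" ] || { echo "SKIP $file (absent)"; return 2; }
  have=$(stat -c '%U:%G' "$file")
  [ "$have" = "$want" ] && { echo "PASS $file owned by $have"; return 0; }
  echo "FAIL $file owned by $have, want $want"; return 1
}

# audit_control_plane [BASE] [OWNER]
# BASE defaults to /etc/kubernetes, OWNER to root:root (override OWNER only
# for dry runs on a copy of the tree). Absent files are skipped; any FAIL
# makes the function return 1.
audit_control_plane() {
  local base=${1:-/etc/kubernetes} owner=${2:-root:root} rc=0 f r
  # relative path and maximum mode, one check per line (assumed kubeadm paths)
  while read -r rel max; do
    f=$base/$rel
    check_mode "$f" "$max"; r=$?; [ "$r" -eq 1 ] && rc=1
    check_owner "$f" "$owner"; r=$?; [ "$r" -eq 1 ] && rc=1
  done <<'EOF'
admin.conf 600
controller-manager.conf 600
scheduler.conf 600
manifests/kube-apiserver.yaml 600
manifests/kube-controller-manager.yaml 600
manifests/kube-scheduler.yaml 600
manifests/etcd.yaml 600
EOF
  # PKI directory plus every certificate and key in it: root:root, and the
  # files 600 or more restrictive (the list above applies 600 to both kinds)
  for f in "$base"/pki "$base"/pki/*.crt "$base"/pki/*.key; do
    [ -e "$f" ] || continue
    [ -d "$f" ] || { check_mode "$f" 600; r=$?; [ "$r" -eq 1 ] && rc=1; }
    check_owner "$f" "$owner"; r=$?; [ "$r" -eq 1 ] && rc=1
  done
  return "$rc"
}

# On a control-plane node, as root:  . ./audit-k8s-files.sh && audit_control_plane
```

The bitmask test is what distinguishes "600 or more restrictive" from "exactly 600": a key file at 400 passes, a file at 640 fails even though its octal value is higher than 600 only in the group digit. Run it as root so that `stat` can reach the PKI keys.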