Aqua Vulnerability Database
Kubernetes
General
Allow Role Clusterrolebindings Associate Privileged Cluster Role
Cluster Admin Role Only Used Where Required
Configmap_with_secrets
Configmap_with_sensitive
Containers Not Run As Root
Default Namespace Should Not Be Used
Deny Create Update Malicious Pod
Disable Anonymous Requests Kubelet Server
Disable Timeouts Streaming Connections
Do Not Allow Role Binding Associate Privileged Role
Drop Caps Add Bind Svc
Drop Default Capabilities
Eks Iam Configmap
Ensure Admin Config File Permissions Set 600 Or More Restrictive
Ensure Admin Config Ownership Set Root:root.
Ensure Admission Control Plugin Always Admit Is Not Set
Ensure Admission Control Plugin Always Pull Images Is Set
Ensure Admission Control Plugin Event Rate Limit Is Set
Ensure Admission Control Plugin Namespace Lifecycle Is Set
Ensure Admission Control Plugin Node Restriction Is Set
Ensure Admission Control Plugin Security Context Deny Is Set If Pod Security Policy Is Not Used
Ensure Admission Control Plugin Service Account Is Set
Ensure Anonymous Auth Argument Is False
Ensure Api Server Pod Specification File Permissions Set 600 Or More Restrictive
Ensure Api Server Pod Specification Ownership Set Root:root.
Ensure Audit Log Maxage Argument Is Set To 30 Or As Appropriate
Ensure Audit Log Maxbackup Argument Is Set To 10 Or As Appropriate
Ensure Audit Log Maxsize Argument Is Set To 100 Or As Appropriate
Ensure Audit Log Path Argument Is Set
Ensure Authorization Mode Argument Includes Node
Ensure Authorization Mode Argument Includes Rbac
Ensure Authorization Mode Argument Is Not Set To Alwaysallow
Ensure Authorization Mode Argument Set Alwaysallow
Ensure Auto Tls Argument Is Not Set To True
Ensure Cert File And Key File Arguments Are Set As Appropriate
Ensure Certificate Authorities File Permissions 600 Or More Restrictive.
Ensure Certificate_authorities Ownership Set Root:root
Ensure Client Ca Argument Set Appropriate
Ensure Client Ca File Argument Is Set As Appropriate
Ensure Client Cert Auth Argument Is Set To True
Ensure Container Network Interface File Permissions Set 600 Or More Restrictive
Ensure Container Network Interface Ownership Set Root:root.
Ensure Controller Manager Bind Address Is Loopback
Ensure Controller Manager Config File Permissions Set 600 Or More Restrictive
Ensure Controller Manager Config Ownership Set Root:root.
Ensure Controller Manager Pod Specification File Permissions Set 600 Or More Restrictive
Ensure Controller Manager Pod Specification Ownership Set Root:root.
Ensure Deny Service External Ips Is Not Set
Ensure Etcd Cafile Argument Is Set As Appropriate
Ensure Etcd Certfile And Etcd Keyfile Arguments Are Set As Appropriate
Ensure Etcd Data Directory Ownership Set Etcd:etcd.
Ensure Etcd Data Directory Permissions Set 700 Or More Restrictive
Ensure Etcd Pod Specification File Permissions Set 600 Or More Restrictive
Ensure Etcd Pod Specification Ownership Set Root:root.
Ensure Event Qps Argument Set 0 Or Level For Appropriate Event Capture
Ensure Hostname Override Argument Not Set
Ensure Kubeconfig Kubelet Config.yaml Ownership Set Root:root
Ensure Kubeconfig Kubelet.conf Ownership Set Root:root
Ensure Kubelet Certificate Authority Argument Is Set
Ensure Kubelet Client Certificate And Kubelet Client Key Are Set
Ensure Kubelet Config.yaml Permissions 600 Or More Restrictive.
Ensure Kubelet Https Argument Is Set To True
Ensure Kubelet Only Makes Use Strong Cryptographic Ciphers
Ensure Kubelet Service File Ownership Set Root:root.
Ensure Kubelet Service File Permissions Set 600 Or More Restrictive
Ensure Kubelet.conf File Permissions 600 Or More Restrictive.
Ensure Kubernetes Pki Cert File Permission Set 600.
Ensure Kubernetes Pki Directory File Ownership Set Root:root.
Ensure Kubernetes Pki Key File Permission Set 600.
Ensure Make Iptables Util Chains Argument Set True
Ensure Peer Auto Tls Argument Is Not Set To True
Ensure Peer Cert File And Peer Key File Arguments Are Set As Appropriate
Ensure Peer Client Cert Auth Argument Is Set To True
Ensure Profiling Argument Is Set To False
Ensure Profiling Argument Is Set To False
Ensure Profiling Argument Is Set To False
Ensure Protect Kernel Defaults Set True
Ensure Proxy Kubeconfig Ownership Set Root:root If Exist
Ensure Proxy Kubeconfig Permissions Set 600 Or More Restrictive If Exist
Ensure Root Ca File Argument Is Set As Appropriate
Ensure Rotate Certificates Argument Set False
Ensure Rotate Kubelet Server Certificate Argument Set True
Ensure Scheduler Bind Address Is Loopback
Ensure Scheduler Config File Permissions Set 600 Or More Restrictive
Ensure Scheduler Config Ownership Set Root:root.
Ensure Scheduler Pod Specification File Permissions Set 600 Or More Restrictive
Ensure Scheduler Pod Specification Ownership Set Root:root.
Ensure Secure Port Argument Is Not Set To 0
Ensure Service Account Key File Argument Is Set As Appropriate
Ensure Service Account Lookup Argument Is Set To True
Ensure Service Account Private Key File Argument Is Set As Appropriate
Ensure Terminated Pod Gc Threshold Argument Is Set As Appropriate
Ensure That The Encryption Provider Config Argument Is Set As Appropriate
Ensure That The Rotatekubeletservercertificate Argument Is Set To True
Ensure Tls Cert File And Tls Private Key File Arguments Are Set As Appropriate
Ensure Tls Cert File Argument Set Appropriate
Ensure Tls Key File Argument Set Appropriate
Ensure Token Auth File Parameter Is Not Set
Ensure Use Service Account Credentials Argument Is Set To True
Evaluate K8s Deprecated Removed Apis
Limit Cpu
Limit Memory
No Anonymous User Bind
No Attaching Shell Pods
No Auto Mount Service Token
No Custom Proc Mask
No Custom Selinux Options
No Default Security Context
No Delete Pod Logs
No Docker Sock Mount
No Getting Shell Pods
No Host Network
No Host Pid
No Host Port Access
No Hostprocess Containers
No Impersonate Privileged Groups
No K8s With Disallowed Volumes
No Manage Configmaps
No Manage Networking Resources
No Manage Ns Secrets
No Manage Rbac Resources
No Manage Secrets
No Manage Webhook
No Mounted Hostpath
No Net Raw
No Non Default Capabilities
No Non Ephemeral Volumes
No Privilege Escalation From Node Proxy
No Privilege Port Binding
No Privileged Containers
No Root
No Seccomp Unconfined
No Self Privesc
No Shared Ipc Namespace
No Sysadmin Capability
No Sysmodule Capability
No System Authenticated Group Bind
No Tiller
No Unsafe Sysctl
No Unspecified Cpu Requests
No Unspecified Memory Requests
No User Pods In System Namespace
No Wildcard Resource Clusterrole
No Wildcard Resource Role
No Wildcard Verb Resource Role
No Wildcard Verb Role
No_svc_with_extip
Primary Supplementary Gid
Selector Usage In Network Policies
Use Default Apparmor Profile
Use Default Seccomp
Use High Gid
Use High Uid
Use Readonly Filesystem
Use Specific Tags
Verify Read Only Port Argument Set 0
View All Secrets