github.com/datreeio/datree@v1.9.22-rc/pkg/defaultRules/howToFix.yaml

rules:
  - id: 1
    title: Each container image should have a pinned version tag or image ID (aka image SHA)
    uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_VERSION
    ruleId: ensure-image-pinned-version
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
      - spec:
          containers:
            - name: app
              image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
  - id: 2
    title: ""
    uniqueName: CONTAINERS_MISSING_MEMORY_REQUEST_KEY
    ruleId: ensure-memory-request
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              resources:
                requests:
                  memory: "64Mi"
  - id: 3
    title: ""
    uniqueName: CONTAINERS_MISSING_CPU_REQUEST_KEY
    ruleId: ensure-cpu-request
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              resources:
                requests:
                  cpu: "250m"
  - id: 4
    title: ""
    uniqueName: CONTAINERS_MISSING_MEMORY_LIMIT_KEY
    ruleId: ensure-memory-limit
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              resources:
                limits:
                  memory: "128Mi"
  - id: 5
    title: ""
    uniqueName: CONTAINERS_MISSING_CPU_LIMIT_KEY
    ruleId: ensure-cpu-limit
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              resources:
                limits:
                  cpu: "500m"
  - id: 6
    title: ""
    uniqueName: INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE
    ruleId: prevent-ingress-forwarding-traffic-to-single-container
    yamlExamples:
      - kind: Ingress
        spec:
          rules:
            - host: "*.example.com"
              http:
                - path: /foo
  - id: 7
    title: Use a different service `type` other than _NodePort_
    uniqueName: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT
    ruleId: prevent-node-port
    yamlExamples: []
  - id: 8
    title: Specify a valid cron expression
    uniqueName: CRONJOB_INVALID_SCHEDULE_VALUE
    ruleId: ensure-cronjob-scheduler-valid
    yamlExamples:
      - kind: CronJob
        spec:
          schedule: "*/1 * * * *"
  - id: 9
    title: Use valid values only (see links below for valid syntax)
    uniqueName: WORKLOAD_INVALID_LABELS_VALUE
    ruleId: ensure-labels-value-valid
    yamlExamples:
      - metadata:
          labels:
            on-call: yoda-at-datree.io
  - id: 10
    title: >-
      Set `restartPolicy` to _Always_ or don't include the `restartPolicy` key
      at all
    uniqueName: WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS
    ruleId: ensure-valid-restart-policy
    yamlExamples:
      - spec:
          template:
            spec:
              restartPolicy: Always
  - id: 11
    title: >-
      Configure a liveness probe with an HTTP request, TCP protocol or exec
      command (the least recommended option)
    uniqueName: CONTAINERS_MISSING_LIVENESSPROBE_KEY
    ruleId: ensure-liveness-probe
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              livenessProbe:
                httpGet:
                  path: /healthz
                  port: 8080
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              livenessProbe:
                tcpSocket:
                  port: 8080
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              livenessProbe:
                exec:
                  command:
                    - cat
                    - /tmp/healthy
  - id: 12
    title: >-
      Configure a readiness probe with an HTTP request, TCP protocol or exec
      command (the least recommended option)
    uniqueName: CONTAINERS_MISSING_READINESSPROBE_KEY
    ruleId: ensure-readiness-probe
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              readinessProbe:
                httpGet:
                  path: /healthz
                  port: 8080
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              readinessProbe:
                tcpSocket:
                  port: 8080
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              readinessProbe:
                exec:
                  command:
                    - cat
                    - /tmp/healthy
  - id: 13
    title: ""
    uniqueName: HPA_MISSING_MINREPLICAS_KEY
    ruleId: ensure-hpa-minimum-replicas
    yamlExamples:
      - kind: HorizontalPodAutoscaler
        spec:
          minReplicas: 1
          maxReplicas: 10
  - id: 14
    title: ""
    uniqueName: HPA_MISSING_MAXREPLICAS_KEY
    ruleId: ensure-hpa-maximum-replicas
    yamlExamples:
      - kind: HorizontalPodAutoscaler
        spec:
          minReplicas: 1
          maxReplicas: 10
  - id: 15
    title: ""
    uniqueName: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT
    ruleId: prevent-deafult-namespce
    yamlExamples:
      - metadata:
          namespace: test
  - id: 16
    title: Set the number of `replicas` to be greater than 1
    uniqueName: DEPLOYMENT_INCORRECT_REPLICAS_VALUE
    ruleId: ensure-minimum-two-replicas
    yamlExamples:
      - kind: Deployment
        spec:
          replicas: 2
  - id: 17
    title: ""
    uniqueName: CRONJOB_MISSING_STARTINGDEADLINESECOND_KEY
    ruleId: ensure-cronjob-deadline
    yamlExamples:
      - kind: CronJob
        spec:
          schedule: "*/1 * * * *"
          startingDeadlineSeconds: 100
  - id: 18
    title: >-
      Use a supported API version instead of the deprecated one:


      | Deprecated API version | Supported API version |

      |-------------|---------------|

      | `apiextensions.k8s.io/v1beta1` | `apiextensions.k8s.io/v1` |

      | `admissionregistration.k8s.io/v1beta1` | `admissionregistration.k8s.io/v1` |


      **Example**:

    uniqueName: K8S_DEPRECATED_APIVERSION_1.16
    ruleId: prevent-deprecated-k8s-api-116
    yamlExamples:
      - apiVersion: apiextensions.k8s.io/v1
        kind: CustomResourceDefinition
  - id: 19
    title: Use _v1_ instead of the deprecated version
    uniqueName: K8S_DEPRECATED_APIVERSION_1.17
    ruleId: prevent-deprecated-k8s-api-117
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
  - id: 20
    title: Set `privileged` to _false_ or remove this property completely
    uniqueName: CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE
    ruleId: prevent-privileged-containers
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              securityContext:
                privileged: false
  - id: 21
    title: ""
    uniqueName: WORKLOAD_MISSING_LABEL_OWNER_VALUE
    ruleId: ensure-owner-label
    yamlExamples:
      - metadata:
          labels:
            env: prod
            owner: yoda-at-datree.io
  - id: 22
    title: ""
    uniqueName: DEPLOYMENT_MISSING_LABEL_ENV_VALUE
    ruleId: ensure-env-label
    yamlExamples:
      - kind: Deployment
        metadata:
          labels:
            env: prod
            owner: yoda-at-datree.io
  - id: 23
    title: Each container image should have an image ID (aka image SHA)
    uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST
    ruleId: ensure-digest-tag
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
  - id: 24
    title: Set `concurrencyPolicy` to either _Forbid_ or _Replace_
    uniqueName: CRONJOB_MISSING_CONCURRENCYPOLICY_KEY
    ruleId: prevent-cronjob-concurrency
    yamlExamples:
      - kind: CronJob
        spec:
          concurrencyPolicy: Forbid
      - kind: CronJob
        spec:
          concurrencyPolicy: Replace
  - id: 25
    title: Deploy pods using higher-level resources
    uniqueName: K8S_INCORRECT_KIND_VALUE_POD
    ruleId: prevent-naked-pods
    yamlExamples:
      - apiVersion: apps/v1
        kind: Deployment
  - id: 26
    title: Set the `hostPID` to _false_ or remove it completely
    uniqueName: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE
    ruleId: prevent-using-host-pid
    yamlExamples:
      - spec:
          hostPID: false
  - id: 27
    title: Set the `hostIPC` to _false_ or remove it completely
    uniqueName: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE
    ruleId: prevent-using-host-ipc
    yamlExamples:
      - spec:
          hostIPC: false
  - id: 28
    title: Set the `hostNetwork` to _false_ or remove it completely
    uniqueName: CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE
    ruleId: prevent-using-host-network
    yamlExamples:
      - spec:
          hostNetwork: false
  - id: 29
    title: Set `runAsUser` to a number bigger than 9999
    uniqueName: CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID
    ruleId: prevent-uid-conflicts
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
              securityContext:
                runAsUser: 25000
  - id: 30
    title: Avoid mounting the Docker socket
    uniqueName: CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET
    ruleId: prevent-mounting-docker-socket
    yamlExamples:
      - spec:
          containers:
            - name: app
              image: nginx:1.19.8
  - id: 31
    title: ""
    uniqueName: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE
    ruleId: prevent-configmap-security-vulnerability-cve-2021-25742
    yamlExamples:
      - kind: ConfigMap
        metadata:
          namespace: nginx-ingress
        data:
          allow-snippet-annotations: "false"
  - id: 32
    title: Refrain from using this vulnerable annotation.
    uniqueName: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY
    ruleId: prevent-ingress-security-vulnerability-cve-2021-25742
    yamlExamples:
      - kind: Ingress
        metadata:
          annotations:
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  - id: 33
    title: >-
      CVE-2021-25741 was fixed in the following Kubernetes versions:


      - v1.22.2

      - v1.21.5

      - v1.20.11

      - v1.19.15


      To mitigate this vulnerability without upgrading kubelet, you can disable
      the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove
      any existing pods making use of the feature.
    uniqueName: CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY
    ruleId: prevent-container-security-vulnerability-cve-2021-25741
    yamlExamples:
      - spec:
          containers:
            volumeMounts:
              - mountPath: /var/lib/mysql
                name: site-data
  - id: 34
    title: "Use endpoint addresses that are not in the vulnerable ranges (**127.0.0.0/8**\_and\_**169.254.0.0/16**)."
    uniqueName: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE
    ruleId: >-
      prevent-endpointslice-validation-from-enabling-host-network-hijack-cve-2021-25737
    yamlExamples:
      - kind: EndpointSlice
        endpoints:
          - addresses:
              - "172.23.47.4"
  - id: 35
    title: ""
    uniqueName: ARGO_WORKFLOW_INCORRECT_FAILFAST_VALUE_FALSE
    ruleId: ensure-workflow-dag-fail-fast-on-node-failure
    yamlExamples: []
  - id: 36
    title: "Set the `serviceAccountName` key and give it a value:"
    uniqueName: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT
    ruleId: prevent-workflow-pods-from-using-the-default-service-account
    yamlExamples:
      - kind: Workflow
        spec:
          serviceAccountName: mySrvAcc
  - id: 37
    title: "Set the `app.kubernetes.io/part-of` key with a value of '_argocd_':"
    uniqueName: ARGO_CONFIGMAP_MISSING_PART_OF_LABEL_VALUE_ARGOCD
    ruleId: ensure-configmap-is-recognized-by-argocd
    yamlExamples:
      - kind: ConfigMap
        metadata:
          labels:
            app.kubernetes.io/part-of: argocd
  - id: 38
    title: "Set the `duration` key and give it a value:"
    uniqueName: ARGO_ROLLOUT_MISSING_PAUSE_DURATION
    ruleId: ensure-rollout-pause-step-has-a-configured-duration
    yamlExamples:
      - kind: Rollout
        spec:
          strategy:
            canary:
              steps:
                - pause:
                    duration: 1h # 1 hour
  - id: 39
    title: "Set the `namespace` key with a value of '_argocd_':"
    uniqueName: ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE
    ruleId: ensure-application-and-appproject-are-part-of-the-argocd-namespace
    yamlExamples:
      - kind: Application
        metadata:
          namespace: argocd
  - id: 40
    title: "Set the `retryStrategy` key with a non-empty value or don't set it at all:"
    uniqueName: ARGO_WORKFLOW_INCORRECT_RETRY_STRATEGY_VALUE_EMPTY
    ruleId: prevent-workflow-from-having-an-empty-retry-strategy
    yamlExamples:
      - kind: Workflow
        spec:
          templates:
            - retryStrategy:
                limit: 10
  - id: 41
    title: "Set the `revisionHistoryLimit` key with a non-zero value:"
    uniqueName: ARGO_WORKFLOW_INCORRECT_REVISION_HISTORY_LIMIT_VALUE_0
    ruleId: ensure-rollout-has-revision-history-set
    yamlExamples:
      - kind: Rollout
        spec:
          revisionHistoryLimit: 3
  - id: 42
    title: "Set the `scaleDownDelaySeconds` key with value of at least 30:"
    uniqueName: ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30
    ruleId: ensure-rollout-allows-broadcasting-ip-table-changes
    yamlExamples:
      - kind: Rollout
        spec:
          strategy:
            blueGreen:
              scaleDownDelaySeconds: 30
  - id: 43
    title: "Set the `progressDeadlineAbort` key with value of '_true_':"
    uniqueName: ARGO_ROLLOUT_INCORRECT_PROGRESS_DEADLINE_ABORT_VALUE_FALSE
    ruleId: ensure-rollout-that-is-marked-as-degraded-scales-down-replicaset
    yamlExamples:
      - kind: Rollout
        spec:
          progressDeadlineSeconds: 700
          progressDeadlineAbort: true
  - id: 44
    title: >-
      When using a `retryPolicy` of `Always`, set the `expression` key with the
      following value:
    uniqueName: ARGO_WORKFLOW_ENSURE_RETRY_ON_BOTH_ERROR_AND_TRANSIENT_ERROR
    ruleId: ensure-workflow-retry-policy-catches-relevant-errors-only
    yamlExamples:
      - kind: Workflow
        spec:
          templates:
            - retryStrategy:
                retryPolicy: "Always"
                expression: 'lastRetry.status == "Error" or (lastRetry.status == "Failed" and asInt(lastRetry.exitCode) not in [0])'
  - id: 45
    title: >-
      Set the `readOnlyRootFilesystem` key with a value of _true_ either at
      **pod** level or **container** level:
    uniqueName: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE
    ruleId: ensure-read-only-filesystem
    yamlExamples:
      - kind: Pod
        spec:
          securityContext:
            readOnlyRootFilesystem: true
      - kind: Deployment
        spec:
          containers:
            - name: myContainer
              securityContext:
                readOnlyRootFilesystem: true
  - id: 46
    title: Refrain from using the `hostPath` mount
    uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPATH
    ruleId: prevent-accessing-underlying-host
    yamlExamples:
      - spec:
          volumes:
            - name: myVolume
  - id: 47
    title: "Set the `allowPrivilegeEscalation` key to _false_:"
    uniqueName: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION
    ruleId: prevent-escalating-privileges
    yamlExamples:
      - kind: Deployment
        spec:
          template:
            spec:
              containers:
                - name: myContainer
                  securityContext:
                    allowPrivilegeEscalation: false
  - id: 48
    title: >-
      Refrain from setting these privileges in your `Role` and `ClusterRole`
      resources.
    uniqueName: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE
    ruleId: prevent-allowing-command-execution
    yamlExamples:
      - kind: Role
        rules:
          - verbs: ["get"]
  - id: 49
    title: Refrain from setting any unnecessary insecure capabilities.
    uniqueName: CONTAINERS_INVALID_CAPABILITIES_VALUE
    ruleId: prevent-insecure-capabilities
    yamlExamples:
      - kind: Pod
        spec:
          containers:
            - securityContext:
                capabilities:
                  add: ["SYS_TIME"]
  - id: 50
    title: >-
      Refrain from using the `hostPort` key (use `NodePort` or `ClusterIP`
      instead).
    uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPORT
    ruleId: prevent-insecurely-exposing-workload
    yamlExamples:
      - kind: Service
        spec:
          type: NodePort
  - id: 51
    title: "Set runAsGroup to a value higher than _999_:"
    uniqueName: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID
    ruleId: prevent-accessing-host-files-by-using-high-gids
    yamlExamples:
      - kind: Pod
        spec:
          securityContext:
            runAsGroup: 4000
      - kind: Deployment
        spec:
          containers:
            - name: myContainer
              securityContext:
                runAsGroup: 4000
  - id: 52
    title: "Set `runAsNonRoot` to `true`:"
    uniqueName: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE
    ruleId: prevent-running-with-root-privileges
    yamlExamples:
      - kind: Pod
        spec:
          securityContext:
            runAsNonRoot: true
      - kind: Deployment
        spec:
          containers:
            - name: myContainer
              securityContext:
                runAsNonRoot: true
  - id: 53
    title: >-
      Set `automountServiceAccountToken` to _false_ either at the
      `ServiceAccount` level or at the individual `Pod` level (`Pod` level takes
      precedence):
    uniqueName: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE
    ruleId: prevent-service-account-token-auto-mount
    yamlExamples:
      - kind: ServiceAccount
        automountServiceAccountToken: false
      - kind: Pod
        spec:
          automountServiceAccountToken: false
          containers:
            - name: myContainer
  - id: 54
    title: Set either `name` or `generateName` and give it a value
    uniqueName: RESOURCE_MISSING_NAME
    ruleId: ensure-resource-name
    yamlExamples:
      - apiVersion: networking.k8s.io/v1beta1
        kind: Ingress
        metadata:
          name: "myGreatIngress"
          namespace: "myGreatNamespace"
  - id: 55
    title: >-
      Each container probe should have a configured `initialDelaySeconds`
      property with a minimum value of 0
    uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE
    ruleId: ensure-initial-probe-delay
    yamlExamples:
      - spec:
          containers:
            - name: myContainer
              readinessProbe:
                initialDelaySeconds: 0
  - id: 56
    title: >-
      Each container probe should have a configured `periodSeconds` property
      with a minimum value of 1
    uniqueName: CONTAINERS_INCORRECT_PERIODSECONDS_VALUE
    ruleId: ensure-probe-frequency
    yamlExamples:
      - spec:
          containers:
            - name: myContainer
              readinessProbe:
                periodSeconds: 2
  - id: 57
    title: >-
      Each container probe should have a configured `timeoutSeconds` property
      with a minimum value of 1
    uniqueName: CONTAINERS_INCORRECT_TIMEOUTSECONDS_VALUE
    ruleId: ensure-probe-timeout
    yamlExamples:
      - spec:
          containers:
            - name: myContainer
              readinessProbe:
                timeoutSeconds: 2
  - id: 58
    title: >-
      Each container probe should have a configured `successThreshold` property
      with a valid value (see above for limitations)
    uniqueName: CONTAINERS_INCORRECT_SUCCESSTHRESHOLD_VALUE
    ruleId: ensure-probe-min-success-threshold
    yamlExamples:
      - spec:
          containers:
            - name: myContainer
              readinessProbe:
                successThreshold: 2
      - spec:
          containers:
            - name: myContainer
              livenessProbe:
                successThreshold: 1
      - spec:
          containers:
            - name: myContainer
              startupProbe:
                successThreshold: 1
  - id: 59
    title: >-
      Each container probe should have a configured `failureThreshold` property
      with a minimum value of 1
    uniqueName: CONTAINERS_INCORRECT_FAILURETHRESHOLD_VALUE
    ruleId: ensure-probe-failure-threshold
    yamlExamples:
      - spec:
          containers:
            - name: myContainer
              readinessProbe:
                failureThreshold: 3
  - id: 60
    title: ""
    uniqueName: CONTAINERS_MISSING_PRESTOP_KEY
    ruleId: ensure-prestop
    yamlExamples:
      - spec:
          containers:
            - name: myNginxApp
              lifecycle:
                preStop:
                  exec:
                    command: [
                      # Gracefully shutdown nginx
                      "/usr/sbin/nginx",
                      "-s",
                      "quit",
                    ]
  - id: 61
    title: "Set the `seccompProfile` type to `Localhost` or `RuntimeDefault`:"
    uniqueName: CONTAINERS_INCORRECT_SECCOMP_PROFILE
    ruleId: prevent-system-call-privileges
    yamlExamples:
      - spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
  - id: 62
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_BITBUCKET
    ruleId: prevent-exposed-secrets-bitbucket
    yamlExamples: []
  - id: 63
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_DATADOG
    ruleId: prevent-exposed-secrets-datadog
    yamlExamples: []
  - id: 64
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_GCP
    ruleId: prevent-exposed-secrets-gcp
    yamlExamples: []
  - id: 65
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_AWS
    ruleId: prevent-exposed-secrets-aws
    yamlExamples: []
  - id: 66
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_GITHUB
    ruleId: prevent-exposed-secrets-github
    yamlExamples: []
  - id: 67
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_GITLAB
    ruleId: prevent-exposed-secrets-gitlab
    yamlExamples: []
  - id: 68
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_TERRAFORM
    ruleId: prevent-exposed-secrets-terraform
    yamlExamples: []
  - id: 69
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_HEROKU
    ruleId: prevent-exposed-secrets-heroku
    yamlExamples: []
  - id: 70
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_JWT
    ruleId: prevent-exposed-secrets-jwt
    yamlExamples: []
  - id: 71
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_LAUNCHDARKLY
    ruleId: prevent-exposed-secrets-launchdarkly
    yamlExamples: []
  - id: 72
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_NEWRELIC
    ruleId: prevent-exposed-secrets-newrelic
    yamlExamples: []
  - id: 73
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_NPM
    ruleId: prevent-exposed-secrets-npm
    yamlExamples: []
  - id: 74
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_OKTA
    ruleId: prevent-exposed-secrets-okta
    yamlExamples: []
  - id: 75
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_STRIPE
    ruleId: prevent-exposed-secrets-stripe
    yamlExamples: []
  - id: 76
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_SUMOLOGIC
    ruleId: prevent-exposed-secrets-sumologic
    yamlExamples: []
  - id: 77
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_TWILIO
    ruleId: prevent-exposed-secrets-twilio
    yamlExamples: []
  - id: 78
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_VAULT
    ruleId: prevent-exposed-secrets-vault
    yamlExamples: []
  - id: 79
    title: >-
      Do not put sensitive data in any config. Kubernetes offers the handy [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret) object to handle this.
      If you do not wish to use Secrets, take a look at these [available alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets).
    uniqueName: ALL_EXPOSED_SECRET_PRIVATEKEY
    ruleId: prevent-exposed-secrets-privatekey
    yamlExamples: []
  - id: 80
    title: "Do not configure a CPU limit:"
    uniqueName: EKS_INVALID_CPU_LIMIT
    ruleId: ensure-no-cpu-limit
    yamlExamples:
      - resources:
          requests:
            cpu: "128Mi"
  - id: 81
    title: ""
    uniqueName: EKS_INVALID_MEMORY_REQUEST_LIMIT
    ruleId: ensure-memory-request-limit-equal
    yamlExamples:
      - resources:
          requests:
            memory: "128Mi"
          limits:
            memory: "128Mi"
  - id: 82
    title: ""
    uniqueName: EKS_INVALID_CAPABILITIES_EKS
    ruleId: ensure-containers-limited-capabilities
    yamlExamples:
      - securityContext:
          capabilities:
            add:
              - AUDIT_WRITE
  - id: 83
    title: ""
    uniqueName: EKS_MISSING_KEY_TOPOLOGYKEY
    ruleId: ensure-replicas-different-nodes
    yamlExamples:
      - podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - web-server
                topologyKey: topology.kubernetes.io/zone
  - id: 84
    title: ""
    uniqueName: EKS_INVALID_VALUE_DONOOTSCHEDULE
    ruleId: prevent-pods-becoming-unschedulable
    yamlExamples:
      - spec:
          topologySpreadConstraints:
            - maxSkew: 1
              topologyKey: zone
              whenUnsatisfiable: ScheduleAnyway
              labelSelector:
                matchLabels:
                  app: foo
  - id: 85
    title: ""
    uniqueName: EKS_INVALID_HOSTPROCESS_VALUE
    ruleId: prevent-windows-containers-unnecessary-privileges
    yamlExamples:
      - spec:
          securityContext:
            windowsOptions:
              runAsUserName: "ContainerUser"
  - id: 86
    title: ""
    uniqueName: EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE
    ruleId: prevent-selinux-containers-unnecessary-privileges
    yamlExamples:
      - spec:
          containers:
            - securityContext:
                seLinuxOptions:
                  type: container_kvm_t
  - id: 87
    title: ""
    uniqueName: EKS_INVALID_SELINUXOPTIONS_USER_VALUE
    ruleId: prevent-selinux-containers-user
    yamlExamples:
      - spec:
          containers:
            - securityContext:
                seLinuxOptions:
                  type: container_kvm_t
  - id: 88
    title: ""
    uniqueName: EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE
    ruleId: prevent-selinux-containers-role
    yamlExamples:
      - spec:
          containers:
            - securityContext:
                seLinuxOptions:
                  type: container_kvm_t
  - id: 89
    title: ""
    uniqueName: EKS_INVALID_HOSTPATH_MOUNT_READONLY_VALUE
    ruleId: ensure-hostpath-mounts-readonly
    yamlExamples:
      - spec:
          volumes:
            - name: mount-this
              hostPath:
                path: /cache
                type: Directory
          containers:
            - volumeMounts:
                - mountPath: /cache
                  name: mount-this
                  readOnly: true
  - id: 90
    title: ""
    uniqueName: K8S_DEPRECATED_APIVERSION_1.19
    ruleId: prevent-deprecated-api-119
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
  - id: 91
    title: ""
    uniqueName: K8S_DEPRECATED_APIVERSION_1.21
    ruleId: prevent-deprecated-api-121
    yamlExamples:
      - apiVersion: batch/v1
        kind: CronJob
  - id: 92
    title: ""
    uniqueName: K8S_DEPRECATED_APIVERSION_1.22
    ruleId: prevent-deprecated-api-122
    yamlExamples:
      - apiVersion: autoscaling/v2
        kind: HorizontalPodAutoscaler
  - id: 93
    title: ""
    uniqueName: K8S_DEPRECATED_APIVERSION_1.23
    ruleId: prevent-deprecated-api-123
    yamlExamples:
      - apiVersion: autoscaling/v2
        kind: HorizontalPodAutoscaler
  - id: 94
    title: ""
    uniqueName: K8S_DEPRECATED_APIVERSION_1.24
    ruleId: prevent-deprecated-api-124
    yamlExamples:
      - apiVersion: storage.k8s.io/v1
        kind: CSIStorageCapacity
  - id: 95
    title: "Use a more restrictive role:"
    uniqueName: CIS_INVALID_ROLE_CLUSTER_ADMIN
    ruleId: prevent-cluster-admin-role
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        roleRef:
          kind: Role
          name: role:viewer
  - id: 96
    title: "Remove `get`, `list`, or `watch` permissions from the `secrets` resource."
    uniqueName: CIS_INVALID_VERB_SECRETS
    ruleId: prevent-access-to-secrets
    yamlExamples: []
  - id: 97
    title: "Explicitly define your desired `resources`/`verbs`:"
    uniqueName: CIS_INVALID_WILDCARD_ROLE
    ruleId: prevent-wildcards-role-clusterrole
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        rules:
          - resources: ["pods"]
            verbs: ["get", "watch", "list"]
  - id: 98
    title: "Mount secrets as files instead:"
    uniqueName: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF
    ruleId: prevent-secrets-as-env-variables
    yamlExamples:
      - apiVersion: v1
        kind: Pod
        spec:
          volumes:
            - name: secret-volume
              secret:
                secretName: ssh-key-secret
          containers:
            - name: ssh-test-container
              image: mySshImage
              volumeMounts:
                - name: secret-volume
                  readOnly: true
                  mountPath: "/etc/secret-volume"
  - id: 99
    title: >-
      Pods should have a seccomp profile set to `docker/default` or
      `runtime/default`:
    uniqueName: CIS_INVALID_VALUE_SECCOMP_PROFILE
    ruleId: ensure-seccomp-profile-default
    yamlExamples:
      - apiVersion: v1
        kind: Pod
        metadata:
          name: my-pod
          annotations:
            seccomp.security.alpha.kubernetes.io/pod: docker/default
  - id: 100
    title: "Define a security context for your pod or container:"
    uniqueName: CIS_MISSING_KEY_SECURITYCONTEXT
    ruleId: ensure-containers-pods-security-context
    yamlExamples:
      - apiVersion: v1
        kind: Pod
        spec:
          containers:
            - securityContext:
                capabilities:
                  add: ["SYS_TIME"]
  - id: 101
    title: "Do not allow `create` access to pods:"
    uniqueName: CIS_INVALID_VALUE_CREATE_POD
    ruleId: prevent-access-create-pods
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        rules:
          - resources: ["pods"]
            verbs: ["get", "watch", "list"]
  - id: 102
    title: "Add the `automountServiceAccountToken` key and set it to `false`:"
    uniqueName: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN
    ruleId: ensure-default-service-account-not-used
    yamlExamples:
      - apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: default
          namespace: default
        automountServiceAccountToken: false
  - id: 103
    title: "Drop the `NET_RAW` capability from the container:"
    uniqueName: CIS_MISSING_VALUE_DROP_NET_RAW
    ruleId: prevent-containers-net-raw-capability
    yamlExamples:
      - apiVersion: v1
        kind: Pod
        spec:
          containers:
            - name: my-pod
              image: gcr.io/google-samples/node-hello:1.0
              securityContext:
                capabilities:
                  drop: ["NET_RAW"]
  - id: 104
    title: "Use a different group:"
    uniqueName: CIS_INVALID_VALUE_SYSTEM_MASTERS
    ruleId: prevent-system-masters-group
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: do-all
          namespace: default
        subjects:
          - kind: User
            name: jane
            apiGroup: rbac.authorization.k8s.io
  - id: 105
    title: "Remove the aforementioned permissions:"
    uniqueName: CIS_INVALID_VALUE_BIND_IMPERSONATE_ESCALATE
    ruleId: prevent-role-privilege-escalation
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        rules:
          - apiGroups: [""]
            resources: ["pods"]
            verbs: ["get", "watch", "list"]
  - id: 106
    title: >-
      Use a supported API version instead of the removed one:


      | Removed API version | Supported API version |

      |-------------|---------------|

      | `admissionregistration.k8s.io/v1beta1` | `admissionregistration.k8s.io/v1` |

      | `apiextensions.k8s.io/v1beta1` | `apiextensions.k8s.io/v1` |

      | `apiregistration.k8s.io/v1beta1` | `apiregistration.k8s.io/v1` |

      | `authentication.k8s.io/v1beta1` | `authentication.k8s.io/v1` |

      | `authorization.k8s.io/v1beta1` | `authorization.k8s.io/v1` |

      | `certificates.k8s.io/v1beta1` | `certificates.k8s.io/v1` |

      | `coordination.k8s.io/v1beta1` | `coordination.k8s.io/v1` |

      | `extensions/v1beta1`, `networking.k8s.io/v1beta1` | `networking.k8s.io/v1` |

      | `rbac.authorization.k8s.io/v1beta1` | `rbac.authorization.k8s.io/v1` |

      | `scheduling.k8s.io/v1beta1` | `scheduling.k8s.io/v1` |

      | `storage.k8s.io/v1beta1` | `storage.k8s.io/v1` |


      **Example**:

    uniqueName: K8S_REMOVED_APIVERSION_1.22
    ruleId: prevent-removed-api-122
    yamlExamples:
      - apiVersion: admissionregistration.k8s.io/v1
        kind: MutatingWebhookConfiguration
  - id: 107
    title: >-
      Use a supported API version instead of the removed one:

      | Removed API version | Supported API version |

      |-------------|---------------|

      | `rbac.authorization.k8s.io/v1alpha1` | `rbac.authorization.k8s.io/v1` |

      | `scheduling.k8s.io/v1alpha1` | `scheduling.k8s.io/v1` |


      **Example**:

    uniqueName: K8S_REMOVED_APIVERSION_1.23
    ruleId: prevent-removed-api-123
    yamlExamples:
      - apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
  - id: 108
    title: >-
      Use a supported API version instead of the removed one:


      | Removed API version | Supported API version |

      |-------------|---------------|

      | `client.authentication.k8s.io/v1alpha1` | `client.authentication.k8s.io/v1` |

      | `node.k8s.io/v1alpha1` | `node.k8s.io/v1` |


      **Example**:

    uniqueName: K8S_REMOVED_APIVERSION_1.24
    ruleId: prevent-removed-api-124
    yamlExamples:
      - apiVersion: client.authentication.k8s.io/v1
        kind: ExecCredential
  - id: 109
    title: >-
      Use a supported API
version instead of the removed one: 1185 1186 1187 | Removed API version | Supported API version | 1188 1189 |-------------|---------------| 1190 1191 | `batch/v1beta1` | `batch/v1` | 1192 1193 | `discovery.k8s.io/v1beta1` | `discovery.k8s.io/v1` | 1194 1195 | `events.k8s.io/v1beta1` | `events.k8s.io/v1` | 1196 1197 | `autoscaling/v2beta1` | `autoscaling/v2` | 1198 1199 | `policy/v1beta1` | `policy/v1` | 1200 1201 | `node.k8s.io/v1beta1` | `node.k8s.io/v1` | 1202 1203 1204 **Example**: 1205 1206 uniqueName: K8S_REMOVED_APIVERSION_1.25 1207 ruleId: prevent-removed-api-125 1208 yamlExamples: 1209 - apiVersion: events.k8s.io/v1 1210 kind: Event 1211 - id: 110 1212 title: >- 1213 Use a supported API version instead of the removed one: 1214 1215 1216 | Removed API version | Supported API version | 1217 1218 |-------------|---------------| 1219 1220 | `flowcontrol.apiserver.k8s.io/v1beta1` | `flowcontrol.apiserver.k8s.io/v1beta3` | 1221 1222 | `autoscaling/v2beta2` | `autoscaling/v2` | 1223 1224 1225 **Example**: 1226 1227 uniqueName: K8S_REMOVED_APIVERSION_1.26 1228 ruleId: prevent-removed-api-126 1229 yamlExamples: 1230 - apiVersion: autoscaling/v2 1231 kind: HorizontalPodAutoscaler 1232 - id: 111 1233 title: >- 1234 Use a supported API version instead of the removed one: 1235 1236 1237 | Removed API version | Supported API version | 1238 1239 |-------------|---------------| 1240 1241 | `storage.k8s.io/v1beta1` | `storage.k8s.io/v1` | 1242 1243 1244 **Example**: 1245 1246 uniqueName: K8S_REMOVED_APIVERSION_1.27 1247 ruleId: prevent-removed-api-127 1248 yamlExamples: 1249 - apiVersion: storage.k8s.io/v1 1250 kind: CSIStorageCapacity
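The RBAC entries above (ids 96, 97, 101, 104 and 105) each show only the compliant manifest. The following is an added example, not datree's code, of the detection side: a small checker that takes a Role/ClusterRole or a RoleBinding/ClusterRoleBinding as a Python dict (the JSON form of the YAML, so it needs no YAML library) and reports which of those entries it violates, reusing the page's uniqueName values as finding names. One deliberate choice that goes beyond the literal rules: a `"*"` in `verbs` or `resources` is treated as granting everything, so a wildcard rule is also reported as secrets read access, pod creation and escalation, because that is what the API server will actually allow. The sample manifests are constructed for this example.

```python
"""RBAC checks for the Role/RoleBinding how-to-fix entries above.

Added example, not part of datree. Manifests are Python dicts (the JSON form
of the YAML) so this runs with the standard library only.
"""

READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"bind", "impersonate", "escalate"}


def _covers(granted, wanted):
    """True if a rule's verbs/resources list includes `wanted`.

    A literal "*" matches everything: a Role with verbs ["*"] on secrets can
    read them even though "get" never appears in the manifest.
    """
    return "*" in granted or wanted in granted


def check_role(manifest):
    """Findings for a Role/ClusterRole as (uniqueName, rule index) tuples."""
    findings = []
    for i, rule in enumerate(manifest.get("rules", [])):
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        # id 97: wildcards in resources or verbs
        if "*" in resources or "*" in verbs:
            findings.append(("CIS_INVALID_WILDCARD_ROLE", i))
        # id 96: get/list/watch on secrets
        if _covers(resources, "secrets") and any(_covers(verbs, v) for v in READ_VERBS):
            findings.append(("CIS_INVALID_VERB_SECRETS", i))
        # id 101: create on pods (a new pod can mount any secret in the namespace)
        if _covers(resources, "pods") and _covers(verbs, "create"):
            findings.append(("CIS_INVALID_VALUE_CREATE_POD", i))
        # id 105: bind/impersonate/escalate let a subject grow its own permissions
        if any(_covers(verbs, v) for v in ESCALATION_VERBS):
            findings.append(("CIS_INVALID_VALUE_BIND_IMPERSONATE_ESCALATE", i))
    return findings


def check_binding(manifest):
    """id 104: findings for a binding whose subject is the system:masters group."""
    findings = []
    for i, subject in enumerate(manifest.get("subjects", [])):
        if subject.get("kind") == "Group" and subject.get("name") == "system:masters":
            findings.append(("CIS_INVALID_VALUE_SYSTEM_MASTERS", i))
    return findings


def check(manifest):
    """Dispatch on kind; non-RBAC objects produce no findings."""
    kind = manifest.get("kind")
    if kind in ("Role", "ClusterRole"):
        return check_role(manifest)
    if kind in ("RoleBinding", "ClusterRoleBinding"):
        return check_binding(manifest)
    return []


# Constructed samples: one Role that trips four of the entries, plus the
# compliant Role and RoleBinding shown on this page.
BAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "too-broad", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]},
    ],
}
GOOD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
BAD_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "do-all"},
    "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": "rbac.authorization.k8s.io"}],
}
GOOD_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "do-all", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "jane", "apiGroup": "rbac.authorization.k8s.io"}],
}

if __name__ == "__main__":
    for m in (BAD_ROLE, GOOD_ROLE, BAD_BINDING, GOOD_BINDING):
        print(m["kind"], m.get("metadata", {}).get("name"), check(m))
```

The checker only looks at the object in front of it. A RoleBinding that is clean here can still be dangerous if its `roleRef` points at a Role that fails `check_role`, so in practice run both halves over a whole namespace dump and join them on the role name.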
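The pod-level entries above (ids 98, 99 and 103) likewise show only the fixed manifest. This added example, not datree's code, checks those three points on a Pod or on the pod template embedded in a Deployment, Job or CronJob. Two caveats a practitioner needs are built in: the `seccomp.security.alpha.kubernetes.io/pod` annotation shown in entry 99 has been deprecated since Kubernetes 1.19 in favor of `securityContext.seccompProfile`, so the check accepts either form; and a container-level `seccompProfile` overrides the pod-level one, so a single `Unconfined` container defeats an otherwise compliant pod. The sample manifests are constructed for this example.

```python
"""Pod-level checks for the seccomp, secrets-as-env and NET_RAW entries above.

Added example, not part of datree. Manifests are Python dicts (the JSON form
of the YAML); workloads that embed a pod template are unwrapped first.
"""

SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
DEFAULT_ANNOTATION_PROFILES = {"docker/default", "runtime/default"}


def pod_template(manifest):
    """Return (metadata, spec) of a Pod, or of the pod template a workload embeds."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest.get("spec", {})
    spec = manifest.get("spec", {})
    if "jobTemplate" in spec:  # CronJob nests a Job, which nests the pod template
        spec = spec["jobTemplate"].get("spec", {})
    template = spec.get("template", {})
    return template.get("metadata", {}), template.get("spec", {})


def all_containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def has_default_seccomp(metadata, spec):
    """id 99: every container must end up under the runtime's default profile.

    Accepts the (deprecated) annotation or securityContext.seccompProfile at
    pod level; a container-level seccompProfile overrides the pod-level one.
    """
    annotation_ok = metadata.get("annotations", {}).get(SECCOMP_ANNOTATION) in DEFAULT_ANNOTATION_PROFILES
    field_ok = spec.get("securityContext", {}).get("seccompProfile", {}).get("type") == "RuntimeDefault"
    pod_default = "RuntimeDefault" if (annotation_ok or field_ok) else None
    containers = all_containers(spec)
    if not containers:
        return pod_default is not None
    for c in containers:
        own = c.get("securityContext", {}).get("seccompProfile", {}).get("type")
        if (own or pod_default) != "RuntimeDefault":
            return False
    return True


def secret_env_refs(spec):
    """id 98: containers that pull Secrets into the environment via env/envFrom."""
    names = []
    for c in all_containers(spec):
        by_key = any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", []))
        whole = any("secretRef" in e for e in c.get("envFrom", []))
        if by_key or whole:
            names.append(c.get("name"))
    return names


def keeps_net_raw(spec):
    """id 103: containers that do not drop NET_RAW (dropping ALL also satisfies it)."""
    names = []
    for c in all_containers(spec):
        drop = c.get("securityContext", {}).get("capabilities", {}).get("drop", [])
        if not {d.upper() for d in drop} & {"NET_RAW", "ALL"}:
            names.append(c.get("name"))
    return names


def check_pod(manifest):
    """Findings as (uniqueName, container name or None) tuples."""
    metadata, spec = pod_template(manifest)
    findings = []
    if not has_default_seccomp(metadata, spec):
        findings.append(("CIS_INVALID_VALUE_SECCOMP_PROFILE", None))
    findings += [("CIS_INVALID_KEY_SECRETKEYREF_SECRETREF", n) for n in secret_env_refs(spec)]
    findings += [("CIS_MISSING_VALUE_DROP_NET_RAW", n) for n in keeps_net_raw(spec)]
    return findings


# Constructed samples.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:1.19.8",
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
    }]},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"metadata": {"labels": {"app": "web"}}, "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "db", "secret": {"secretName": "db"}}],
        "containers": [{
            "name": "web", "image": "nginx:1.19.8",
            "volumeMounts": [{"name": "db", "mountPath": "/etc/db", "readOnly": True}],
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
        }],
    }}},
}
UNCONFINED_SIDECAR = {  # compliant annotation at pod level, undone by one container
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "annotations": {SECCOMP_ANNOTATION: "runtime/default"}},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.19.8",
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
        {"name": "shell", "image": "busybox:1.36",
         "securityContext": {"seccompProfile": {"type": "Unconfined"},
                             "capabilities": {"drop": ["NET_RAW"]}}},
    ]},
}

if __name__ == "__main__":
    for m in (BAD_POD, GOOD_DEPLOYMENT, UNCONFINED_SIDECAR):
        print(m["kind"], m["metadata"]["name"], check_pod(m))
```

Mounting a Secret as a volume, as in entry 98, keeps it out of `kubectl describe pod`, crash dumps and child processes that inherit the environment; it does not stop a process inside the container from reading the file, so pair it with `readOnly: true` and a non-root user.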
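The removed-API entries above (ids 106 through 111) list, per Kubernetes release, the apiVersions that disappear and their replacements. This added example, not datree's code, turns those tables into a lookup and reports every object in a manifest list whose apiVersion is gone by a chosen target release. One caveat it has to handle: the tables are keyed by apiVersion only, and the same apiVersion can appear under two releases because different kinds in the same group/version were removed at different times (`storage.k8s.io/v1beta1` is listed for both 1.22 and 1.27), so the checker reports the earliest release listed, which errs toward a false positive rather than a missed removal. The sample manifests are constructed for this example.

```python
"""Checks manifests against the removed-API tables in entries 106 to 111 above.

Added example, not part of datree. The tables are keyed by apiVersion only, as
on this page, so an apiVersion listed under several releases is reported at the
earliest one.
"""

REMOVED_APIS = {
    "1.22": {
        "admissionregistration.k8s.io/v1beta1": "admissionregistration.k8s.io/v1",
        "apiextensions.k8s.io/v1beta1": "apiextensions.k8s.io/v1",
        "apiregistration.k8s.io/v1beta1": "apiregistration.k8s.io/v1",
        "authentication.k8s.io/v1beta1": "authentication.k8s.io/v1",
        "authorization.k8s.io/v1beta1": "authorization.k8s.io/v1",
        "certificates.k8s.io/v1beta1": "certificates.k8s.io/v1",
        "coordination.k8s.io/v1beta1": "coordination.k8s.io/v1",
        "extensions/v1beta1": "networking.k8s.io/v1",
        "networking.k8s.io/v1beta1": "networking.k8s.io/v1",
        "rbac.authorization.k8s.io/v1beta1": "rbac.authorization.k8s.io/v1",
        "scheduling.k8s.io/v1beta1": "scheduling.k8s.io/v1",
        "storage.k8s.io/v1beta1": "storage.k8s.io/v1",
    },
    "1.23": {
        "rbac.authorization.k8s.io/v1alpha1": "rbac.authorization.k8s.io/v1",
        "scheduling.k8s.io/v1alpha1": "scheduling.k8s.io/v1",
    },
    "1.24": {
        "client.authentication.k8s.io/v1alpha1": "client.authentication.k8s.io/v1",
        "node.k8s.io/v1alpha1": "node.k8s.io/v1",
    },
    "1.25": {
        "batch/v1beta1": "batch/v1",
        "discovery.k8s.io/v1beta1": "discovery.k8s.io/v1",
        "events.k8s.io/v1beta1": "events.k8s.io/v1",
        "autoscaling/v2beta1": "autoscaling/v2",
        "policy/v1beta1": "policy/v1",
        "node.k8s.io/v1beta1": "node.k8s.io/v1",
    },
    "1.26": {
        "flowcontrol.apiserver.k8s.io/v1beta1": "flowcontrol.apiserver.k8s.io/v1beta3",
        "autoscaling/v2beta2": "autoscaling/v2",
    },
    "1.27": {
        "storage.k8s.io/v1beta1": "storage.k8s.io/v1",
    },
}


def version_tuple(release):
    """'1.25' -> (1, 25), so releases compare numerically rather than as strings."""
    return tuple(int(part) for part in release.split("."))


def removal(api_version):
    """(release, replacement) for the earliest listed removal of api_version, else None."""
    for release in sorted(REMOVED_APIS, key=version_tuple):
        if api_version in REMOVED_APIS[release]:
            return release, REMOVED_APIS[release][api_version]
    return None


def find_removed(manifests, target_release):
    """Manifests whose apiVersion is gone by target_release, in input order.

    Each finding is (kind, apiVersion, release removed in, supported apiVersion).
    """
    findings = []
    for m in manifests:
        hit = removal(m.get("apiVersion", ""))
        if hit and version_tuple(hit[0]) <= version_tuple(target_release):
            findings.append((m.get("kind"), m["apiVersion"], hit[0], hit[1]))
    return findings


# Constructed samples: three objects on removed API versions and one current one.
MANIFESTS = [
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress", "metadata": {"name": "web"}},
    {"apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "backup"}},
    {"apiVersion": "autoscaling/v2beta2", "kind": "HorizontalPodAutoscaler", "metadata": {"name": "web"}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"}},
]

if __name__ == "__main__":
    for target in ("1.24", "1.26"):
        print(target, find_removed(MANIFESTS, target))
```

Rewriting `apiVersion` is not always the whole fix. Moving an Ingress from `extensions/v1beta1` to `networking.k8s.io/v1`, for instance, also changes the backend schema (`serviceName`/`servicePort` become `service.name`/`service.port`) and makes `pathType` mandatory, so validate the converted object against the target cluster rather than only bumping the version string.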