github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/specs/compliance/k8s-cis-1.23.yaml

---
spec:
  id: k8s-cis
  title: CIS Kubernetes Benchmarks v1.23
  description: CIS Kubernetes Benchmarks
  version: "1.23"
  relatedResources:
    - https://www.cisecurity.org/benchmark/kubernetes
  controls:
    - id: 1.1.1
      name: Ensure that the API server pod specification file permissions are set to 600 or more restrictive
      description: Ensure that the API server pod specification file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0048
      severity: HIGH
    - id: 1.1.2
      name: Ensure that the API server pod specification file ownership is set to root:root
      description: Ensure that the API server pod specification file ownership is set to root:root
      checks:
        - id: AVD-KCV-0049
      severity: HIGH
    - id: 1.1.3
      name: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
      description: Ensure that the controller manager pod specification file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0050
      severity: HIGH
    - id: 1.1.4
      name: Ensure that the controller manager pod specification file ownership is set to root:root
      description: Ensure that the controller manager pod specification file ownership is set to root:root
      checks:
        - id: AVD-KCV-0051
      severity: HIGH
    - id: 1.1.5
      name: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
      description: Ensure that the scheduler pod specification file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0052
      severity: HIGH
    - id: 1.1.6
      name: Ensure that the scheduler pod specification file ownership is set to root:root
      description: Ensure that the scheduler pod specification file ownership is set to root:root
      checks:
        - id: AVD-KCV-0053
      severity: HIGH
    - id: 1.1.7
      name: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
      description: Ensure that the etcd pod specification file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0054
      severity: HIGH
    - id: 1.1.8
      name: Ensure that the etcd pod specification file ownership is set to root:root
      description: Ensure that the etcd pod specification file ownership is set to root:root.
      checks:
        - id: AVD-KCV-0055
      severity: HIGH
    - id: 1.1.9
      name: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
      description: Ensure that the Container Network Interface files have permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0056
      severity: HIGH
    - id: 1.1.10
      name: Ensure that the Container Network Interface file ownership is set to root:root
      description: Ensure that the Container Network Interface files have ownership set to root:root
      checks:
        - id: AVD-KCV-0057
      severity: HIGH
    - id: 1.1.11
      name: Ensure that the etcd data directory permissions are set to 700 or more restrictive
      description: Ensure that the etcd data directory has permissions of 700 or more restrictive
      checks:
        - id: AVD-KCV-0058
      severity: HIGH
    - id: 1.1.12
      name: Ensure that the etcd data directory ownership is set to etcd:etcd
      description: Ensure that the etcd data directory ownership is set to etcd:etcd
      checks:
        - id: AVD-KCV-0059
      severity: LOW
    - id: 1.1.13
      name: Ensure that the admin.conf file permissions are set to 600
      description: Ensure that the admin.conf file has permissions of 600
      checks:
        - id: AVD-KCV-0060
      severity: CRITICAL
    - id: 1.1.14
      name: Ensure that the admin.conf file ownership is set to root:root
      description: Ensure that the admin.conf file ownership is set to root:root
      checks:
        - id: AVD-KCV-0061
      severity: CRITICAL
    - id: 1.1.15
      name: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
      description: Ensure that the scheduler.conf file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0062
      severity: HIGH
    - id: 1.1.16
      name: Ensure that the scheduler.conf file ownership is set to root:root
      description: Ensure that the scheduler.conf file ownership is set to root:root
      checks:
        - id: AVD-KCV-0063
      severity: HIGH
    - id: 1.1.17
      name: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
      description: Ensure that the controller-manager.conf file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0064
      severity: HIGH
    - id: 1.1.18
      name: Ensure that the controller-manager.conf file ownership is set to root:root
      description: Ensure that the controller-manager.conf file ownership is set to root:root.
      checks:
        - id: AVD-KCV-0065
      severity: HIGH
    - id: 1.1.19
      name: Ensure that the Kubernetes PKI directory and file ownership is set to root:root
      description: Ensure that the Kubernetes PKI directory and file ownership is set to root:root
      checks:
        - id: AVD-KCV-0066
      severity: CRITICAL
    - id: 1.1.20
      name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive
      description: Ensure that Kubernetes PKI certificate files have permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0068
      severity: CRITICAL
    - id: 1.1.21
      name: Ensure that the Kubernetes PKI key file permissions are set to 600
      description: Ensure that Kubernetes PKI key files have permissions of 600
      checks:
        - id: AVD-KCV-0067
      severity: CRITICAL
    - id: 1.2.1
      name: Ensure that the --anonymous-auth argument is set to false
      description: Disable anonymous requests to the API server
      checks:
        - id: AVD-KCV-0001
      severity: MEDIUM
    - id: 1.2.2
      name: Ensure that the --token-auth-file parameter is not set
      description: Do not use token based authentication
      checks:
        - id: AVD-KCV-0002
      severity: LOW
    - id: 1.2.3
      name: Ensure that the --DenyServiceExternalIPs is not set
      description: This admission controller rejects all net-new usage of the Service field externalIPs
      checks:
        - id: AVD-KCV-0003
      severity: LOW
    - id: 1.2.4
      name: Ensure that the --kubelet-https argument is set to true
      description: Use https for kubelet connections
      checks:
        - id: AVD-KCV-0004
      severity: LOW
    - id: 1.2.5
      name: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
      description: Enable certificate based kubelet authentication
      checks:
        - id: AVD-KCV-0005
      severity: HIGH
    - id: 1.2.6
      name: Ensure that the --kubelet-certificate-authority argument is set as appropriate
      description: Verify the kubelet's certificate before establishing a connection
      checks:
        - id: AVD-KCV-0006
      severity: HIGH
    - id: 1.2.7
      name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
      description: Do not always authorize all requests
      checks:
        - id: AVD-KCV-0007
      severity: LOW
    - id: 1.2.8
      name: Ensure that the --authorization-mode argument includes Node
      description: Restrict kubelet nodes to reading only objects associated with them
      checks:
        - id: AVD-KCV-0008
      severity: HIGH
    - id: 1.2.9
      name: Ensure that the --authorization-mode argument includes RBAC
      description: Turn on Role Based Access Control
      checks:
        - id: AVD-KCV-0009
      severity: HIGH
    - id: 1.2.10
      name: Ensure that the admission control plugin EventRateLimit is set
      description: Limit the rate at which the API server accepts requests
      checks:
        - id: AVD-KCV-0010
      severity: HIGH
    - id: 1.2.11
      name: Ensure that the admission control plugin AlwaysAdmit is not set
      description: Do not allow all requests
      checks:
        - id: AVD-KCV-0011
      severity: LOW
    - id: 1.2.12
      name: Ensure that the admission control plugin AlwaysPullImages is set
      description: Always pull images
      checks:
        - id: AVD-KCV-0012
      severity: MEDIUM
    - id: 1.2.13
      name: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
      description: The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster
      checks:
        - id: AVD-KCV-0013
      severity: MEDIUM
    - id: 1.2.14
      name: Ensure that the admission control plugin ServiceAccount is set
      description: Automate service accounts management
      checks:
        - id: AVD-KCV-0014
      severity: LOW
    - id: 1.2.15
      name: Ensure that the admission control plugin NamespaceLifecycle is set
      description: Reject creating objects in a namespace that is undergoing termination
      checks:
        - id: AVD-KCV-0015
      severity: LOW
    - id: 1.2.16
      name: Ensure that the admission control plugin NodeRestriction is set
      description: Limit the Node and Pod objects that a kubelet could modify
      checks:
        - id: AVD-KCV-0016
      severity: LOW
    - id: 1.2.17
      name: Ensure that the --secure-port argument is not set to 0
      description: Do not disable the secure port
      checks:
        - id: AVD-KCV-0017
      severity: HIGH
    - id: 1.2.18
      name: Ensure that the --profiling argument is set to false
      description: Disable profiling, if not needed
      checks:
        - id: AVD-KCV-0018
      severity: LOW
    - id: 1.2.19
      name: Ensure that the --audit-log-path argument is set
      description: Enable auditing on the Kubernetes API Server and set the desired audit log path.
      checks:
        - id: AVD-KCV-0019
      severity: LOW
    - id: 1.2.20
      name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
      description: Retain the logs for at least 30 days or as appropriate
      checks:
        - id: AVD-KCV-0020
      severity: LOW
    - id: 1.2.21
      name: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
      description: Retain 10 or an appropriate number of old log files
      checks:
        - id: AVD-KCV-0021
      severity: LOW
    - id: 1.2.22
      name: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
      description: Rotate log files on reaching 100 MB or as appropriate
      checks:
        - id: AVD-KCV-0022
      severity: LOW
    - id: 1.2.24
      name: Ensure that the --service-account-lookup argument is set to true
      description: Validate service account before validating token
      checks:
        - id: AVD-KCV-0024
      severity: LOW
    - id: 1.2.25
      name: Ensure that the --service-account-key-file argument is set as appropriate
      description: Explicitly set a service account public key file for service accounts on the apiserver
      checks:
        - id: AVD-KCV-0025
      severity: LOW
    - id: 1.2.26
      name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
      description: etcd should be configured to make use of TLS encryption for client connections
      checks:
        - id: AVD-KCV-0026
      severity: LOW
    - id: 1.2.27
      name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
      description: Setup TLS connection on the API server
      checks:
        - id: AVD-KCV-0027
      severity: MEDIUM
    - id: 1.2.28
      name: Ensure that the --client-ca-file argument is set as appropriate
      description: Setup TLS connection on the API server
      checks:
        - id: AVD-KCV-0028
      severity: LOW
    - id: 1.2.29
      name: Ensure that the --etcd-cafile argument is set as appropriate
      description: etcd should be configured to make use of TLS encryption for client connections.
      checks:
        - id: AVD-KCV-0029
      severity: LOW
    - id: 1.2.30
      name: Ensure that the --encryption-provider-config argument is set as appropriate
      description: Encrypt etcd key-value store
      checks:
        - id: AVD-KCV-0030
      severity: LOW
    - id: 1.3.1
      name: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
      description: Activate garbage collector on pod termination, as appropriate
      checks:
        - id: AVD-KCV-0033
      severity: MEDIUM
    - id: 1.3.3
      name: Ensure that the --use-service-account-credentials argument is set to true
      description: Use individual service account credentials for each controller
      checks:
        - id: AVD-KCV-0035
      severity: MEDIUM
    - id: 1.3.4
      name: Ensure that the --service-account-private-key-file argument is set as appropriate
      description: Explicitly set a service account private key file for service accounts on the controller manager
      checks:
        - id: AVD-KCV-0036
      severity: MEDIUM
    - id: 1.3.5
      name: Ensure that the --root-ca-file argument is set as appropriate
      description: Allow pods to verify the API server's serving certificate before establishing connections
      checks:
        - id: AVD-KCV-0037
      severity: MEDIUM
    - id: 1.3.6
      name: Ensure that the RotateKubeletServerCertificate argument is set to true
      description: Enable kubelet server certificate rotation on controller-manager
      checks:
        - id: AVD-KCV-0038
      severity: MEDIUM
    - id: 1.3.7
      name: Ensure that the --bind-address argument is set to 127.0.0.1
      description: Do not bind the scheduler service to non-loopback insecure addresses
      checks:
        - id: AVD-KCV-0039
      severity: LOW
    - id: 1.4.1
      name: Ensure that the --profiling argument is set to false
      description: Disable profiling, if not needed
      checks:
        - id: AVD-KCV-0034
      severity: MEDIUM
    - id: 1.4.2
      name: Ensure that the --bind-address argument is set to 127.0.0.1
      description: Do not bind the scheduler service to non-loopback insecure addresses
      checks:
        - id: AVD-KCV-0041
      severity: CRITICAL
    - id: 2.1
      name: Ensure that the --cert-file and --key-file arguments are set as appropriate
      description: Configure TLS encryption for the etcd service
      checks:
        - id: AVD-KCV-0042
      severity: MEDIUM
    - id: 2.2
      name: Ensure that the --client-cert-auth argument is set to true
      description: Enable client authentication on etcd service
      checks:
        - id: AVD-KCV-0043
      severity: CRITICAL
    - id: 2.3
      name: Ensure that the --auto-tls argument is not set to true
      description: Do not use self-signed certificates for TLS
      checks:
        - id: AVD-KCV-0044
      severity: CRITICAL
    - id: 2.4
      name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
      description: etcd should be configured to make use of TLS encryption for peer connections.
      checks:
        - id: AVD-KCV-0045
      severity: CRITICAL
    - id: 2.5
      name: Ensure that the --peer-client-cert-auth argument is set to true
      description: etcd should be configured for peer authentication
      checks:
        - id: AVD-KCV-0046
      severity: CRITICAL
    - id: 2.6
      name: Ensure that the --peer-auto-tls argument is not set to true
      description: Do not use self-signed certificates for TLS
      checks:
        - id: AVD-KCV-0047
      severity: HIGH
    - id: 3.1.1
      name: Client certificate authentication should not be used for users (Manual)
      description: Kubernetes provides the option to use client certificates for user authentication. However, as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose
      checks: null
      severity: HIGH
    - id: 3.2.1
      name: Ensure that a minimal audit policy is created (Manual)
      description: Kubernetes can audit the details of requests made to the API server. The --audit-policy-file flag must be set for this logging to be enabled.
      checks: null
      severity: HIGH
    - id: 3.2.2
      name: Ensure that the audit policy covers key security concerns (Manual)
      description: Ensure that the audit policy created for the cluster covers key security concerns
      checks: null
      severity: HIGH
    - id: 4.1.1
      name: Ensure that the kubelet service file permissions are set to 600 or more restrictive
      description: Ensure that the kubelet service file has permissions of 600 or more restrictive.
      checks:
        - id: AVD-KCV-0069
      severity: HIGH
    - id: 4.1.2
      name: Ensure that the kubelet service file ownership is set to root:root
      description: Ensure that the kubelet service file ownership is set to root:root
      checks:
        - id: AVD-KCV-0070
      severity: HIGH
    - id: 4.1.3
      name: If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
      description: If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0071
      severity: HIGH
    - id: 4.1.4
      name: If proxy kubeconfig file exists ensure ownership is set to root:root
      description: If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root
      checks:
        - id: AVD-KCV-0072
      severity: HIGH
    - id: 4.1.5
      name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
      description: Ensure that the kubelet.conf file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0073
      severity: HIGH
    - id: 4.1.6
      name: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
      description: Ensure that the kubelet.conf file ownership is set to root:root
      checks:
        - id: AVD-KCV-0074
      severity: HIGH
    - id: 4.1.7
      name: Ensure that the certificate authorities file permissions are set to 600 or more restrictive
      description: Ensure that the certificate authorities file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0075
      severity: CRITICAL
    - id: 4.1.8
      name: Ensure that the client certificate authorities file ownership is set to root:root
      description: Ensure that the certificate authorities file ownership is set to root:root
      checks:
        - id: AVD-KCV-0076
      severity: CRITICAL
    - id: 4.1.9
      name: If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
      description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive
      checks:
        - id: AVD-KCV-0077
      severity: HIGH
    - id: 4.1.10
      name: If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
      description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root
      checks:
        - id: AVD-KCV-0078
      severity: HIGH
    - id: 4.2.1
      name: Ensure that the --anonymous-auth argument is set to false
      description: Disable anonymous requests to the Kubelet server
      checks:
        - id: AVD-KCV-0079
      severity: CRITICAL
    - id: 4.2.2
      name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
      description: Do not allow all requests. Enable explicit authorization
      checks:
        - id: AVD-KCV-0080
      severity: CRITICAL
    - id: 4.2.3
      name: Ensure that the --client-ca-file argument is set as appropriate
      description: Enable Kubelet authentication using certificates
      checks:
        - id: AVD-KCV-0081
      severity: CRITICAL
    - id: 4.2.4
      name: Verify that the --read-only-port argument is set to 0
      description: Disable the read-only port
      checks:
        - id: AVD-KCV-0082
      severity: HIGH
    - id: 4.2.5
      name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
      description: Do not disable timeouts on streaming connections
      checks:
        - id: AVD-KCV-0085
      severity: HIGH
    - id: 4.2.6
      name: Ensure that the --protect-kernel-defaults argument is set to true
      description: Protect tuned kernel parameters from overriding kubelet default kernel parameter values
      checks:
        - id: AVD-KCV-0083
      severity: HIGH
    - id: 4.2.7
      name: Ensure that the --make-iptables-util-chains argument is set to true
      description: Allow Kubelet to manage iptables
      checks:
        - id: AVD-KCV-0084
      severity: HIGH
    - id: 4.2.8
      name: Ensure that the --hostname-override argument is not set
      description: Do not override node hostnames
      checks:
        - id: AVD-KCV-0086
      severity: HIGH
    - id: 4.2.9
      name: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
      description: Security relevant information should be captured. The --event-qps flag on the Kubelet can be used to limit the rate at which events are gathered
      checks:
        - id: AVD-KCV-0087
      severity: HIGH
    - id: 4.2.10
      name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
      description: Setup TLS connection on the Kubelets
      checks:
        - id: AVD-KCV-0088
        - id: AVD-KCV-0089
      severity: CRITICAL
    - id: 4.2.11
      name: Ensure that the --rotate-certificates argument is not set to false
      description: Enable kubelet client certificate rotation
      checks:
        - id: AVD-KCV-0090
      severity: CRITICAL
    - id: 4.2.12
      name: Verify that the RotateKubeletServerCertificate argument is set to true
      description: Enable kubelet server certificate rotation
      checks:
        - id: AVD-KCV-0091
      severity: CRITICAL
    - id: 4.2.13
      name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
      description: Ensure that the Kubelet is configured to only use strong cryptographic ciphers
      checks:
        - id: AVD-KCV-0092
      severity: CRITICAL
    - id: 5.1.1
      name: Ensure that the cluster-admin role is only used where required
      description: The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed
      checks:
        - id: AVD-KSV-0111
      severity: HIGH
    - id: 5.1.2
      name: Minimize access to secrets
      description: The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster
      checks:
        - id: AVD-KSV-0041
      severity: HIGH
    - id: 5.1.3
      name: Minimize wildcard use in Roles and ClusterRoles
      description: Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items
      checks:
        - id: AVD-KSV-0044
        - id: AVD-KSV-0045
        - id: AVD-KSV-0046
      severity: HIGH
    - id: 5.1.6
      name: Ensure that Service Account Tokens are only mounted where necessary
      description: Service account tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server
      checks:
        - id: AVD-KSV-0036
      severity: HIGH
    - id: 5.1.8
      name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
      description: Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required
      checks:
        - id: AVD-KSV-0043
      severity: HIGH
    - id: 5.2.2
      name: Minimize the admission of privileged containers
      description: Do not generally permit containers to be run with the securityContext.privileged flag set to true
      checks:
        - id: AVD-KSV-0017
      severity: HIGH
    - id: 5.2.3
      name: Minimize the admission of containers wishing to share the host process ID namespace
      description: Do not generally permit containers to be run with the hostPID flag set to true.
      checks:
        - id: AVD-KSV-0010
      severity: HIGH
    - id: 5.2.4
      name: Minimize the admission of containers wishing to share the host IPC namespace
      description: Do not generally permit containers to be run with the hostIPC flag set to true
      checks:
        - id: AVD-KSV-0008
      severity: HIGH
    - id: 5.2.5
      name: Minimize the admission of containers wishing to share the host network namespace
      description: Do not generally permit containers to be run with the hostNetwork flag set to true
      checks:
        - id: AVD-KSV-0009
      severity: HIGH
    - id: 5.2.6
      name: Minimize the admission of containers with allowPrivilegeEscalation
      description: Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true
      checks:
        - id: AVD-KSV-0001
      severity: HIGH
    - id: 5.2.7
      name: Minimize the admission of root containers
      description: Do not generally permit containers to be run as the root user
      checks:
        - id: AVD-KSV-0012
      severity: MEDIUM
    - id: 5.2.8
      name: Minimize the admission of containers with the NET_RAW capability
      description: Do not generally permit containers with the potentially dangerous NET_RAW capability
      checks:
        - id: AVD-KSV-0022
      severity: MEDIUM
    - id: 5.2.9
      name: Minimize the admission of containers with added capabilities
      description: Do not generally permit containers with capabilities assigned beyond the default set
      checks:
        - id: AVD-KSV-0004
      severity: LOW
    - id: 5.2.10
      name: Minimize the admission of containers with capabilities assigned
      description: Do not generally permit containers with capabilities
      checks:
        - id: AVD-KSV-0003
      severity: LOW
    - id: 5.2.11
      name: Minimize the admission of containers with capabilities assigned
      description: Do not generally permit containers with capabilities
      checks:
        - id: AVD-KSV-0103
      severity: MEDIUM
    - id: 5.2.12
      name: Minimize the admission of HostPath volumes
      description: Do not generally admit containers which make use of hostPath volumes
      checks:
        - id: AVD-KSV-0023
      severity: MEDIUM
    - id: 5.2.13
      name: Minimize the admission of containers which use HostPorts
      description: Do not generally permit containers which require the use of HostPorts
      checks:
        - id: AVD-KSV-0024
      severity: MEDIUM
    - id: 5.3.1
      name: Ensure that the CNI in use supports Network Policies (Manual)
      description: There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster
      checks: null
      severity: MEDIUM
    - id: 5.3.2
      name: Ensure that all Namespaces have Network Policies defined
      description: Use network policies to isolate traffic in your cluster network
      checks:
        - id: AVD-KSV-0038
      severity: MEDIUM
    - id: 5.4.1
      name: Prefer using secrets as files over secrets as environment variables (Manual)
      description: Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets
      checks: null
      severity: MEDIUM
    - id: 5.4.2
      name: Consider external secret storage (Manual)
      description: Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs
      checks: null
      severity: MEDIUM
    - id: 5.5.1
      name: Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
      description: Configure Image Provenance for your deployment
      checks: null
      severity: MEDIUM
    - id: 5.7.1
      name: Create administrative boundaries between resources using namespaces (Manual)
      description: Use namespaces to isolate your Kubernetes objects
      checks: null
      severity: MEDIUM
    - id: 5.7.2
      name: Ensure that the seccomp profile is set to docker/default in your pod definitions
      description: Enable docker/default seccomp profile in your pod definitions
      checks:
        - id: AVD-KSV-0104
      severity: MEDIUM
    - id: 5.7.3
      name: Apply Security Context to Your Pods and Containers
      description: Apply Security Context to Your Pods and Containers
      checks:
        - id: AVD-KSV-0021
        - id: AVD-KSV-0020
        - id: AVD-KSV-0005
        - id: AVD-KSV-0025
        - id: AVD-KSV-0104
        - id: AVD-KSV-0030
      severity: HIGH
    - id: 5.7.4
      name: The default namespace should not be used
      description: Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them
      checks:
        - id: AVD-KSV-0110
      severity: MEDIUM