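---
# rules/specs/compliance/k8s-pss-baseline.yaml
#
# Compliance spec mapping the Kubernetes Pod Security Standards "Baseline"
# profile onto defsec checks. Each control carries the baseline requirement it
# covers (description) and the check ID(s) that evaluate it, with the severity
# the compliance report should attach to a failure.
#
# Check IDs are written in the canonical upper-case AVD-KSV-NNNN form
# throughout. The file previously mixed upper- and lower-case IDs
# (e.g. avd-ksv-0024); if the consumer looks IDs up case-sensitively those
# controls would never match a check result and would silently go unreported.
spec:
  id: "k8s-pss-baseline"
  title: "Kubernetes Pod Security Standards - Baseline"
  description: "Kubernetes Pod Security Standards - Baseline"
  # The upstream definition of the Baseline profile; control descriptions
  # below paraphrase its requirements.
  relatedResources:
    - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
  version: "0.1"
  controls:
    - name: HostProcess
      description: >-
        Windows pods offer the ability to run HostProcess containers which
        enables privileged access to the Windows node. Privileged access to
        the host is disallowed in the baseline policy
      id: "1"
      checks:
        - id: AVD-KSV-0103
          severity: "HIGH"
    - name: Host Namespaces
      description: "Sharing the host namespaces must be disallowed."
      id: "2"
      checks:
        - id: AVD-KSV-0008
          severity: "HIGH"
    - name: Privileged Containers
      description: "Privileged Pods disable most security mechanisms and must be disallowed."
      id: "3"
      checks:
        - id: AVD-KSV-0017
          severity: "HIGH"
    - name: Capabilities
      # "listed below" refers to the allowed-capability set on the related
      # PSS page; this file does not carry that list itself.
      description: "Adding additional capabilities beyond those listed below must be disallowed."
      id: "4"
      checks:
        - id: AVD-KSV-0022
          severity: "MEDIUM"
    - name: HostPath Volumes
      description: "HostPath volumes must be forbidden."
      id: "5"
      checks:
        - id: AVD-KSV-0023
          severity: "MEDIUM"
    - name: host ports
      description: "hostports should be disallowed, or at minimum restricted to a known list."
      id: "6"
      checks:
        - id: AVD-KSV-0024
          severity: "HIGH"
    - name: AppArmor
      description: >-
        On supported hosts, the runtime/default AppArmor profile is applied by
        default. The baseline policy should prevent overriding or disabling
        the default AppArmor profile, or restrict overrides to an allowed set
        of profiles.
      id: "7"
      checks:
        - id: AVD-KSV-0002
          severity: "HIGH"
    - name: SELinux
      description: "Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden."
      id: "8"
      checks:
        - id: AVD-KSV-0025
          severity: "MEDIUM"
    - name: "/proc Mount Type"
      description: "The default /proc masks are set up to reduce attack surface, and should be required."
      id: "9"
      checks:
        - id: AVD-KSV-0027
          severity: "MEDIUM"
    - name: "Seccomp"
      description: "Seccomp profile must not be explicitly set to Unconfined."
      id: "10"
      checks:
        - id: AVD-KSV-0104
          severity: "MEDIUM"
    - name: "Sysctls"
      # Folded scalar keeps the embedded double quotes around "safe" without
      # needing to escape them.
      description: >-
        Sysctls can disable security mechanisms or affect all containers on a
        host, and should be disallowed except for an allowed "safe" subset. A
        sysctl is considered safe if it is namespaced in the container or the
        Pod, and it is isolated from other Pods or processes on the same Node.
      id: "11"
      checks:
        - id: AVD-KSV-0026
          severity: "MEDIUM"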