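---
# Kubernetes Pod Security Standards (PSS) "Restricted" profile expressed as a
# defsec/trivy compliance spec. Each control maps one PSS requirement to the
# defsec Kubernetes check(s) (AVD-KSV-*) that enforce it; the consumer scores a
# control from the results of its listed checks and reports it at the control's
# severity.
#
# Per the linked PSS page, Restricted is a strict superset of Baseline:
# controls 1-11 restate the Baseline requirements and 12-17 add the
# Restricted-only ones. That is why "Capabilities" and "Seccomp" each appear
# twice - the later entry is the stricter Restricted rule, not a duplicate.
#
# Check IDs are written in their canonical upper-case form. The original mixed
# AVD-KSV-* and avd-ksv-*, which only works if the consumer matches IDs
# case-insensitively; the canonical form removes that dependency.
spec:
  id: "k8s-pss-restricted"
  title: "Kubernetes Pod Security Standards - Restricted"
  description: Kubernetes Pod Security Standards - Restricted
  relatedResources:
    - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
  version: "0.1"
  controls:
    # ---- Baseline requirements (inherited by Restricted) ----
    - name: HostProcess
      description: "Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy"
      id: "1"
      checks:
        - id: AVD-KSV-0103
      severity: 'HIGH'
    - name: Host Namespaces
      # NOTE(review): a single check backs this control, while PSS forbids
      # sharing hostPID, hostIPC and hostNetwork. Confirm that AVD-KSV-0008
      # covers all three; if it covers only one, the sibling checks must be
      # listed here or this control will pass pods that share the others.
      description: "Sharing the host namespaces must be disallowed."
      id: "2"
      checks:
        - id: AVD-KSV-0008
      severity: 'HIGH'
    - name: Privileged Containers
      description: "Privileged Pods disable most security mechanisms and must be disallowed."
      id: "3"
      checks:
        - id: AVD-KSV-0017
      severity: 'HIGH'
    - name: Capabilities
      # "listed below" refers to the Baseline allowed-capability list on the
      # linked PSS page, not to anything in this file. Control 17 tightens this
      # to the Restricted rule (drop ALL, add back only NET_BIND_SERVICE).
      description: "Adding additional capabilities beyond those listed below must be disallowed."
      id: "4"
      checks:
        - id: AVD-KSV-0022
      severity: 'MEDIUM'
    - name: HostPath Volumes
      description: "HostPath volumes must be forbidden."
      id: "5"
      checks:
        - id: AVD-KSV-0023
      severity: 'MEDIUM'
    - name: host ports
      # The "known list" option in the description is a policy choice for the
      # cluster operator; a static check can only flag hostPort usage, so
      # presumably any hostPort fails here - confirm against the check.
      description: "hostports should be disallowed, or at minimum restricted to a known list."
      id: "6"
      checks:
        - id: AVD-KSV-0024
      severity: 'HIGH'
    - name: AppArmor
      # Only meaningful on nodes whose runtime supports AppArmor; elsewhere the
      # annotation/field is ignored and this control provides no protection.
      description: "On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles."
      id: "7"
      checks:
        - id: AVD-KSV-0002
      severity: 'HIGH'
    - name: SELinux
      description: "Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden."
      id: "8"
      checks:
        - id: AVD-KSV-0025
      severity: 'MEDIUM'
    - name: "/proc Mount Type"
      # procMount: Unmasked exposes kernel interfaces that the default masks
      # hide from the container.
      description: "The default /proc masks are set up to reduce attack surface, and should be required."
      id: "9"
      checks:
        - id: AVD-KSV-0027
      severity: 'MEDIUM'
    - name: "Seccomp"
      # Baseline rule: only an explicit Unconfined is rejected. Control 16 is
      # the Restricted rule, which also rejects an absent profile.
      description: "Seccomp profile must not be explicitly set to Unconfined."
      id: "10"
      checks:
        - id: AVD-KSV-0104
      severity: 'MEDIUM'
    - name: "Sysctls"
      description: 'Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.'
      id: "11"
      checks:
        - id: AVD-KSV-0026
      severity: 'MEDIUM'
    # ---- Restricted-only requirements ----
    - name: "Volume Types"
      description: 'The restricted policy only permits specific volume types.'
      id: "12"
      checks:
        - id: AVD-KSV-0028
      severity: 'LOW'
    - name: "Privilege Escalation"
      # Enforced via allowPrivilegeEscalation=false; without it a non-root
      # process can still gain privilege through setuid/setgid binaries.
      description: 'Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.'
      id: "13"
      checks:
        - id: AVD-KSV-0001
      severity: 'MEDIUM'
    - name: "Running as Non-root"
      # Controls 14 and 15 are complementary: 14 requires the non-root
      # assertion (runAsNonRoot), 15 rejects an explicit UID 0 that would
      # otherwise satisfy a pod-level setting.
      description: 'Containers must be required to run as non-root users.'
      id: "14"
      checks:
        - id: AVD-KSV-0012
      severity: 'MEDIUM'
    - name: "Running as Non-root user"
      description: 'Containers must not set runAsUser to 0'
      id: "15"
      checks:
        - id: AVD-KSV-0105
      severity: 'LOW'
    - name: "Seccomp"
      description: 'Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited'
      id: "16"
      checks:
        - id: AVD-KSV-0030
      severity: 'LOW'
    - name: "Capabilities"
      description: 'Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.'
      id: "17"
      checks:
        - id: AVD-KSV-0106
      severity: 'LOW'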