Alert on deployment-like objects that are not selected by any NetworkPolicy.
dnsConfig options in deployments (KUBELIN-W1011): Alert on deployments that have no dnsConfig options specified.
PodDisruptionBudget with maxUnavailable value preventing disruptions (KUBELIN-W1034): Indicates when a PodDisruptionBudget has a maxUnavailable value (for example maxUnavailable: 0) that will always prevent voluntary disruptions of pods created by related deployment-like objects, which blocks node drains and upgrades.
docker.sock volume mounted in containers (KUBELIN-W1012): Alert on deployments with docker.sock mounted in containers. A container that can talk to the host's Docker daemon socket can start privileged containers and is effectively root on the node.
NET_RAW capability (KUBELIN-W1013): Indicates when containers do not drop the NET_RAW capability, which permits raw and packet sockets (ARP spoofing, packet crafting) from inside the pod.
Check that duplicate-named environment variables are not passed to a deployment-like object.
Indicates when objects populate an environment variable from a Secret; environment variables are inherited by child processes and tend to leak into crash dumps and logs, so mounting the Secret as a volume is preferred.
Alert on Services whose type is in the forbidden list.
Alert on pods and deployment-like objects that share the host's network namespace (hostNetwork: true).
Indicates when containers fail to specify a readiness probe.
Indicates when a Deployment does not use the RollingUpdate strategy.
Indicates when pods reference a ServiceAccount that does not exist.
Indicates when a subject (Group/User/ServiceAccount) has create access to Pods. CIS Benchmark 5.1.4: The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Indicates when a subject (Group/User/ServiceAccount) has access to Secrets. CIS Benchmark 5.1.2: Access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
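The pod-spec checks in this section (host network namespace, docker.sock mount, NET_RAW not dropped, duplicate env vars, Secrets in env vars, missing readiness probe) are simple enough to re-implement, and doing so shows where the conditions actually live in a manifest. The following is an added example, not the linter's own code: the check functions, their names and messages are my own, and the manifests are constructed samples expressed as the plain dicts a YAML parser would produce.

```python
# Added example, not the linter's own code: minimal re-implementation of the
# pod-spec checks above, run over constructed Deployment manifests (plain
# dicts, as yaml.safe_load would return them). Check names are my own.

DOCKER_SOCK = "/var/run/docker.sock"

def pod_spec(obj):
    """Pod spec of a bare Pod, or of a deployment-like object's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def containers(spec):
    """Init containers are checked too: they run with the same privileges."""
    return spec.get("initContainers", []) + spec.get("containers", [])

def check_host_network(obj):
    if pod_spec(obj).get("hostNetwork"):
        return ["pod shares the host's network namespace (hostNetwork: true)"]
    return []

def check_docker_sock(obj):
    spec = pod_spec(obj)
    sock_volumes = {v["name"] for v in spec.get("volumes", [])
                    if v.get("hostPath", {}).get("path") == DOCKER_SOCK}
    return [f"container {c['name']} mounts docker.sock via volume {m['name']}"
            for c in containers(spec)
            for m in c.get("volumeMounts", [])
            if m.get("name") in sock_volumes]

def check_net_raw(obj):
    findings = []
    for c in containers(pod_spec(obj)):
        caps = c.get("securityContext", {}).get("capabilities", {})
        dropped = {d.upper() for d in caps.get("drop", [])}
        if not dropped & {"NET_RAW", "ALL"}:   # dropping ALL covers NET_RAW
            findings.append(f"container {c['name']} does not drop NET_RAW")
    return findings

def check_duplicate_env(obj):
    findings = []
    for c in containers(pod_spec(obj)):
        seen = set()
        for e in c.get("env", []):
            if e["name"] in seen:
                findings.append(f"container {c['name']} sets {e['name']} twice")
            seen.add(e["name"])
    return findings

def check_secret_in_env(obj):
    return [f"container {c['name']} reads a Secret into env var {e['name']}"
            for c in containers(pod_spec(obj))
            for e in c.get("env", [])
            if "secretKeyRef" in e.get("valueFrom", {})]

def check_readiness_probe(obj):
    # Only regular containers: the API rejects probes on init containers.
    return [f"container {c['name']} has no readinessProbe"
            for c in pod_spec(obj).get("containers", [])
            if "readinessProbe" not in c]

CHECKS = [check_host_network, check_docker_sock, check_net_raw,
          check_duplicate_env, check_secret_in_env, check_readiness_probe]

def lint(obj):
    """Run every check; return (check name, message) pairs, empty if clean."""
    return [(chk.__name__, msg) for chk in CHECKS for msg in chk(obj)]

# Constructed sample: a Deployment that trips every check above ...
BAD = {"kind": "Deployment", "metadata": {"name": "bad"},
       "spec": {"template": {"spec": {
           "hostNetwork": True,
           "volumes": [{"name": "dockersock", "hostPath": {"path": DOCKER_SOCK}}],
           "containers": [{
               "name": "app",
               "volumeMounts": [{"name": "dockersock", "mountPath": DOCKER_SOCK}],
               "env": [
                   {"name": "DB_PASSWORD",
                    "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
                   {"name": "MODE", "value": "a"}, {"name": "MODE", "value": "b"}]}]}}}}

# ... and the same workload hardened so that lint() returns nothing.
GOOD = {"kind": "Deployment", "metadata": {"name": "good"},
        "spec": {"template": {"spec": {
            "containers": [{
                "name": "app",
                "securityContext": {"capabilities": {"drop": ["ALL"]}},
                "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                "env": [{"name": "MODE", "value": "a"}]}]}}}}

if __name__ == "__main__":
    for check, msg in lint(BAD):
        print(f"bad: {check}: {msg}")
    print("good:", lint(GOOD))
```

Two details worth noticing: dropping ALL satisfies the NET_RAW check, so the hardened manifest does not need to list NET_RAW explicitly, and the readiness-probe check deliberately skips init containers because the API server refuses probes on them.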
cluster-admin role should be used only where required (KUBELIN-W1003): CIS Benchmark 5.1.1: Ensure that the cluster-admin role is only used where required.
scaleTargetRef in HorizontalPodAutoscaler (KUBELIN-W1004): Indicates when HorizontalPodAutoscalers target a missing resource.
Indicates when Ingresses do not have any associated Services.
Indicates when NetworkPolicies do not select any deployment-like objects.
Indicates when a NetworkPolicyPeer in the Ingress/Egress rules of a NetworkPolicy spec does not select any deployment-like objects. Applied only to peers specified with a podSelector.
Indicates when Services do not select any deployment-like objects.
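The checks on this page that relate NetworkPolicies and Services to workloads (deployment-like objects not selected by any NetworkPolicy, NetworkPolicies and podSelector-only peers that select nothing, Services that select nothing) all come down to evaluating Kubernetes label selectors against pod template labels in the same namespace. The following is an added example, not the linter's own code: the function names are mine, the manifests are constructed samples as plain dicts, and the selector semantics follow the Kubernetes LabelSelector rules (empty selector matches everything; NotIn and DoesNotExist also match when the key is absent).

```python
# Added example, not the linter's own code: label-selector matching for the
# NetworkPolicy/Service checks above. Inputs are constructed manifests as
# plain dicts; function names are my own.

def selector_matches(selector, labels):
    """Evaluate a LabelSelector (matchLabels + matchExpressions) against labels.
    An empty selector ({}) matches everything, which is why podSelector: {}
    on a NetworkPolicy selects every pod in its namespace."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def ns(obj):
    return obj["metadata"].get("namespace", "default")

def full_name(obj):
    return f"{ns(obj)}/{obj['metadata']['name']}"

def pod_labels(workload):
    return workload["spec"]["template"]["metadata"].get("labels", {})

def selected(selector, namespace, workloads):
    """Workloads in `namespace` whose pod template labels match `selector`."""
    return [w for w in workloads
            if ns(w) == namespace and selector_matches(selector, pod_labels(w))]

def unselected_workloads(workloads, policies):
    """Deployment-like objects that no NetworkPolicy in their namespace selects."""
    return [full_name(w) for w in workloads
            if not any(ns(p) == ns(w) and
                       selector_matches(p["spec"].get("podSelector", {}), pod_labels(w))
                       for p in policies)]

def policies_without_workloads(policies, workloads):
    return [full_name(p) for p in policies
            if not selected(p["spec"].get("podSelector", {}), ns(p), workloads)]

def dangling_peers(policies, workloads):
    """Ingress 'from' / egress 'to' peers given as a podSelector only; a peer
    with a namespaceSelector (or an ipBlock) is skipped, as the check describes."""
    findings = []
    for p in policies:
        for direction, key in (("ingress", "from"), ("egress", "to")):
            for rule in p["spec"].get(direction, []):
                for peer in rule.get(key, []):
                    if "podSelector" not in peer or "namespaceSelector" in peer:
                        continue
                    if not selected(peer["podSelector"], ns(p), workloads):
                        findings.append(f"{full_name(p)}: {direction} peer "
                                        f"{peer['podSelector']} selects no workload")
    return findings

def services_without_workloads(services, workloads):
    # A Service selector is a plain label map, i.e. matchLabels semantics.
    # Selector-less Services (ExternalName, manual Endpoints) are skipped.
    return [full_name(s) for s in services if s["spec"].get("selector")
            and not selected({"matchLabels": s["spec"]["selector"]}, ns(s), workloads)]

def deployment(namespace, name, labels):       # constructed sample workload
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"metadata": {"labels": labels}, "spec": {}}}}

WORKLOADS = [deployment("prod", "web", {"app": "web", "tier": "frontend"}),
             deployment("prod", "db", {"app": "db"})]
POLICIES = [  # constructed: one policy with a dangling peer, one selecting nothing
    {"kind": "NetworkPolicy", "metadata": {"name": "web-ingress", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "proxy"}}}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "cache-egress", "namespace": "prod"},
     "spec": {"podSelector": {"matchExpressions": [
                  {"key": "app", "operator": "In", "values": ["cache"]}]},
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}]}]}},
]
SERVICES = [  # constructed: one backed Service, one pointing at nothing
    {"kind": "Service", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"selector": {"app": "web"}}},
    {"kind": "Service", "metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"selector": {"app": "legacy"}}},
]

if __name__ == "__main__":
    print("not selected by any NetworkPolicy:", unselected_workloads(WORKLOADS, POLICIES))
    print("NetworkPolicies selecting nothing:", policies_without_workloads(POLICIES, WORKLOADS))
    print("dangling peers:", dangling_peers(POLICIES, WORKLOADS))
    print("Services selecting nothing:", services_without_workloads(SERVICES, WORKLOADS))
```

On the sample data the db Deployment is reported as unselected (so it is reachable from anywhere the CNI allows), cache-egress selects no workload, web-ingress's "from" peer names an app=proxy pod that does not exist (the rule therefore admits no traffic at all), and the legacy Service has no backing pods. Note that a cross-namespace peer, expressed with a namespaceSelector, is intentionally not evaluated against the policy's own namespace.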