| Check | ID | Description |
|---|---|---|
| | | Alert on pods/deployment-likes that share the host's process namespace |
| | | Indicates when a subject (Group/User/ServiceAccount) has create access to Pods. CIS Benchmark 5.1.4: the ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted where possible. |
| | | Indicates when a subject (Group/User/ServiceAccount) has access to Secrets. CIS Benchmark 5.1.2: access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation. |
| `cluster-admin` role should be used only where required | KUBELIN-W1003 | CIS Benchmark 5.1.1: ensure that the cluster-admin role is only used where required |
| `scaleTargetRef` in HorizontalPodAutoscaler | KUBELIN-W1004 | Indicates when HorizontalPodAutoscalers target a missing resource. |
| | | Indicates when ingresses do not have any associated services. |
| | | Indicates when network policies do not have any associated deployments. |
| | | Indicates when a NetworkPolicyPeer in the Egress/Ingress rules of a NetworkPolicy spec does not have any associated deployments. Applied only to peers specified with podSelectors. |
| | | Indicates when services do not have any associated deployments. |
| | | Indicates when pods use the default service account. |
| `serviceAccount` field in deployments | KUBELIN-W1010 | Indicates when deployments use the deprecated serviceAccount field. |
| `dnsConfig` options in deployments | KUBELIN-W1011 | Alert on deployments that have no specified dnsConfig options |
| `docker.sock` volume mounted in containers | KUBELIN-W1012 | Alert on deployments with docker.sock mounted in containers. |
| `NET_RAW` capability | KUBELIN-W1013 | Indicates when containers do not drop the NET_RAW capability |
| | | Check that duplicate named env vars aren't passed to a deployment-like. |
| | | Indicates when objects use a secret in an environment variable. |
| | | Alert on services of forbidden types |
| | | Alert on pods/deployment-likes that share the host's network namespace |
| `minReplicas` in HorizontalPodAutoscaler | KUBELIN-W1020 | Indicates when a HorizontalPodAutoscaler specifies fewer than three minReplicas |
| | | Indicates when deployments or services use port names that violate the specification. |