Policy ID | Policy | Provider | Category | Severity |
AC_K8S_0092 | Ensure that the --kubelet-https argument is set to true | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0095 | Ensure that the --authorization-mode argument includes Node | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0102 | Ensure impersonate access to Kubernetes resources is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0108 | Ensure Kubernetes rolebindings with get and patch Kubernetes roles are minimized in Kubernetes Role | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0110 | Ensure that the Tiller Service (Helm v2) is not deployed for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0119 | Ensure protocols are explicitly declared where possible for Istio Services | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0122 | Ensure DENY-with-negative-matching exist for Istio Authorization Object | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0127 | Ensure metadata annotations are restricted in an Ingress object | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0130 | Ensure that the --profiling argument is set to false | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0003 | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | Infrastructure Security | LOW |
AC_K8S_0045 | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0066 | Ensure that a minimal audit policy is created | Kubernetes | Logging and Monitoring | MEDIUM |
AC_K8S_0080 | Ensure that the seccomp profile is set to docker/default in pod definitions | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0083 | Minimize the admission of containers wishing to share the host IPC namespace | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0085 | Minimize the admission of containers with allowPrivilegeEscalation | Kubernetes | Compliance Validation | HIGH |
AC_K8S_0089 | Ensure that the Anonymous Auth is Not Enabled | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0113 | Ensure that default service accounts are not actively used | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0128 | Minimize the admission of containers with added capabilities | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0025 | Ensure default namespace is not in use in Kubernetes Namespace | Kubernetes | Security Best Practices | LOW |
AC_K8S_0031 | Ensure that the --audit-log-path argument is set | Kubernetes | Logging and Monitoring | MEDIUM |
AC_K8S_0034 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | Logging and Monitoring | MEDIUM |
AC_K8S_0043 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0048 | Ensure default routes are set for Istio services | Kubernetes | Security Best Practices | LOW |
AC_K8S_0059 | Ensure that the --client-cert-auth argument is set to true | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0061 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0068 | Ensure image tag is set in Kubernetes workload configuration | Kubernetes | Security Best Practices | LOW |
AC_K8S_0069 | Ensure that every container image has a hash digest in all Kubernetes workloads | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0070 | Ensure liveness probe is configured for containers in all Kubernetes workloads | Kubernetes | Security Best Practices | LOW |
AC_K8S_0072 | Ensure readiness probe is configured for containers in all Kubernetes workloads | Kubernetes | Security Best Practices | LOW |
AC_K8S_0073 | Ensure AppArmor profile is not set to runtime/default in Kubernetes workload configuration | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0077 | Ensure 'procMount' is set to default in all Kubernetes workloads | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0079 | Ensure containers run with a high UID usually > 1000 to avoid host conflict | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0081 | Ensure only allowed volume types are mounted for all Kubernetes workloads | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0096 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0099 | Ensure Memory request is set for Kubernetes workloads | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0100 | Ensure Memory request is set for Kubernetes workloads | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0112 | Ensure the use of externalIPs is restricted for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0114 | Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service | Kubernetes | Infrastructure Security | LOW |
AC_K8S_0123 | Ensure TLS verification is enabled in Istio Destination Rules | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0131 | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0004 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | Logging and Monitoring | LOW |
AC_K8S_0007 | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0056 | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0064 | Apply Security Context to Your Pods and Containers | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0086 | The default namespace should not be used | Kubernetes | Security Best Practices | LOW |
AC_K8S_0087 | Minimize the admission of root containers | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0103 | Minimize access to create pods | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0013 | Ensure an owner key with proper label is set for Kubernetes namespace | Kubernetes | Security Best Practices | LOW |
AC_K8S_0014 | Ensure Kubernetes Network policy does not allow ingress from public IPs to query DNS | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0015 | Ensure Kubernetes Network policy does not allow ingress from public IPs to SSH | Kubernetes | Infrastructure Security | HIGH |
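Many of the workload rows above (AC_K8S_0045, 0068, 0069, 0070, 0072, 0077, 0079, 0083, 0085, 0086, 0087, 0100, 0113 and 0128) are properties of the pod spec and can be checked statically before a manifest reaches the cluster. The script below is an added example written for this page, not Tenable's or Accurics' implementation of those policies: it applies each of those checks to a pod spec extracted from a Pod or templated workload and returns one finding per violated policy ID. The two manifests are constructed, the registry host and service account name are hypothetical, and the digest is sha256("") used as a placeholder value.

```python
import re

# Kinds whose pod spec is nested under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def pod_spec(manifest):
    """Return (namespace, podSpec) for a Pod, a templated workload or a CronJob."""
    kind = manifest.get("kind")
    ns = manifest.get("metadata", {}).get("namespace", "default")
    if kind == "Pod":
        return ns, manifest["spec"]
    if kind in TEMPLATED_KINDS:
        return ns, manifest["spec"]["template"]["spec"]
    if kind == "CronJob":
        return ns, manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def image_has_tag(image):
    """True if the reference carries an explicit tag. Only a ':' after the last
    '/' counts, so a registry port such as registry:5000/app is still untagged."""
    name = image.split("@", 1)[0]  # drop any @sha256:... digest first
    return ":" in name[name.rfind("/") + 1:]


def audit(manifest):
    """Return [(policy_id, finding), ...]; an empty list means no finding."""
    findings = []
    ns, spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})

    if ns == "default":
        findings.append(("AC_K8S_0086", "workload runs in the default namespace"))
    if spec.get("hostIPC"):
        findings.append(("AC_K8S_0083", "hostIPC is true"))
    if spec.get("automountServiceAccountToken", True):  # API default is true
        findings.append(("AC_K8S_0045", "service account token is auto-mounted"))
    if spec.get("serviceAccountName", "default") == "default":
        findings.append(("AC_K8S_0113", "default service account in use"))

    containers = [(c, False) for c in spec.get("containers", [])]
    containers += [(c, True) for c in spec.get("initContainers", [])]
    for c, is_init in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # Container-level securityContext fields override pod-level ones
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))

        if sc.get("allowPrivilegeEscalation", True):  # API default is true
            findings.append(("AC_K8S_0085", f"{name}: allowPrivilegeEscalation is not false"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("AC_K8S_0087", f"{name}: may run as root"))
        if uid is not None and 0 < uid <= 1000:
            findings.append(("AC_K8S_0079", f"{name}: runAsUser {uid} is not > 1000"))
        if sc.get("capabilities", {}).get("add"):
            findings.append(("AC_K8S_0128", f"{name}: adds capabilities {sc['capabilities']['add']}"))
        if sc.get("procMount", "Default") != "Default":
            findings.append(("AC_K8S_0077", f"{name}: procMount is {sc['procMount']}"))
        if not DIGEST_RE.search(image):
            findings.append(("AC_K8S_0069", f"{name}: image {image!r} has no sha256 digest"))
        if not image_has_tag(image):
            findings.append(("AC_K8S_0068", f"{name}: image {image!r} has no tag"))
        if "memory" not in c.get("resources", {}).get("requests", {}):
            findings.append(("AC_K8S_0100", f"{name}: no memory request"))
        if not is_init:  # probes are not permitted on init containers
            for probe, pid in (("livenessProbe", "AC_K8S_0070"), ("readinessProbe", "AC_K8S_0072")):
                if probe not in c:
                    findings.append((pid, f"{name}: no {probe}"))
    return findings


# Constructed sample manifests in the shape `kubectl get deploy -o json` returns.
WEAK_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web"},  # no namespace -> default
    "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}},
}

HARDENED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "web-sa",  # hypothetical dedicated service account
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            # hypothetical registry; the digest is sha256("") used as a placeholder
            "image": "registry.example.com/web:1.4.2"
                     "@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        }],
    }}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        results = audit(m)
        print(f"{label}: {len(results)} finding(s)")
        for pid, msg in results:
            print(f"  {pid}  {msg}")
```

The weak manifest trips ten of the checks with a single unadorned `nginx` container, which is the point of the exercise: almost every unsafe value here is the API default, so a manifest has to set each field explicitly to pass. Note the precedence handling, where a container-level `securityContext` overrides the pod-level one, and the tag check, which ignores a registry port so that `registry:5000/app` is correctly reported as untagged.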