AC_K8S_0011 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | Compliance Validation | LOW |
AC_K8S_0012 | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | Identity and Access Management | LOW |
AC_K8S_0022 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0027 | Ensure that the --insecure-bind-address argument is not set | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0028 | Ensure that the --insecure-port argument is set to 0 | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0037 | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0038 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0041 | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0047 | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0049 | Ensure ALLOW-with-positive-matching exist for Istio Authorization Object | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0050 | Ensure custom snippets annotations is not set to true for Ingress-nginx controller deployment's Kubernetes Config Map | Kubernetes | Security Best Practices | HIGH |
AC_K8S_0057 | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0058 | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0075 | Minimize the admission of containers with the NET_RAW capability | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0076 | Ensure mounting of hostPaths is disallowed in Kubernetes workload configuration | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0084 | Minimize the admission of containers wishing to share the host network namespace | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0097 | Ensure CPU request is set for Kubernetes workloads | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0101 | Minimize access to secrets | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0105 | Ensure use of creating Kubernetes rolebindings and attaching Kubernetes roles is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0109 | Ensure that the --secure-port argument is not set to 0 | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0117 | Ensure Kubernetes NetworkPolicy object is defined for every Kubernetes Namespace | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0118 | Ensure overly broad host configuration is not allowed for Istio Gateway | Kubernetes | Infrastructure Security | HIGH |
AC_K8S_0129 | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | Compliance Validation | MEDIUM |
AC_K8S_0004 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | Logging and Monitoring | LOW |
AC_K8S_0007 | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0025 | Ensure default name space is not in use in Kubernetes Namespace | Kubernetes | Security Best Practices | LOW |
AC_K8S_0031 | Ensure that the --audit-log-path argument is set | Kubernetes | Logging and Monitoring | MEDIUM |
AC_K8S_0034 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | Logging and Monitoring | MEDIUM |
AC_K8S_0043 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | Data Protection | MEDIUM |
AC_K8S_0048 | Ensure default routes are set for Istio services | Kubernetes | Security Best Practices | LOW |
AC_K8S_0056 | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0059 | Ensure that the --client-cert-auth argument is set to true | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0061 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0064 | Apply Security Context to Your Pods and Containers | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0068 | Ensure image tag is set in Kubernetes workload configuration | Kubernetes | Security Best Practices | LOW |
AC_K8S_0069 | Ensure that every container image has a hash digest in all Kubernetes workloads | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0070 | Ensure liveness probe is configured for containers in all Kubernetes workloads | Kubernetes | Security Best Practices | LOW |
AC_K8S_0072 | Ensure readiness probe is configured for containers in all Kubernetes workloads | Kubernetes | Security Best Practices | LOW |
AC_K8S_0073 | Ensure AppArmor profile is not set to runtime/default in Kubernetes workload configuration | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0077 | Ensure 'procMount' is set to default in all Kubernetes workloads | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0079 | Ensure containers run with a high UID usually > 1000 to avoid host conflict | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0081 | Ensure only allowed volume types are mounted for all Kubernetes workloads | Kubernetes | Identity and Access Management | MEDIUM |
AC_K8S_0086 | The default namespace should not be used | Kubernetes | Security Best Practices | LOW |
AC_K8S_0087 | Minimize the admission of root containers | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0096 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0099 | Ensure Memory request is set for Kubernetes workloads | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0100 | Ensure Memory request is set for Kubernetes workloads | Kubernetes | Security Best Practices | MEDIUM |
AC_K8S_0103 | Minimize access to create pods | Kubernetes | Identity and Access Management | HIGH |
AC_K8S_0112 | Ensure the use of externalIPs is restricted for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
AC_K8S_0114 | Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service | Kubernetes | Infrastructure Security | LOW |