| ID | Policy | Platform | Category | Severity |
|---|---|---|---|---|
| AC_K8S_0101 | Minimize access to secrets | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0102 | Ensure impersonate access to Kubernetes resources is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0103 | Minimize access to create pods | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0104 | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0105 | Ensure use of creating Kubernetes rolebindings and attaching Kubernetes roles is minimized in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0106 | Ensure that the cluster-admin role is only used where required | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0107 | Ensure pod/attach create roles are minimized in Kubernetes cluster in Kubernetes Role | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0108 | Ensure Kubernetes rolebindings with get and patch Kubernetes roles are minimized in Kubernetes Role | Kubernetes | Identity and Access Management | MEDIUM |
| AC_K8S_0109 | Ensure that the --secure-port argument is not set to 0 | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0110 | Ensure that the Tiller Service (Helm v2) is not deployed for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0111 | Ensure for exposing Kubernetes workload to the internet, NodePort service is not used | Kubernetes | Infrastructure Security | LOW |
| AC_K8S_0112 | Ensure the use of externalIPs is restricted for Kubernetes service | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0113 | Ensure that default service accounts are not actively used | Kubernetes | Identity and Access Management | MEDIUM |
| AC_K8S_0114 | Ensure the use of selector is enforced for Kubernetes Ingress or LoadBalancer service | Kubernetes | Infrastructure Security | LOW |
| AC_K8S_0115 | Ensure security context is applied to pods and containers with SELinux configured | Kubernetes | Security Best Practices | MEDIUM |
| AC_K8S_0116 | Ensure Kubernetes Network policy attached to a pod have Ingress/Egress blocks specified | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0117 | Ensure Kubernetes NetworkPolicy object is defined for every Kubernetes Namespace | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0118 | Ensure overly broad host configuration is not allowed for Istio Gateway | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0119 | Ensure protocols are explicitly declared where possible for Istio Services | Kubernetes | Security Best Practices | MEDIUM |
| AC_K8S_0120 | Ensure large virtual services are split into multiple resources for Istio Virtual Services | Kubernetes | Security Best Practices | LOW |
| AC_K8S_0121 | Ensure default-deny patterns are defined for Istio Authorization Policy | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0122 | Ensure DENY-with-negative-matching exist for Istio Authorization Object | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0123 | Ensure TLS verification is enabled in Istio Destination Rules | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0124 | Ensure envoy proxies are not configured in permissive mode in Istio Peer Authentication | Kubernetes | Infrastructure Security | MEDIUM |
| AC_K8S_0125 | Ensure kernel level call configurations are not vulnerable to CVE-2022-0811 in all Kubernetes workloads | Kubernetes | Identity and Access Management | HIGH |
| AC_K8S_0126 | Ensure Kubernetes hot-patch daemonset for Log4j2 is applied | Kubernetes | Configuration and Vulnerability Analysis | HIGH |
| AC_K8S_0127 | Ensure metadata annotations are restricted in an Ingress object | Kubernetes | Infrastructure Security | HIGH |
| AC_K8S_0128 | Minimize the admission of containers with added capabilities | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0129 | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0130 | Ensure that the --profiling argument is set to false | Kubernetes | Compliance Validation | MEDIUM |
| AC_K8S_0131 | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | Compliance Validation | MEDIUM |