Kubernetes Rules
IaC rules for Kubernetes that identify insecure configurations in infrastructure and cloud resources.
Kubernetes Rule Catalog
| ID | Title | Severity |
|---|---|---|
| IAC-1080 | Privileged containers are admitted | HIGH |
| IAC-1094 | Container is privileged | HIGH |
| IAC-1117 | CAP_SYS_ADMIN Linux capability is used | HIGH |
| IAC-1192 | RoleBinding should not allow privilege escalation to a ServiceAccount or Node via another RoleBinding | HIGH |
| IAC-1193 | Granting `create` permissions on the `nodes/proxy` or `pods/exec` subresources allows potential privilege escalation | HIGH |
| IAC-1194 | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | HIGH |
| IAC-1196 | No ServiceAccount/Node should be able to read all secrets | HIGH |
| IAC-1079 | Containers wishing to share the host process ID namespace are admitted | MEDIUM |
| IAC-1081 | Containers wishing to share the host IPC namespace are admitted | MEDIUM |
| IAC-1082 | Containers wishing to share the host network namespace are admitted | MEDIUM |
| IAC-1083 | Containers run with AllowPrivilegeEscalation based on the Pod Security Policy setting | MEDIUM |
| IAC-1084 | Root containers are admitted | MEDIUM |
| IAC-1095 | Containers share the host process ID namespace | MEDIUM |
| IAC-1096 | Containers share the host IPC namespace | MEDIUM |
| IAC-1097 | Containers share the host network namespace | MEDIUM |
| IAC-1098 | Containers run with AllowPrivilegeEscalation | MEDIUM |
| IAC-1101 | Admission of root containers is not minimized | MEDIUM |
| IAC-1105 | Mounting the Docker daemon socket in a container is not limited | MEDIUM |
| IAC-1124 | Wildcard use is not minimized in Roles and ClusterRoles | MEDIUM |
| IAC-1195 | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster | MEDIUM |
| IAC-1085 | Containers with the NET_RAW capability are admitted | LOW |
| IAC-1086 | Liveness probe is not configured | LOW |
| IAC-1087 | Readiness probe is not configured | LOW |
| IAC-1088 | CPU request is not set | LOW |
| IAC-1090 | Memory requests are not set | LOW |
| IAC-1091 | Memory limits are not set | LOW |
| IAC-1092 | Image tag is not set to a fixed version | LOW |
| IAC-1093 | Image pull policy is not set to Always | LOW |
| IAC-1099 | Default namespace is used | LOW |
| IAC-1102 | Containers with added capabilities are allowed | LOW |
| IAC-1103 | Admission of containers with added capabilities is not minimized | LOW |
| IAC-1104 | hostPort is specified | LOW |
| IAC-1106 | Admission of containers with the NET_RAW capability is not minimized | LOW |
| IAC-1107 | securityContext is not applied to pods and containers | LOW |
| IAC-1109 | Seccomp is not set to Docker/Default or Runtime/Default | LOW |
| IAC-1110 | seccomp profile is not set to Docker/Default or Runtime/Default | LOW |
| IAC-1111 | Kubernetes dashboard is deployed | LOW |
| IAC-1112 | Tiller (Helm v2) is deployed | LOW |
| IAC-1113 | Secrets are used as environment variables | LOW |
| IAC-1115 | Admission of containers with capabilities assigned is not limited | LOW |
| IAC-1116 | Service account tokens are mounted where not necessary | LOW |
| IAC-1118 | Containers do not run with a high UID | LOW |
| IAC-1119 | Default service accounts are actively used | LOW |
| IAC-1120 | Default Kubernetes service accounts are actively used by binding them to a Role or ClusterRole | LOW |
| IAC-1122 | Tiller (Helm v2) service is not deleted | LOW |
| IAC-1123 | Tiller (Helm v2) deployment is accessible from within the cluster | LOW |
| IAC-1147 | The --audit-log-maxage argument is not set appropriately | LOW |
Total Rules: 47