Cluster Overview: https://10.43.0.1:443

Smooth sailing within sight
Grade: C+
Score: 78%

Score is the percentage of passing checks. Warnings get half the weight of dangerous checks.

  • 1227 passing checks
  • 551 warning checks
  • 66 dangerous checks
Some checks were skipped based on configured exemptions. Click here to view the report with these checks included.
Kubernetes Version: 1.33
Nodes: 2
Namespaces: 14
Controllers: 42
Pods: 0

Results by Category

EfficiencyScore: 30%

Configuring resource requests and limits for workloads running in Kubernetes helps ensure that every container will have access to all the resources it needs. These are also a crucial part of cluster autoscaling logic, as new nodes are only spun up when there is insufficient capacity on existing infrastructure for new pod(s). By default, Polaris validates that resource requests and limits are set, it also includes optional functionality to ensure these requests and limits fall within specified ranges. Refer to the Polaris documentation about Efficiency for more information.

ReliabilityScore: 60%

Kubernetes is built to reliabily run highly available applications. Polaris includes a number of checks to ensure that you are maximizing the reliability potential of Kubernetes. Refer to the Polaris documentation about Reliability for more information.

SecurityScore: 81%

Kubernetes provides a great deal of configurability when it comes to the security of your workloads. A key principle here involves limiting the level of access any individual workload has. Polaris has validations for a number of best practices, mostly focused on ensuring that unnecessary access has not been granted to an application workload. Refer to the Polaris documentation about Security for more information.

Filter by Namespace

Cluster Resources

ClusterRole: admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-application-controller

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: argocd-applicationset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-server

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: bw-op-sm-operator-manager-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cainjector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cluster-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificates

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-challenges

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-issuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-orders

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cluster-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: clustercidrs-node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: fluent-bit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: goldilocks-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: goldilocks-dashboard

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx-admission

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: k3s-cloud-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: local-path-provisioner-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: metallb-system:controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: metallb-system:speaker

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: polaris

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-grafana-clusterrole

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-prometheus-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-prometheus-prometheus

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-state-metrics

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregated-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:auth-delegator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:basic-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:nodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kubelet-serving-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:legacy-unknown-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:attachdetach-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:certificate-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:cronjob-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:daemon-set-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:deployment-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:disruption-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpoint-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslice-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:expand-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:generic-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:job-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:namespace-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:node-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:persistent-volume-binder

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pod-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pv-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pvc-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replicaset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replication-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resourcequota-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:route-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:selinux-warning-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-account-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-cidrs-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:statefulset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:heapster

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:k3s-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-aggregator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-dns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kubelet-api-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:metrics-server

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:monitoring

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-bootstrapper

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-problem-detector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-proxier

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-provisioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:public-info-viewer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:service-account-issuer-discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:volume-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: traefik-cluster-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: traefik-kube-system

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-admission-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-checkpoint-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-evictioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-target-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRoleBinding: argocd-application-controller

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: argocd-applicationset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: argocd-server

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: bw-op-sm-operator-manager-rolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-cainjector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-controller-certificates

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-challenges

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-issuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-orders

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cluster-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: clustercidrs-node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: fluent-bit

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: goldilocks-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: goldilocks-dashboard

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: helm-kube-system-traefik

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: helm-kube-system-traefik-crd

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: ingress-nginx

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: ingress-nginx-admission

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: k3s-cloud-controller-manager

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: k3s-cloud-controller-manager-auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: kube-apiserver-kubelet-admin

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: local-path-provisioner-bind

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metallb-system:controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metallb-system:speaker

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metrics-server:system:auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris-view

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-grafana-clusterrolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-prometheus-operator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-prometheus-prometheus

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-state-metrics

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:basic-user

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:attachdetach-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:certificate-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:cronjob-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:daemon-set-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:deployment-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:disruption-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpoint-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslice-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:expand-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:generic-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:job-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:namespace-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:node-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:persistent-volume-binder

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pod-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pv-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pvc-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replicaset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replication-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:resourcequota-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:route-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:selinux-warning-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-account-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-cidrs-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:statefulset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:k3s-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-dns

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:kube-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:metrics-server

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:monitoring

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:public-info-viewer

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:service-account-issuer-discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:volume-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: traefik-cluster-rolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: traefik-kube-system

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-admission-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-checkpoint-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-metrics-reader

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-target-reader-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach

Namespace: argocd

ConfigMap: argocd-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-cmd-params-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-gpg-keys-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-notifications-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-rbac-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-ssh-known-hosts-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-tls-certs-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: argocd-applicationset-controller

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured

Container argocd-applicationset-controller:

  • CPU limits should be set
  • CPU requests should be set
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Image pull policy is "Always"
  • Not running as privileged
  • Host port is not configured
Deployment: argocd-dex-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container copyutil:

  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Image pull policy is "Always"

Container dex:

  • CPU limits should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
Deployment: argocd-notifications-controller

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container argocd-notifications-controller:

  • Memory requests should be set
  • CPU limits should be set
  • Memory limits should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Not running as privileged
  • Image pull policy is "Always"
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Privilege escalation not allowed
  • Image tag is specified
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Filesystem is read only
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
Deployment: argocd-redis

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container secret-init:

  • Image pull policy should be "Always"
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Privilege escalation not allowed

Container redis:

  • CPU requests should be set
  • Memory limits should be set
  • Liveness probe should be configured
  • CPU limits should be set
  • Memory requests should be set
  • Readiness probe should be configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: argocd-repo-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted
  • Host network is not configured

Container copyutil:

  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables

Container argocd-repo-server:

  • Memory requests should be set
  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Not running as privileged
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
Deployment: argocd-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid

Container argocd-server:

  • Memory limits should be set
  • Memory requests should be set
  • CPU limits should be set
  • CPU requests should be set
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
  • Image pull policy is "Always"
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
Ingress: argocd-server-ingress

Spec:

  • Ingress has TLS configured
NetworkPolicy: argocd-application-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-applicationset-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-dex-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-notifications-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-redis-network-policy

Spec: no checks applied

NetworkPolicy: argocd-repo-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-server-network-policy

Spec: no checks applied

Role: argocd-application-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-applicationset-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-dex-server

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-notifications-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-redis

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-server

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: argocd-application-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-applicationset-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-dex-server

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: argocd-notifications-controller

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: argocd-redis

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-server

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ServiceAccount: argocd-application-controller

Spec: no checks applied

ServiceAccount: argocd-applicationset-controller

Spec: no checks applied

ServiceAccount: argocd-dex-server

Spec: no checks applied

ServiceAccount: argocd-notifications-controller

Spec: no checks applied

ServiceAccount: argocd-redis

Spec: no checks applied

ServiceAccount: argocd-repo-server

Spec: no checks applied

ServiceAccount: argocd-server

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

StatefulSet: argocd-application-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container argocd-application-controller:

  • CPU requests should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • CPU limits should be set
  • Memory requests should be set
  • Is not allowed to run as root
  • Image tag is specified
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Image pull policy is "Always"
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured

Namespace: bitwarden

ConfigMap: bw-op-sm-operator-config-map

Spec:

  • Potentially sensitive content is detected in the ConfigMap keys or values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: bw-op-sm-operator-controller-manager

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container manager:

  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Is not allowed to run as root
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory limits are set
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Memory requests are set
  • CPU limits are set
  • Not running as privileged
Role: bw-op-sm-operator-leader-election-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: bw-op-sm-operator-leader-election-rolebinding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: bw-op-sm-operator-controller-manager

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: cert-manager

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cert-manager

Spec:

  • Only one replica is scheduled
  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container cert-manager-controller:

  • Image pull policy should be "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: cert-manager-cainjector

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container cert-manager-cainjector:

  • Image pull policy should be "Always"
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
Deployment: cert-manager-webhook

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container cert-manager-webhook:

  • Image pull policy should be "Always"
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
Role: cert-manager-tokenrequest

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager-webhook:dynamic-serving

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-tokenrequest

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: cert-manager-webhook:dynamic-serving

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
ServiceAccount: cert-manager

Spec: no checks applied

ServiceAccount: cert-manager-cainjector

Spec: no checks applied

ServiceAccount: cert-manager-webhook

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: database

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

StatefulSet: mysql

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container mysql:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Readiness probe should be configured
  • CPU requests should be set
  • Liveness probe should be configured
  • CPU limits should be set
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured

Namespace: default

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: development

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: myrelease-myapp-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: api-gateway

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container api-gateway:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory requests should be set
  • CPU requests should be set
  • Memory limits should be set
  • Readiness probe should be configured
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
Deployment: auth-service

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container auth-service:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • CPU limits should be set
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory limits should be set
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
Deployment: frontend-service

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured

Container frontend-service:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • CPU limits should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • CPU requests should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
Deployment: hello-service

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • Privileged access to the host check is valid

Container hello-service:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Filesystem should be read only
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • CPU limits are set
  • CPU requests are set
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Memory limits are set
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Memory requests are set
Deployment: myrelease-myapp

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Multiple replicas are scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid
  • Host PID is not configured

Container myapp:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
Deployment: todo-service

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid

Container todo-service:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Liveness probe should be configured
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
HorizontalPodAutoscaler: hello-service

Spec:

  • HPA minReplicas should be 2 or more
  • HPA has a valid max and min replica configuration
Ingress: api-gateway-ingress

Spec:

  • Ingress has TLS configured
Ingress: frontend-ingress

Spec:

  • Ingress has TLS configured
Ingress: hello-ingress

Spec:

  • Ingress has TLS configured
Ingress: myrelease-myapp

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

Namespace: elastic

ConfigMap: fluent-bit-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: fluent-bit

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • HostPath volumes must be forbidden
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • Privileged access to the host check is valid

Container fluent-bit:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Memory limits should be set
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: elasticsearch

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container elasticsearch:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU limits should be set
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Liveness probe should be configured
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
Deployment: kibana

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid

Container kibana:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
Ingress: kibana-ingress

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

ServiceAccount: fluent-bit

Spec: no checks applied

Namespace: kube-node-lease

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: kube-public

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

Namespace: kube-system

ConfigMap: chart-content-traefik

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: chart-content-traefik-crd

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cluster-dns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: extension-apiserver-authentication

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-apiserver-legacy-service-account-token-tracking

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: local-path-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: svclb-traefik-8c4af31e

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Host PID is not configured
  • Privileged access to the host check is valid

Container lb-tcp-80:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have dangerous capabilities
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory requests should be set
  • CPU limits should be set
  • Host port should not be configured
  • Memory limits should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged

Container lb-tcp-443:

  • Should not be allowed to run as root
  • Container should not have dangerous capabilities
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Memory requests should be set
  • CPU limits should be set
  • CPU requests should be set
  • Liveness probe should be configured
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Host port should not be configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Deployment: coredns

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Pod has a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container coredns:

  • Should not be allowed to run as root
  • CPU limits should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Memory requests are set
  • Filesystem is read only
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Image tag is specified
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • CPU requests are set
  • Memory limits are set
Deployment: local-path-provisioner

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container local-path-provisioner:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory limits should be set
  • Readiness probe should be configured
  • CPU limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: metrics-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required

Container metrics-server:

  • CPU limits should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Readiness probe is configured
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory requests are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Image tag is specified
Deployment: traefik

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container traefik:

  • Memory limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
  • Image tag is specified
  • Filesystem is read only
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Readiness probe is configured
Job: helm-install-traefik-crd

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured

Container helm:

  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Host port is not configured
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Not running as privileged
  • Image tag is specified
Role: cert-manager-cainjector:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: extension-apiserver-authentication-reader

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-controller-manager

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-scheduler

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:cloud-provider

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:token-cleaner

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-cainjector:leaderelection

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: cert-manager:leaderelection

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: k3s-cloud-controller-manager-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: metrics-server-auth-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::extension-apiserver-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-controller-manager

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-scheduler

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:cloud-provider

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: system:controller:token-cleaner

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: attachdetach-controller

Spec: no checks applied

ServiceAccount: certificate-controller

Spec: no checks applied

ServiceAccount: clusterrole-aggregation-controller

Spec: no checks applied

ServiceAccount: coredns

Spec: no checks applied

ServiceAccount: cronjob-controller

Spec: no checks applied

ServiceAccount: daemon-set-controller

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: deployment-controller

Spec: no checks applied

ServiceAccount: disruption-controller

Spec: no checks applied

ServiceAccount: endpoint-controller

Spec: no checks applied

ServiceAccount: endpointslice-controller

Spec: no checks applied

ServiceAccount: endpointslicemirroring-controller

Spec: no checks applied

ServiceAccount: ephemeral-volume-controller

Spec: no checks applied

ServiceAccount: expand-controller

Spec: no checks applied

ServiceAccount: generic-garbage-collector

Spec: no checks applied

ServiceAccount: helm-traefik

Spec: no checks applied

ServiceAccount: helm-traefik-crd

Spec: no checks applied

ServiceAccount: horizontal-pod-autoscaler

Spec: no checks applied

ServiceAccount: job-controller

Spec: no checks applied

ServiceAccount: legacy-service-account-token-cleaner

Spec: no checks applied

ServiceAccount: local-path-provisioner-service-account

Spec: no checks applied

ServiceAccount: metrics-server

Spec: no checks applied

ServiceAccount: namespace-controller

Spec: no checks applied

ServiceAccount: node-controller

Spec: no checks applied

ServiceAccount: persistent-volume-binder

Spec: no checks applied

ServiceAccount: pod-garbage-collector

Spec: no checks applied

ServiceAccount: pv-protection-controller

Spec: no checks applied

ServiceAccount: pvc-protection-controller

Spec: no checks applied

ServiceAccount: replicaset-controller

Spec: no checks applied

ServiceAccount: replication-controller

Spec: no checks applied

ServiceAccount: resourcequota-controller

Spec: no checks applied

ServiceAccount: root-ca-cert-publisher

Spec: no checks applied

ServiceAccount: service-account-controller

Spec: no checks applied

ServiceAccount: service-cidrs-controller

Spec: no checks applied

ServiceAccount: statefulset-controller

Spec: no checks applied

ServiceAccount: svclb

Spec: no checks applied

ServiceAccount: token-cleaner

Spec: no checks applied

ServiceAccount: traefik

Spec: no checks applied

ServiceAccount: ttl-after-finished-controller

Spec: no checks applied

ServiceAccount: ttl-controller

Spec: no checks applied

ServiceAccount: validatingadmissionpolicy-status-controller

Spec: no checks applied

Namespace: monitoring

Alertmanager: prometheus-kube-prometheus-alertmanager

Spec: no checks applied

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-grafana

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-grafana-config-dashboards

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-alertmanager-overview

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-apiserver

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-cluster-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-controller-manager

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-etcd

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-grafana-datasource

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-grafana-overview

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-cluster

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-multicluster

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-namespace

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-node

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-pod

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-workload

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-workloads-namespace

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-kubelet

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-namespace-by-pod

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-namespace-by-workload

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-node-cluster-rsrc-use

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-node-rsrc-use

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes-aix

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes-darwin

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-persistentvolumesusage

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-pod-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-prometheus

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-proxy

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-scheduler

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-workload-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-prometheus-kube-prometheus-prometheus-rulefiles-0

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: prometheus-prometheus-node-exporter

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • Host PID should not be configured
  • Pod should be configured with a valid topology spread constraint
  • HostPath volumes must be forbidden
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted

Container node-exporter:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image tag is specified
  • Filesystem is read only
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
Deployment: goldilocks-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid

Container goldilocks:

  • Liveness probe should be configured
  • Memory limits should be set
  • CPU limits should be set
  • Readiness probe should be configured
  • Image pull policy is "Always"
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Memory requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
Deployment: goldilocks-dashboard

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • Multiple replicas are scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured

Container goldilocks:

  • Memory limits should be set
  • CPU limits should be set
  • Liveness probe is configured
  • Image tag is specified
  • Is not allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Memory requests are set
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image pull policy is "Always"
  • Readiness probe is configured
Deployment: goldilocks-vpa-admission-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container vpa:

  • CPU limits should be set
  • Memory limits should be set
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Readiness probe is configured
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Image pull policy is "Always"
  • Host port is not configured
  • Memory requests are set
  • Privilege escalation not allowed
Deployment: goldilocks-vpa-recommender

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container vpa:

  • CPU limits should be set
  • Memory limits should be set
  • Readiness probe is configured
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
Deployment: polaris-dashboard

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Multiple replicas are scheduled
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Pod has a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container dashboard:

  • CPU limits should be set
  • Memory limits should be set
  • Container does not have any insecure capabilities
  • Memory requests are set
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
Deployment: prometheus-grafana

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured

Container init-chown-data:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Image tag is specified
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container grafana-sc-dashboard:

  • Image pull policy should be "Always"
  • Memory limits should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • CPU limits should be set
  • Liveness probe should be configured
  • Filesystem should be read only
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Host port is not configured
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities

Container grafana-sc-datasources:

  • CPU limits should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Memory requests should be set
  • Readiness probe should be configured
  • Image pull policy should be "Always"
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities

Container grafana:

  • Filesystem should be read only
  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
Deployment: prometheus-kube-prometheus-operator

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured

Container kube-prometheus-stack:

  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Memory limits should be set
  • Host port is not configured
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Readiness probe is configured
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Image tag is specified
Deployment: prometheus-kube-state-metrics

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured

Container kube-state-metrics:

  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory limits should be set
  • Memory requests should be set
  • CPU limits should be set
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Privilege escalation not allowed
  • Readiness probe is configured
Ingress: alertmanager-ingress

Spec:

  • Ingress has TLS configured
Ingress: goldilocks-ingress

Spec:

  • Ingress has TLS configured
Ingress: grafana-ingress

Spec:

  • Ingress has TLS configured
Ingress: polaris-ingress

Spec:

  • Ingress has TLS configured
Ingress: prometheus-ingress

Spec:

  • Ingress has TLS configured
PodDisruptionBudget: polaris-dashboard

Spec:

  • Voluntary evictions are possible
Prometheus: prometheus-kube-prometheus-prometheus

Spec: no checks applied

Role: prometheus-grafana

Spec:

  • The Role allows Pods/exec or pods/attach
Role: traefik-monitoring-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: prometheus-grafana

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: traefik-monitoring-binding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: goldilocks-controller

Spec: no checks applied

ServiceAccount: goldilocks-dashboard

Spec: no checks applied

ServiceAccount: goldilocks-vpa-admission-controller

Spec: no checks applied

ServiceAccount: goldilocks-vpa-recommender

Spec: no checks applied

ServiceAccount: polaris

Spec: no checks applied

ServiceAccount: prometheus-grafana

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-alertmanager

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-operator

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-prometheus

Spec: no checks applied

ServiceAccount: prometheus-kube-state-metrics

Spec: no checks applied

ServiceAccount: prometheus-prometheus-node-exporter

Spec: no checks applied

Namespace: openfaas

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: gateway

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container gateway:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • The container sets potentially sensitive environment variables
  • Filesystem should be read only
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • CPU limits should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • CPU requests are set
  • Memory requests are set
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged

Container faas-netes:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • The container sets potentially sensitive environment variables
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Readiness probe should be configured
  • Memory limits should be set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory requests are set
  • Image tag is specified
  • Not running as privileged
  • Liveness probe is configured
Deployment: nats

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container nats:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Liveness probe should be configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • CPU requests are set
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
Deployment: queue-worker

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid

Container queue-worker:

  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Readiness probe should be configured
  • CPU limits should be set
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Not running as privileged
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Image tag is specified
  • Memory requests are set
Ingress: openfaas-ingress

Spec:

  • Ingress has TLS configured
Role: openfaas-profiles

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: openfaas-profiles

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: openfaas-controller

Spec: no checks applied

Namespace: openfaas-fn

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: my-node-fn

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container my-node-fn:

  • Should not be allowed to run as root
  • Image tag should be specified
  • Privilege escalation should not be allowed
  • CPU limits should be set
  • Filesystem should be read only
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Memory limits should be set
  • Readiness probe is configured
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Image pull policy is "Always"
  • Not running as privileged
  • Container does not have any dangerous capabilities
Role: openfaas-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: openfaas-controller

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ServiceAccount: default

Spec: no checks applied

Namespace: tracing

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: otel-collector-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: jaeger

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container jaeger:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Memory requests should be set
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Readiness probe should be configured
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Host port is not configured
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
Deployment: otel-collector

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Privileged access to the host check is valid

Container otel-collector:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU limits should be set
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Ingress: jaeger-ingress

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied