Cluster Overview: https://10.43.0.1:443

Smooth sailing within sight
Grade: C+
Score: 78%

Score is the percentage of passing checks. Warnings get half the weight of dangerous checks.

  • 1443 passing checks
  • 671 warning checks
  • 70 dangerous checks

Results by Category

Efficiency (Score: 26%)

Configuring resource requests and limits for workloads running in Kubernetes helps ensure that every container will have access to all the resources it needs. These are also a crucial part of cluster autoscaling logic, as new nodes are only spun up when there is insufficient capacity on existing infrastructure for new pod(s). By default, Polaris validates that resource requests and limits are set; it also includes optional functionality to ensure these requests and limits fall within specified ranges. Refer to the Polaris documentation about Efficiency for more information.

Reliability (Score: 62%)

Kubernetes is built to reliably run highly available applications. Polaris includes a number of checks to ensure that you are maximizing the reliability potential of Kubernetes. Refer to the Polaris documentation about Reliability for more information.

Security (Score: 83%)

Kubernetes provides a great deal of configurability when it comes to the security of your workloads. A key principle here involves limiting the level of access any individual workload has. Polaris has validations for a number of best practices, mostly focused on ensuring that unnecessary access has not been granted to an application workload. Refer to the Polaris documentation about Security for more information.

Cluster Resources

ClusterRole: admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: aggregate-config-audit-reports-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: aggregate-exposed-secret-reports-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: aggregate-vulnerability-reports-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-application-controller

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: argocd-applicationset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-server

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: bw-op-sm-operator-manager-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cainjector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cluster-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificates

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-challenges

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-issuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-orders

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cluster-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: clustercidrs-node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: fluent-bit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: goldilocks-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: goldilocks-dashboard

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx-admission

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: k3s-cloud-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: local-path-provisioner-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: metallb-system:controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: metallb-system:speaker

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: polaris

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-grafana-clusterrole

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-prometheus-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-prometheus-prometheus

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: prometheus-kube-state-metrics

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregated-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:auth-delegator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:basic-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:nodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kubelet-serving-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:legacy-unknown-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:attachdetach-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:certificate-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:cronjob-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:daemon-set-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:deployment-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:disruption-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpoint-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslice-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:expand-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:generic-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:job-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:namespace-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:node-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:persistent-volume-binder

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pod-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pv-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pvc-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replicaset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replication-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resourcequota-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:route-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:selinux-warning-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-account-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-cidrs-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:statefulset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:heapster

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:k3s-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-aggregator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-dns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kubelet-api-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:metrics-server

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:monitoring

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-bootstrapper

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-problem-detector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-proxier

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-provisioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:public-info-viewer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:service-account-issuer-discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:volume-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: traefik-cluster-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: traefik-kube-system

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: trivy-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-admission-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-checkpoint-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-evictioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-target-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRoleBinding: argocd-application-controller

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: argocd-applicationset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: argocd-server

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: bw-op-sm-operator-manager-rolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-cainjector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificates

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-controller-challenges

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-issuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-orders

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cluster-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: clustercidrs-node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: fluent-bit

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: goldilocks-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: goldilocks-dashboard

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: helm-kube-system-traefik

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: helm-kube-system-traefik-crd

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: ingress-nginx

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: ingress-nginx-admission

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: k3s-cloud-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: k3s-cloud-controller-manager-auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: kube-apiserver-kubelet-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: local-path-provisioner-bind

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metallb-system:controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metallb-system:speaker

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metrics-server:system:auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris-view

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-grafana-clusterrolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-prometheus-operator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-prometheus-prometheus

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: prometheus-kube-state-metrics

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:basic-user

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:attachdetach-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:certificate-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:cronjob-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:daemon-set-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:deployment-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:disruption-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpoint-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslice-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:expand-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:generic-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:job-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:namespace-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:node-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:persistent-volume-binder

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pod-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:pv-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pvc-protection-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:replicaset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replication-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:resourcequota-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:route-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:selinux-warning-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-account-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-cidrs-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:statefulset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:ttl-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:discovery

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:k3s-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-dns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:metrics-server

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:monitoring

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:public-info-viewer

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:service-account-issuer-discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:volume-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: traefik-cluster-rolebinding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: traefik-kube-system

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: trivy-operator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-actor

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: vpa-admission-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-checkpoint-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-metrics-reader

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-actor

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: vpa-target-reader-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach

Namespace: argocd

ConfigMap: argocd-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-cmd-params-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-gpg-keys-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-notifications-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-rbac-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-ssh-known-hosts-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-tls-certs-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: argocd-applicationset-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid

Container argocd-applicationset-controller:

  • Liveness probe should be configured
  • Readiness probe should be configured
  • Memory requests should be set
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Host port is not configured
  • Filesystem is read only
  • Image tag is specified
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
Deployment: argocd-dex-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container copyutil:

  • Filesystem is read only
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities

Container dex:

  • Liveness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU limits should be set
  • CPU requests should be set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • Image tag is specified
  • Privilege escalation not allowed
  • Not running as privileged
  • Filesystem is read only
  • Image pull policy is "Always"
Deployment: argocd-notifications-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container argocd-notifications-controller:

  • Memory limits should be set
  • CPU requests should be set
  • Readiness probe should be configured
  • CPU limits should be set
  • Memory requests should be set
  • Host port is not configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: argocd-redis

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container secret-init:

  • Image pull policy should be "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Filesystem is read only

Container redis:

  • CPU limits should be set
  • CPU requests should be set
  • Liveness probe should be configured
  • Readiness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • Image pull policy is "Always"
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Host port is not configured
  • Filesystem is read only
Deployment: argocd-repo-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • The ServiceAccount will not be automounted
  • Host network is not configured

Container copyutil:

  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root

Container argocd-repo-server:

  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Memory requests should be set
  • Container does not have any insecure capabilities
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • Not running as privileged
  • Filesystem is read only
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Is not allowed to run as root
Deployment: argocd-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Priority class should be set
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured

Container argocd-server:

  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Memory requests should be set
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Image pull policy is "Always"
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Filesystem is read only
  • Readiness probe is configured
Ingress: argocd-server-ingress

Spec:

  • Ingress has TLS configured
NetworkPolicy: argocd-application-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-applicationset-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-dex-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-notifications-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-redis-network-policy

Spec: no checks applied

NetworkPolicy: argocd-repo-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-server-network-policy

Spec: no checks applied

Role: argocd-application-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-applicationset-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-dex-server

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-notifications-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-redis

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-server

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: argocd-application-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-applicationset-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-dex-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-notifications-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-redis

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: argocd-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: argocd-application-controller

Spec: no checks applied

ServiceAccount: argocd-applicationset-controller

Spec: no checks applied

ServiceAccount: argocd-dex-server

Spec: no checks applied

ServiceAccount: argocd-notifications-controller

Spec: no checks applied

ServiceAccount: argocd-redis

Spec: no checks applied

ServiceAccount: argocd-repo-server

Spec: no checks applied

ServiceAccount: argocd-server

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

StatefulSet: argocd-application-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-application-controller:

  • Memory limits should be set
  • CPU requests should be set
  • CPU limits should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Image pull policy is "Always"

Namespace: bitwarden

ConfigMap: bw-op-sm-operator-config-map

Spec:

  • Potentially sensitive content is detected in the ConfigMap keys or values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: bw-op-sm-operator-controller-manager

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container manager:

  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Liveness probe is configured
  • Not running as privileged
  • Memory limits are set
  • Memory requests are set
  • Image tag is specified
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • CPU limits are set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
Role: bw-op-sm-operator-leader-election-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: bw-op-sm-operator-leader-election-rolebinding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: bw-op-sm-operator-controller-manager

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: cert-manager

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cert-manager

Spec:

  • Only one replica is scheduled
  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host PID is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container cert-manager-controller:

  • CPU limits should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Not running as privileged
  • Image tag is specified
  • Is not allowed to run as root
  • Liveness probe is configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Host port is not configured
Deployment: cert-manager-cainjector

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured

Container cert-manager-cainjector:

  • Memory limits should be set
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU limits should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • Filesystem is read only
  • Not running as privileged
  • Image tag is specified
Deployment: cert-manager-webhook

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured

Container cert-manager-webhook:

  • Memory limits should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
  • Is not allowed to run as root
  • Liveness probe is configured
  • Privilege escalation not allowed
Role: cert-manager-tokenrequest

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager-webhook:dynamic-serving

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-tokenrequest

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: cert-manager-webhook:dynamic-serving

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: cert-manager

Spec: no checks applied

ServiceAccount: cert-manager-cainjector

Spec: no checks applied

ServiceAccount: cert-manager-webhook

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: database

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

StatefulSet: mysql

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container mysql:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory requests should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory limits should be set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any dangerous capabilities
  • Image tag is specified

Namespace: default

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: development

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: myrelease-myapp-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: api-gateway

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • HostPath volumes are not configured
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container api-gateway:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Filesystem should be read only
  • Liveness probe should be configured
  • Memory requests should be set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Image tag is specified
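
Every security check the report raises for this container is a missing field in the pod or container securityContext, a missing probe or resource block, an unpinned pull policy, an automounted service-account token, or a missing NetworkPolicy. The manifest below is an added example, not the report's output and not the api-gateway project's own manifest: it is one way to clear those findings for development/api-gateway, and the same pattern applies to auth-service, frontend-service, todo-service and the other Deployments in this namespace. The image, port, probe paths, the "standard" PriorityClass, the CoreDNS labels, the kube-system ingress-controller placement and the auth-service egress peer are all assumptions.

```yaml
# Added example: hardened manifest for the development/api-gateway Deployment,
# written to clear the failing checks in the report. Not taken from the report
# or from the api-gateway project. Image, port, probe paths, PriorityClass name
# and peer labels are assumptions; adjust them to the real service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway
  namespace: development
  labels:
    app.kubernetes.io/instance: api-gateway   # must equal metadata.name
spec:
  replicas: 2                                 # "Only one replica is scheduled"
  selector:
    matchLabels:
      app.kubernetes.io/instance: api-gateway
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: api-gateway
    spec:
      automountServiceAccountToken: false     # no API token unless the app needs one
      priorityClassName: standard             # assumed to exist in the cluster
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app.kubernetes.io/instance: api-gateway
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                # one of AppArmor/Seccomp/SELinux/dropped caps
      containers:
        - name: api-gateway
          image: registry.example.com/api-gateway:1.4.2   # assumed; pinned tag, never :latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]                   # clears both capability checks
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 10
          readinessProbe:
            httpGet: { path: /ready, port: 8080 }
            periodSeconds: 5
          volumeMounts:
            - name: tmp                       # scratch space the read-only root cannot provide
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
# Without a NetworkPolicy selecting the pod, every peer in the cluster can reach it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-gateway
  namespace: development
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: api-gateway
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # assumed: ingress controller runs here
      ports:
        - port: 8080
  egress:
    - to:                                     # cluster DNS (assumed CoreDNS labels)
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { port: 53, protocol: UDP }
        - { port: 53, protocol: TCP }
    - to:                                     # the only in-namespace backend it calls
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: auth-service
      ports:
        - port: 8080
```

Apply with `kubectl apply -f` and re-run Polaris; with two replicas, a PodDisruptionBudget with `minAvailable: 1` selecting the same label clears the remaining reliability finding. A read-only root filesystem breaks applications that write outside `/tmp`, so check the container logs after the rollout and add an emptyDir for each path that needs to be writable rather than reverting the setting. The NetworkPolicy only takes effect if the cluster's CNI enforces policies; verify with a `kubectl exec` from a pod that the policy should block.
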
Deployment: auth-service

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured

Container auth-service:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU requests should be set
  • CPU limits should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: frontend-service

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured

Container frontend-service:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU limits should be set
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory limits should be set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
Deployment: hello-service

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured

Container hello-service:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests are set
  • Memory limits are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Memory requests are set
  • CPU limits are set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
Deployment: myrelease-myapp

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured
  • Multiple replicas are scheduled

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured

Container myapp:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU limits should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: todo-service

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container todo-service:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Readiness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
HorizontalPodAutoscaler: hello-service

Spec:

  • HPA minReplicas should be 2 or more
  • HPA has a valid max and min replica configuration
Ingress: api-gateway-ingress

Spec:

  • Ingress has TLS configured
Ingress: frontend-ingress

Spec:

  • Ingress has TLS configured
Ingress: hello-ingress

Spec:

  • Ingress has TLS configured
Ingress: myrelease-myapp

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

Namespace: elastic

ConfigMap: fluent-bit-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: fluent-bit

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • HostPath volumes must be forbidden
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Host PID is not configured

Container fluent-bit:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • CPU limits should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Memory requests should be set
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
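
A node-level log shipper is the one workload in this report with a legitimate reason for a hostPath volume, which is why the finding is raised at the "must" level rather than silently accepted. The manifest below is an added example, not the report's output and not the fluent-bit project's own manifest: it keeps the hostPath mount but makes it read-only, puts the only writable path on an emptyDir, and records the accepted exception with a per-check Polaris exemption annotation on the controller instead of disabling the check cluster-wide. The image tag, the ConfigMap name (reused from the report), the state path and the check ID `hostPathSet` (taken from the Polaris check list; confirm it against the installed Polaris version) are assumptions.

```yaml
# Added example: fluent-bit DaemonSet with a read-only hostPath and a recorded
# exemption for the hostPath check. Not from the report or the fluent-bit
# project. Image tag, state path and the check ID are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluent-bit
  namespace: elastic
  labels:
    app.kubernetes.io/instance: fluent-bit
  annotations:
    # Exempt only this check, only on this workload. Polaris keys the check on
    # the presence of a hostPath volume, so the read-only mount alone does not
    # clear it; the annotation is the audit trail for the accepted exception.
    polaris.fairwinds.com/hostPathSet-exempt: "true"
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: fluent-bit
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: fluent-bit
    spec:
      serviceAccountName: fluent-bit
      automountServiceAccountToken: true      # the kubernetes filter needs API access
      containers:
        - name: fluent-bit
          image: fluent/fluent-bit:3.0.7      # assumed pinned tag
          imagePullPolicy: Always
          resources:
            requests: { cpu: 50m, memory: 64Mi }
            limits:   { cpu: 200m, memory: 128Mi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true                  # the shipper only ever reads node logs
            - name: config
              mountPath: /fluent-bit/etc/
              readOnly: true
            - name: state
              mountPath: /var/fluent-bit/state   # tail offset DB, the only writable path
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
            type: Directory
        - name: config
          configMap:
            name: fluent-bit-config
        - name: state
          emptyDir: {}
```

Two caveats a reviewer should expect. First, the kubelet writes pod logs under `/var/log/pods` as root on most node images, so the shipper may still need to run as root to read them; if it does, record that exception the same way instead of leaving the root finding unexplained. Second, keeping the tail database on an emptyDir means a restarted pod re-reads from the position Fluent Bit's tail input chooses for new files, so if log continuity across restarts matters the state directory has to be a (writable) hostPath too, and the exemption then covers both volumes.
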
Deployment: elasticsearch

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Privileged access to the host check is valid

Container elasticsearch:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Memory limits should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Liveness probe should be configured
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: kibana

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid
  • Host IPC is not configured

Container kibana:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • Filesystem should be read only
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
Ingress: kibana-ingress

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

ServiceAccount: fluent-bit

Spec: no checks applied

Namespace: harbor

ConfigMap: harbor-core

Spec:

  • Potentially sensitive content is detected in the ConfigMap keys or values
ConfigMap: harbor-jobservice

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: harbor-jobservice-env

Spec:

  • Potentially sensitive content is detected in the ConfigMap keys or values
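
Two of the Harbor ConfigMaps are flagged for sensitive content. The report does not say which key matched, so the first step is `kubectl -n harbor get configmap harbor-core -o yaml` to find it; a ConfigMap is readable by anyone with `get` on configmaps in the namespace, which is usually a far wider audience than the set of identities allowed to read Secrets. The manifests below are an added example, not the report's output and not the Harbor chart's own templates: they show the weak layout next to the corrected one, moving the credential to a Secret and injecting it by reference. The key name `POSTGRESQL_PASSWORD`, its value, the Secret name, the image tag and the pod labels are hypothetical.

```yaml
# Added example (not from the report or the Harbor chart): move a credential
# flagged by the sensitive-content check out of a ConfigMap into a Secret.
# The key, value, Secret name, labels and image tag are hypothetical.

# Before: the credential lives in plain config next to harmless settings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-core
  namespace: harbor
data:
  POSTGRESQL_HOST: harbor-database
  POSTGRESQL_PASSWORD: "s3cr3t-changeme"      # <- what the check is catching
---
# After: only non-sensitive settings remain in the ConfigMap ...
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-core
  namespace: harbor
data:
  POSTGRESQL_HOST: harbor-database
---
# ... the credential moves to a Secret. base64 is encoding, not encryption:
# restrict who can read Secrets with RBAC and enable encryption at rest.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-core-db            # hypothetical name
  namespace: harbor
type: Opaque
stringData:                       # plain text here; the API server stores it base64-encoded
  POSTGRESQL_PASSWORD: "s3cr3t-changeme"
---
# ... and the container receives both by reference, so the value never appears
# in the pod spec (the sensitive-env-var check would flag a literal there too).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-core
  namespace: harbor
spec:
  selector:
    matchLabels: { app.kubernetes.io/instance: harbor-core }
  template:
    metadata:
      labels: { app.kubernetes.io/instance: harbor-core }
    spec:
      automountServiceAccountToken: false
      containers:
        - name: core
          image: goharbor/harbor-core:v2.10.0     # assumed tag
          envFrom:
            - configMapRef:
                name: harbor-core
          env:
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: harbor-core-db
                  key: POSTGRESQL_PASSWORD
```

Rotate the credential after the move, since its old value has already been exposed to everyone who could read the ConfigMap, and check the cluster's audit log or `kubectl get configmap -A -o yaml | grep -i password` style sweeps for other copies. If these ConfigMaps are rendered by the Harbor Helm chart, change the chart values that control secret placement rather than editing the rendered objects, or the next `helm upgrade` will put the value back.
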
ConfigMap: harbor-portal

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: harbor-registry

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: harbor-registryctl

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: harbor-core

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Privileged access to the host check is valid

Container core:

  • CPU limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
Deployment: harbor-jobservice

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container jobservice:

  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Readiness probe is configured
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: harbor-portal

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container portal:

  • CPU limits should be set
  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
Deployment: harbor-registry

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured

Container registry:

  • Memory requests should be set
  • Image pull policy should be "Always"
  • Memory limits should be set
  • CPU requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Readiness probe is configured
  • Privilege escalation not allowed
  • Image tag is specified
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container registryctl:

  • Filesystem should be read only
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
Ingress: harbor-ingress

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

StatefulSet: harbor-database

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container data-permissions-ensurer:

  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Host port is not configured
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables

Container database:

  • Memory requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
StatefulSet: harbor-redis

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured

Container redis:

  • CPU requests should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • CPU limits should be set
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Is not allowed to run as root
  • Host port is not configured
  • Image tag is specified
StatefulSet: harbor-trivy

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured

Container trivy:

  • Image pull policy should be "Always"
  • Filesystem should be read only
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Not running as privileged
  • Is not allowed to run as root
  • Privilege escalation not allowed
  • Readiness probe is configured
  • CPU limits are set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Memory limits are set
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified

Namespace: kube-node-lease

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: kube-public

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
ServiceAccount: default

Spec: no checks applied

Namespace: kube-system

ConfigMap: chart-content-traefik

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: chart-content-traefik-crd

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cluster-dns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: extension-apiserver-authentication

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-apiserver-legacy-service-account-token-tracking

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: local-path-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: svclb-traefik-8c4af31e

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • The ServiceAccount will not be automounted
  • HostPath volumes are not configured
  • Priority class has been set

Container lb-tcp-80:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • CPU limits should be set
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Host port should not be configured
  • Container should not have insecure capabilities
  • Memory limits should be set
  • Image tag is specified
  • Not running as privileged
  • The container does not set potentially sensitive environment variables

Container lb-tcp-443:

  • Container should not have dangerous capabilities
  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Host port should not be configured
  • Liveness probe should be configured
  • Memory limits should be set
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Filesystem should be read only
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Deployment: coredns

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Pod has a valid topology spread constraint

Container coredns:

  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Memory limits are set
  • Filesystem is read only
  • Memory requests are set
  • Readiness probe is configured
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Privilege escalation not allowed
Deployment: local-path-provisioner

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Priority class has been set
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container local-path-provisioner:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Filesystem should be read only
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Memory limits should be set
  • Memory requests should be set
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Image tag is specified
Deployment: metrics-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set

Container metrics-server:

  • CPU limits should be set
  • Image pull policy should be "Always"
  • Memory limits should be set
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • CPU requests are set
  • Host port is not configured
  • Privilege escalation not allowed
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Not running as privileged
  • Is not allowed to run as root
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Memory requests are set
Deployment: traefik

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • HostPath volumes are not configured
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container traefik:

  • Memory limits should be set
  • Memory requests should be set
  • CPU limits should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Filesystem is read only
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Is not allowed to run as root
  • Image tag is specified
Job: helm-install-traefik-crd

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container helm:

  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Host port is not configured
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Image tag is specified
Role: cert-manager-cainjector:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: extension-apiserver-authentication-reader

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-controller-manager

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-scheduler

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:cloud-provider

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:token-cleaner

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-cainjector:leaderelection

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: cert-manager:leaderelection

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: k3s-cloud-controller-manager-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: metrics-server-auth-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::extension-apiserver-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-controller-manager

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: system::leader-locking-kube-scheduler

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:cloud-provider

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:token-cleaner

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ServiceAccount: attachdetach-controller

Spec: no checks applied

ServiceAccount: certificate-controller

Spec: no checks applied

ServiceAccount: clusterrole-aggregation-controller

Spec: no checks applied

ServiceAccount: coredns

Spec: no checks applied

ServiceAccount: cronjob-controller

Spec: no checks applied

ServiceAccount: daemon-set-controller

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: deployment-controller

Spec: no checks applied

ServiceAccount: disruption-controller

Spec: no checks applied

ServiceAccount: endpoint-controller

Spec: no checks applied

ServiceAccount: endpointslice-controller

Spec: no checks applied

ServiceAccount: endpointslicemirroring-controller

Spec: no checks applied

ServiceAccount: ephemeral-volume-controller

Spec: no checks applied

ServiceAccount: expand-controller

Spec: no checks applied

ServiceAccount: generic-garbage-collector

Spec: no checks applied

ServiceAccount: helm-traefik

Spec: no checks applied

ServiceAccount: helm-traefik-crd

Spec: no checks applied

ServiceAccount: horizontal-pod-autoscaler

Spec: no checks applied

ServiceAccount: job-controller

Spec: no checks applied

ServiceAccount: legacy-service-account-token-cleaner

Spec: no checks applied

ServiceAccount: local-path-provisioner-service-account

Spec: no checks applied

ServiceAccount: metrics-server

Spec: no checks applied

ServiceAccount: namespace-controller

Spec: no checks applied

ServiceAccount: node-controller

Spec: no checks applied

ServiceAccount: persistent-volume-binder

Spec: no checks applied

ServiceAccount: pod-garbage-collector

Spec: no checks applied

ServiceAccount: pv-protection-controller

Spec: no checks applied

ServiceAccount: pvc-protection-controller

Spec: no checks applied

ServiceAccount: replicaset-controller

Spec: no checks applied

ServiceAccount: replication-controller

Spec: no checks applied

ServiceAccount: resourcequota-controller

Spec: no checks applied

ServiceAccount: root-ca-cert-publisher

Spec: no checks applied

ServiceAccount: service-account-controller

Spec: no checks applied

ServiceAccount: service-cidrs-controller

Spec: no checks applied

ServiceAccount: statefulset-controller

Spec: no checks applied

ServiceAccount: svclb

Spec: no checks applied

ServiceAccount: token-cleaner

Spec: no checks applied

ServiceAccount: traefik

Spec: no checks applied

ServiceAccount: ttl-after-finished-controller

Spec: no checks applied

ServiceAccount: ttl-controller

Spec: no checks applied

ServiceAccount: validatingadmissionpolicy-status-controller

Spec: no checks applied

Namespace: monitoring

Alertmanager: prometheus-kube-prometheus-alertmanager

Spec: no checks applied

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-grafana

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-grafana-config-dashboards

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-alertmanager-overview

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-apiserver

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-cluster-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-controller-manager

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-etcd

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-grafana-datasource

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-grafana-overview

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-cluster

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-multicluster

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-namespace

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-node

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-pod

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-workload

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-k8s-resources-workloads-namespace

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-kubelet

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-namespace-by-pod

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-namespace-by-workload

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-node-cluster-rsrc-use

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-node-rsrc-use

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes-aix

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-nodes-darwin

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-persistentvolumesusage

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-pod-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-prometheus

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-proxy

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-scheduler

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-kube-prometheus-workload-total

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: prometheus-prometheus-kube-prometheus-prometheus-rulefiles-0

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: prometheus-prometheus-node-exporter

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • Host PID should not be configured
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • HostPath volumes must be forbidden
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container node-exporter:

  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Filesystem is read only
  • Readiness probe is configured
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: goldilocks-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container goldilocks:

  • Memory limits should be set
  • Readiness probe should be configured
  • CPU limits should be set
  • Liveness probe should be configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Image pull policy is "Always"
  • CPU requests are set
  • Host port is not configured
  • Memory requests are set
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
Deployment: goldilocks-dashboard

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Multiple replicas are scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container goldilocks:

  • CPU limits should be set
  • Memory limits should be set
  • Liveness probe is configured
  • Memory requests are set
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Not running as privileged
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
Deployment: goldilocks-vpa-admission-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container vpa:

  • Memory limits should be set
  • CPU limits should be set
  • Host port is not configured
  • Filesystem is read only
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Readiness probe is configured
  • CPU requests are set
  • Liveness probe is configured
  • Not running as privileged
Deployment: goldilocks-vpa-recommender

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • HostPath volumes are not configured
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured

Container vpa:

  • CPU limits should be set
  • Memory limits should be set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Readiness probe is configured
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Image tag is specified
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Not running as privileged
  • Is not allowed to run as root
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
Deployment: polaris-dashboard

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Multiple replicas are scheduled
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Pod has a valid topology spread constraint
  • Host PID is not configured
  • Privileged access to the host check is valid

Container dashboard:

  • Memory limits should be set
  • CPU limits should be set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Privilege escalation not allowed
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Readiness probe is configured
  • Host port is not configured
  • Memory requests are set
  • Image pull policy is "Always"
  • Is not allowed to run as root
Deployment: prometheus-grafana

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured

Container init-chown-data:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities

Container grafana-sc-dashboard:

  • Readiness probe should be configured
  • Filesystem should be read only
  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Liveness probe should be configured
  • Memory limits should be set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Host port is not configured

Container grafana-sc-datasources:

  • Readiness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Liveness probe should be configured
  • Filesystem should be read only
  • CPU limits should be set
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged

Container grafana:

  • CPU requests should be set
  • Memory limits should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Liveness probe is configured
  • Readiness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Is not allowed to run as root
Deployment: prometheus-kube-prometheus-operator

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Priority class should be set
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Host network is not configured

Container kube-prometheus-stack:

  • Memory requests should be set
  • Image pull policy should be "Always"
  • Memory limits should be set
  • CPU requests should be set
  • CPU limits should be set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • Image tag is specified
  • Is not allowed to run as root
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: prometheus-kube-state-metrics

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container kube-state-metrics:

  • Memory limits should be set
  • Memory requests should be set
  • CPU limits should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Filesystem is read only
Ingress: alertmanager-ingress

Spec:

  • Ingress has TLS configured
Ingress: goldilocks-ingress

Spec:

  • Ingress has TLS configured
Ingress: grafana-ingress

Spec:

  • Ingress has TLS configured
Ingress: polaris-ingress

Spec:

  • Ingress has TLS configured
Ingress: prometheus-ingress

Spec:

  • Ingress has TLS configured
PodDisruptionBudget: polaris-dashboard

Spec:

  • Voluntary evictions are possible
Prometheus: prometheus-kube-prometheus-prometheus

Spec: no checks applied

Role: prometheus-grafana

Spec:

  • The Role allows Pods/exec or pods/attach
Role: traefik-monitoring-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: prometheus-grafana

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: traefik-monitoring-binding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: goldilocks-controller

Spec: no checks applied

ServiceAccount: goldilocks-dashboard

Spec: no checks applied

ServiceAccount: goldilocks-vpa-admission-controller

Spec: no checks applied

ServiceAccount: goldilocks-vpa-recommender

Spec: no checks applied

ServiceAccount: polaris

Spec: no checks applied

ServiceAccount: prometheus-grafana

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-alertmanager

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-operator

Spec: no checks applied

ServiceAccount: prometheus-kube-prometheus-prometheus

Spec: no checks applied

ServiceAccount: prometheus-kube-state-metrics

Spec: no checks applied

ServiceAccount: prometheus-prometheus-node-exporter

Spec: no checks applied

Namespace: openfaas

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: gateway

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Privileged access to the host check is valid
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured

Container gateway:

  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • CPU limits should be set
  • Filesystem should be read only
  • Liveness probe is configured
  • Memory requests are set
  • Image tag is specified
  • CPU requests are set
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities

Container faas-netes:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • CPU limits should be set
  • Memory limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Not running as privileged
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory requests are set
  • Image tag is specified
  • Liveness probe is configured
Deployment: nats

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container nats:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU limits should be set
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory limits should be set
  • Readiness probe should be configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Memory requests are set
  • Image tag is specified
  • Host port is not configured
Deployment: queue-worker

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Privileged access to the host check is valid

Container queue-worker:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Memory limits should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Not running as privileged
  • Host port is not configured
  • Memory requests are set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Image tag is specified
Ingress: openfaas-ingress

Spec:

  • Ingress has TLS configured
Role: openfaas-profiles

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: openfaas-profiles

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ServiceAccount: default

Spec: no checks applied

ServiceAccount: openfaas-controller

Spec: no checks applied

Namespace: openfaas-fn

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: my-node-fn

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured

Container my-node-fn:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Image tag should be specified
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
Role: openfaas-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: openfaas-controller

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ServiceAccount: default

Spec: no checks applied

Namespace: tracing

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: otel-collector-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: jaeger

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid

Container jaeger:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory limits should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Liveness probe should be configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: otel-collector

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container otel-collector:

  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
Ingress: jaeger-ingress

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

Namespace: trivy-system

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: trivy-operator

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: trivy-operator-config

Spec:

  • Potentially sensitive content is detected in the ConfigMap keys or values
ConfigMap: trivy-operator-trivy-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: trivy-operator

Spec:

  • Only one replica is scheduled
  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container trivy-operator:

  • Should not be allowed to run as root
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Memory limits should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Liveness probe is configured
  • Filesystem is read only
  • Not running as privileged
  • Privilege escalation not allowed
  • Readiness probe is configured
Role: trivy-operator

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: trivy-operator-leader-election

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: trivy-operator

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: trivy-operator-leader-election

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: trivy-operator

Spec: no checks applied