Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ID Field for K8s Policies' Metadata #826

Merged
merged 2 commits into from
Jun 1, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "TLS disabled can affect the confidentiality of the data in transit",
"reference_id": "AC-K8-NS-IN-H-0020",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0002"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "No owner for namespace affects the operations",
"reference_id": "AC-K8-OE-NS-L-0128",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0013"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Containers Should Not Run with AllowPrivilegeEscalation",
"reference_id": "AC-K8-CA-PO-H-0165",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_K8S_0085"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure Kubernetes Dashboard Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0176",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_K8S_0067"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure That Tiller (Helm V2) Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0177",
"category": "Data Protection",
"version": 1
"version": 1,
"id": "AC_K8S_0071"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Minimize the admission of privileged containers",
"reference_id": "AC-K8-IA-PO-H-0106",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0046"
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Allowing the pod to make system level calls provide access to host/node sensitive information",
"reference_id": "AC-K8-IA-PO-H-0137",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0074"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem",
"reference_id": "AC-K8-IA-PO-H-0138",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0076"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Minimize Admission of Root Containers",
"reference_id": "AC-K8-IA-PO-H-0168",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0087"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure that Service Account Tokens are only mounted where necessary",
"reference_id": "AC-K8-IA-PO-M-0105",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0045"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
"reference_id": "AC-K8-IA-PO-M-0135",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0073"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s",
"reference_id": "AC-K8-IA-PO-M-0139",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0077"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
"reference_id": "AC-K8-IA-PO-M-0140",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0078"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
"reference_id": "AC-K8-IA-PO-M-0141",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0080"
}
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,6 @@
"description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host",
"reference_id": "AC-K8-IA-PO-M-0143",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0081"
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share Host Process ID Namespace",
"reference_id": "AC-K8-IA-PO-M-0162",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0082"
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,6 @@
"description": "Minimize the admission of containers with the NET_RAW capability",
"reference_id": "AC-K8-IA-PS-M-0112",
"category": "Identity and Access Management",
"version": 1
"version": 1,
"id": "AC_K8S_0048"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Prefer using secrets as files over secrets as environment variables",
"reference_id": "AC-K8-NS-PO-H-0117",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0051"
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
"reference_id": "AC-K8-NS-PO-H-0170",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0075"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Apply Security Context to Your Pods and Containers",
"reference_id": "AC-K8-NS-PO-M-0122",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0064"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Image without digest affects the integrity principle of image security",
"reference_id": "AC-K8-NS-PO-M-0133",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0069"
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share Host IPC Namespace",
"reference_id": "AC-K8-NS-PO-M-0163",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0083"
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "Containers Should Not Share the Host Network Namespace",
"reference_id": "AC-K8-NS-PO-M-0164",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0084"
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,6 @@
"description": "Restrict Mounting Docker Socket in a Container",
"reference_id": "AC-K8-NS-PO-M-0171",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0088"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Containers Should Run as a High UID to Avoid Host Conflict",
"reference_id": "AC-K8-NS-PO-M-0182",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0079"
}
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,6 @@
"description": "AlwaysPullImages plugin is not set",
"reference_id": "AC-K8-OE-PK-M-0034",
"category": "Compliance Validation",
"version": 1
"version": 1,
"id": "AC_K8S_0021"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "CPU Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0155",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0097"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "CPU Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0156",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0098"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Memory Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0157",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0099"
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
"description": "Memory Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0158",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0100"
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
"reference_id": "AC-K8-OE-PO-L-0129",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0070"
}
Original file line number Diff line number Diff line change
Expand Up @@ -14,5 +14,6 @@
"description": "No readiness probe will affect automatic recovery in case of unexpected errors",
"reference_id": "AC-K8-OE-PO-L-0130",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0072"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "No tag or container image with :Latest tag makes difficult to rollback and track",
"reference_id": "AC-K8-OE-PO-L-0134",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0068"
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
"prefix": "",
"suffix": ""
},
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Default Namespace Should Not be Used",
"reference_id": "AC-K8-OE-PO-M-0166",
"category": "Security Best Practices",
"version": 1
"version": 1,
"id": "AC_K8S_0086"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Ensure that the Tiller Service (Helm v2) is deleted",
"reference_id": "AC-K8-NS-SE-M-0185",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0110"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Restrict the use of externalIPs",
"reference_id": "AC-K8-NS-SE-M-0188",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0112"
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,6 @@
"description": "Nodeport service can expose the worker nodes as they have public interface",
"reference_id": "AC-K8-NS-SV-L-0132",
"category": "Infrastructure Security",
"version": 1
"version": 1,
"id": "AC_K8S_0111"
}