Cluster Overview: https://10.0.0.1:443

Smooth sailing within sight
Grade: C-
Score: 71%

Score is the percentage of passing checks. Warnings get half the weight of dangerous checks.

  • 1654 passing checks
  • 900 warning checks
  • 203 dangerous checks
Some checks were skipped based on configured exemptions. Click here to view the report with these checks included.
Kubernetes Version: 1.31
Nodes: 4
Namespaces: 34
Controllers: 100
Pods: 0

Results by Category

EfficiencyScore: 43%

Configuring resource requests and limits for workloads running in Kubernetes helps ensure that every container will have access to all the resources it needs. These are also a crucial part of cluster autoscaling logic, as new nodes are only spun up when there is insufficient capacity on existing infrastructure for new pod(s). By default, Polaris validates that resource requests and limits are set, it also includes optional functionality to ensure these requests and limits fall within specified ranges. Refer to the Polaris documentation about Efficiency for more information.

ReliabilityScore: 67%

Kubernetes is built to reliabily run highly available applications. Polaris includes a number of checks to ensure that you are maximizing the reliability potential of Kubernetes. Refer to the Polaris documentation about Reliability for more information.

SecurityScore: 68%

Kubernetes provides a great deal of configurability when it comes to the security of your workloads. A key principle here involves limiting the level of access any individual workload has. Polaris has validations for a number of best practices, mostly focused on ensuring that unnecessary access has not been granted to an application workload. Refer to the Polaris documentation about Security for more information.

Filter by Namespace

Cluster Resources

ClusterRole: acn-multitenancy-editor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: aks-service

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: appmonitoringconfig-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-application-controller

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: argocd-server

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: cert-manager-cainjector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cluster-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificates

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-challenges

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-issuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-orders

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cilium

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cilium-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cloud-node-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cluster-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: container-health-log-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: csi-azuredisk-node-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: csi-azurefile-node-secret-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: hydra-hydra-maester-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: pod-reader-all-namespaces

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: polaris

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: postgres-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: postgres-pod

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: redis-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: reloader-reloader-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:auth-delegator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:azure-cloud-provider

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:azure-cloud-provider-secret-getter

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:basic-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:nodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kubelet-serving-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:legacy-unknown-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:attachdetach-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:certificate-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:cronjob-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:daemon-set-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:deployment-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:disruption-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpoint-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslice-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:expand-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:generic-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:job-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:namespace-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:node-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:persistent-volume-binder

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pod-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pv-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pvc-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replicaset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replication-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resourcequota-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:route-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-account-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:statefulset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:heapster

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:konnectivity-agent-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-aggregator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-dns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kubelet-api-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:metrics-server

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:monitoring

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-bootstrapper

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-problem-detector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-proxier

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-provisioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-secret-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:prometheus

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:public-info-viewer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:service-account-issuer-discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:volume-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-admission-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-checkpoint-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-evictioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-target-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRoleBinding: acn-multitenancy-editor-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: aks-cluster-admin-binding

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: aks-cluster-admin-binding-aad

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: aks-service-rolebinding

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: appmonitoringconfig-user-global

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: argocd-application-controller

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: argocd-server

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: auto-approve-csrs-for-group

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: auto-approve-renewals-for-nodes

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-cainjector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-controller-certificates

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-challenges

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-controller-issuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-orders

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cilium

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cilium-operator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cloud-node-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cluster-admin

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: container-health-read-logs-global

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: create-csrs-for-bootstrapping

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: csi-azuredisk-node-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: csi-azurefile-node-secret-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: hydra-hydra-maester-role-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: ingress-nginx

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metrics-server:system:auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: pod-reader-all-namespaces-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris-view

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: postgres-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: redis-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: reloader-reloader-role-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:aks-client-node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:azure-cloud-provider

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:azure-cloud-provider-secret-getter

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:basic-user

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:attachdetach-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:certificate-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:cronjob-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:daemon-set-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:deployment-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:disruption-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpoint-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:endpointslice-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:expand-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:generic-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:job-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:namespace-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:node-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:persistent-volume-binder

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pod-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pv-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pvc-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replicaset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replication-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:resourcequota-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:route-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-account-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:statefulset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns-autoscaler

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:konnectivity-agent-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-dns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:metrics-server

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:monitoring

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:persistent-volume-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:prometheus

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:public-info-viewer

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:service-account-issuer-discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:volume-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-admission-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-checkpoint-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-evictionter-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-metrics-reader

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-reader-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-target-reader-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach

Namespace: adminconsole

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: mongodb-charts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: adminconsole-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Host port is not configured
  • Image tag is specified
  • Not running as privileged
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
Ingress: adminconsole-ui

Spec:

  • Ingress has TLS configured
ServiceAccount: adminconsole

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: aks-command

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: argocd

ConfigMap: argocd-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-cmd-params-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-gpg-keys-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-notifications-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-rbac-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-ssh-known-hosts-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-tls-certs-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: argocd-applicationset-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-applicationset-controller:

  • CPU requests should be set
  • Memory requests should be set
  • Liveness probe should be configured
  • Readiness probe should be configured
  • Host port is not configured
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
Deployment: argocd-dex-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container copyutil:

  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container dex:

  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Image tag is specified
Deployment: argocd-notifications-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container argocd-notifications-controller:

  • CPU requests should be set
  • Memory requests should be set
  • Readiness probe should be configured
  • Liveness probe is configured
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: argocd-redis

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • A NetworkPolicy matches pod labels and contains egress and ingress rules

Container redis:

  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Filesystem should be read only
  • CPU requests should be set
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Privilege escalation not allowed
Deployment: argocd-repo-server

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured

Container copyutil:

  • Image pull policy should be "Always"
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only

Container argocd-repo-server:

  • Memory requests should be set
  • CPU requests should be set
  • Filesystem is read only
  • Image pull policy is "Always"
  • Image tag is specified
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
Deployment: argocd-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-server:

  • CPU requests should be set
  • Memory requests should be set
  • Filesystem is read only
  • Container does not have any insecure capabilities
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Readiness probe is configured
Ingress: argocd-server-ingress

Spec:

  • Ingress has TLS configured
NetworkPolicy: argocd-application-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-applicationset-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-dex-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-notifications-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-redis-network-policy

Spec: no checks applied

NetworkPolicy: argocd-repo-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-server-network-policy

Spec: no checks applied

Role: argocd-application-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-applicationset-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-dex-server

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-notifications-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-server

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: argocd-application-controller

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: argocd-applicationset-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-dex-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-notifications-controller

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: argocd-redis

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: argocd-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: argocd-application-controller

Spec: no checks applied

ServiceAccount: argocd-applicationset-controller

Spec: no checks applied

ServiceAccount: argocd-dex-server

Spec: no checks applied

ServiceAccount: argocd-notifications-controller

Spec: no checks applied

ServiceAccount: argocd-redis

Spec: no checks applied

ServiceAccount: argocd-repo-server

Spec: no checks applied

ServiceAccount: argocd-server

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

StatefulSet: argocd-application-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-application-controller:

  • Liveness probe should be configured
  • Memory requests should be set
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Privilege escalation not allowed
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Not running as privileged

Namespace: azure-agent

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgov-test-agent

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgov-test-agent:

  • Privilege escalation should not be allowed
  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy is "Always"
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
ServiceAccount: default

Spec: no checks applied

Namespace: cert-manager

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cert-manager

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-controller:

  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Filesystem is read only
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Privilege escalation not allowed
  • Not running as privileged
Deployment: cert-manager-cainjector

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-cainjector:

  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Not running as privileged
  • Privilege escalation not allowed
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
Deployment: cert-manager-webhook

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-webhook:

  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Is not allowed to run as root
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Not running as privileged
Role: cert-manager-webhook:dynamic-serving

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-webhook:dynamic-serving

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: cert-manager

Spec: no checks applied

ServiceAccount: cert-manager-cainjector

Spec: no checks applied

ServiceAccount: cert-manager-webhook

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: cloudadmin

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RoleBinding: azdev-rb-azdev-sa-6aa184-admin-on-cloudadmin

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-6aa184

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: default

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-manager-scripts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: dge

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: dotgovadmin

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: dotgovdocs

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovdocs-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • Image tag is specified
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Ingress: dotgovdocs-api

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-4aa615-admin-on-dotgovdocs

Spec:

  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-4aa615

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovdocs

Spec: no checks applied

Namespace: dotgovengine

ConfigMap: eservices-dgf-dotgovengine-api

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: eservices-dgf-dotgovengine-ui

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: eservices-dgf-dotgovengine-web

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: intranet-dgf-dotgovengine-api

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: intranet-dgf-dotgovengine-ui

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: intranet-dgf-dotgovengine-web

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: eservices-dgf-dotgovengine-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-api:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Host port is not configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • Liveness probe is configured
  • Image tag is specified
Deployment: eservices-dgf-dotgovengine-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • The ServiceAccount will not be automounted

Container dotgovengine-ui:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Memory requests are set
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
Deployment: eservices-dgf-dotgovengine-web

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-web:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Memory requests are set
  • CPU requests are set
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
Deployment: intranet-dgf-dotgovengine-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-api:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Readiness probe should be configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Host port is not configured
  • Memory requests are set
  • Liveness probe is configured
  • Image tag is specified
Deployment: intranet-dgf-dotgovengine-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • The ServiceAccount will not be automounted
  • Host IPC is not configured

Container dotgovengine-ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • CPU requests are set
  • Host port is not configured
Deployment: intranet-dgf-dotgovengine-web

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-web:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • Not running as privileged
  • Image tag is specified
  • CPU requests are set
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
Ingress: eservices-dgf-dotgovengine-api

Spec:

  • Ingress has TLS configured
Ingress: eservices-dgf-dotgovengine-ui

Spec:

  • Ingress has TLS configured
Ingress: eservices-dgf-dotgovengine-web

Spec:

  • Ingress has TLS configured
Ingress: intranet-dgf-dotgovengine-api

Spec:

  • Ingress has TLS configured
Ingress: intranet-dgf-dotgovengine-ui

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-05973c-admin-on-dotgovengine

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-05973c

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: eservices-dgf-dotgovengine

Spec: no checks applied

ServiceAccount: intranet-dgf-dotgovengine

Spec: no checks applied

Namespace: dotgovframework

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovframework-backofficeapi

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container workspace-webasm:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified

Container workspace-zims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Host port is not configured
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Image tag is specified

Container workspace-applibs:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged

Container backofficeapi:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • The container does not set potentially sensitive environment variables
  • Memory requests are set
  • Image tag is specified
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovframework-backofficeui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container backofficeui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • CPU requests are set
  • Host port is not configured
  • Memory requests are set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
Deployment: dotgovframework-frontofficeapi

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container workspace-webasm:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container workspace-zims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured

Container workspace-applibs:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Host port is not configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container frontofficeapi:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
  • Memory requests are set
Deployment: dotgovframework-frontofficeui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container frontofficeui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • CPU requests are set
  • Memory requests are set
Ingress: dotgovframework-backofficeapi

Spec:

  • Ingress has TLS configured
Ingress: dotgovframework-backofficeui

Spec:

  • Ingress has TLS configured
Ingress: dotgovframework-frontofficeapi

Spec:

  • Ingress has TLS configured
Ingress: dotgovframework-frontofficeui

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-2b7fa7-admin-on-dotgovframework

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-2b7fa7

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovframework

Spec: no checks applied

Namespace: dotgovmobileid

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: dotgovnotify

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovnotify-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Host port is not configured
Deployment: dotgovnotify-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Liveness probe is configured
  • Not running as privileged
Deployment: dotgovnotify-firebase

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container firebase:

  • Privilege escalation should not be allowed
  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovnotify-jobservice

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container jobservice:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image tag should be specified
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Liveness probe is configured
Deployment: dotgovnotify-otp

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container otp:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Memory requests should be set
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovnotify-preferences

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container preferences:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
Deployment: dotgovnotify-sendgrid

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container sendgrid:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovnotify-telegram

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container telegram:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
Deployment: dotgovnotify-templates

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container templates:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Liveness probe is configured
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovnotify-twiliosms

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container twiliosms:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image tag should be specified
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Host port is not configured
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
Deployment: dotgovnotify-twiliowhatsapp

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container twiliowhatsapp:

  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovnotify-zamtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container zamtel:

  • Privilege escalation should not be allowed
  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
Ingress: dotgovnotify-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-otp

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-preferences

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-sendgrid

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-templates

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-9bc333-admin-on-dotgovnotify

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-9bc333

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovnotify

Spec: no checks applied

Namespace: dotgovpass

ConfigMap: hydra

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: hydra-migrate

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kratos-dotgovpasskratos-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kratos-dotgovpasskratos-migrate

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpass-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Image tag is specified
  • Liveness probe is configured
Deployment: dotgovpass-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovpass-claims

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container claims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpass-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
Deployment: hydra

Spec:

  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured
  • Label app.kubernetes.io/instance matches metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container hydra:

  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Liveness probe should be configured
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
Deployment: hydra-hydra-maester

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container hydra-maester:

  • Readiness probe should be configured
  • Liveness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Not running as privileged
Deployment: kratos-dotgovpasskratos

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovpasskratos:

  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Filesystem is read only
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
Ingress: dotgovpass-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-claims

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-ui

Spec:

  • Ingress has TLS configured
Ingress: hydra-admin

Spec:

  • Ingress has TLS configured
Ingress: hydra-public

Spec:

  • Ingress has TLS configured
Ingress: kratos-dotgovpasskratos-admin

Spec:

  • Ingress has TLS configured
Ingress: kratos-dotgovpasskratos-public

Spec:

  • Ingress has TLS configured
Job: hydra-automigrate

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container hydra-automigrate:

  • Memory requests should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
PodDisruptionBudget: postgres-dotgovpass-postgresql-pdb

Spec: no checks applied

Role: hydra-hydra-maester-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: azdev-rb-azdev-sa-5e1944-admin-on-dotgovpass

Spec:

  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: hydra-hydra-maester-role-binding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: postgres-pod

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-5e1944

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpass

Spec: no checks applied

ServiceAccount: hydra

Spec: no checks applied

ServiceAccount: hydra-cronjob-janitor

Spec: no checks applied

ServiceAccount: hydra-hydra-maester-account

Spec: no checks applied

ServiceAccount: hydra-job

Spec: no checks applied

ServiceAccount: kratos-dotgovpasskratos

Spec: no checks applied

ServiceAccount: kratos-dotgovpasskratos-job

Spec: no checks applied

ServiceAccount: postgres-pod

Spec: no checks applied

StatefulSet: dotgovpass-postgresql

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container postgres:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
StatefulSet: kratos-dotgovpasskratos-courier

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container kratos-dotgovpasskratos-courier:

  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Filesystem is read only
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Namespace: dotgovpay

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpay-absa

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container absa:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • Not running as privileged
Deployment: dotgovpay-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
Deployment: dotgovpay-airtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container airtel:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
Deployment: dotgovpay-callbackhandler

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container callbackhandler:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
Deployment: dotgovpay-ecobank

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ecobank:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Image tag is specified
  • Not running as privileged
  • Host port is not configured
  • Readiness probe is configured
Deployment: dotgovpay-ifmis

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container ifmis:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: dotgovpay-izb

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container izb:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • CPU requests should be set
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Deployment: dotgovpay-mtn

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container mtn:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • CPU requests should be set
  • Memory requests should be set
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
Deployment: dotgovpay-payments

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container payments:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
Deployment: dotgovpay-pdf

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container pdf:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Memory requests should be set
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Liveness probe is configured
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
Deployment: dotgovpay-reports

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container reports:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified
Deployment: dotgovpay-stanbicbank

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container stanbicbank:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Host port is not configured
  • Not running as privileged
  • Liveness probe is configured
  • Image tag is specified
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
Deployment: dotgovpay-stanbicbankussd

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container stanbicbankussd:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Image tag is specified
  • Liveness probe is configured
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovpay-tengamobilewallet

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container tengamobilewallet:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Image tag is specified
Deployment: dotgovpay-transactionjunction

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container transactionjunction:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Memory requests should be set
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: dotgovpay-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • CPU requests should be set
  • Memory requests should be set
  • Should not be allowed to run as root
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Host port is not configured
  • Image tag is specified
Deployment: dotgovpay-zamtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container zamtel:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Filesystem should be read only
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Readiness probe is configured
Deployment: dotgovpay-zanaco

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container zanaco:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Ingress: cm-acme-http-solver-b59ss

Spec:

  • Ingress does not have TLS configured
Ingress: dotgovpay-absa

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-absa

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-airtel

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ecobank

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ifmis

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-izb

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-mtn

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-payments

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-pdf

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-reports

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-stanbicbank

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-stanbicbankussd

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-tengamobilewallet

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-transactionjunction

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ui

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-zamtel

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-zanaco

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpay

Spec: no checks applied

Namespace: dotgovpki

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpki-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container admin:

  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpki-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Memory requests should be set
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovpki-mobile

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container mobile:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
Deployment: dotgovpki-systemsmanager

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container systemsmanager:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
Deployment: dotgovpki-systemsmanageradmin

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container systemsmanageradmin:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Not running as privileged
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
Ingress: dotgovpki-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-mobile

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-systemsmanager

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-systemsmanageradmin

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-ae2d84-admin-on-dotgovpki

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-ae2d84

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpki

Spec: no checks applied

Namespace: dotgovshortener

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovshortener-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
Ingress: dotgovshortener-api

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-929f4b-admin-on-dotgovshortener

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-929f4b

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovshortener

Spec: no checks applied

Namespace: dotgovsign

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovsign-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container api:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovsign-ui

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
Ingress: dotgovsign-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovsign-ui

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-843310-admin-on-dotgovsign

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-843310

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovsign

Spec: no checks applied

Namespace: dotgovstyle

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RoleBinding: azdev-rb-azdev-sa-710e30-admin-on-dotgovstyle

Spec:

  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-710e30

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: ingress-nginx

ConfigMap: ingress-nginx-controller

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: ingress-nginx-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container controller:

  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Memory requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Readiness probe is configured
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Image tag is specified
  • CPU requests are set
Role: ingress-nginx

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: ingress-nginx

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: ingress-nginx

Spec: no checks applied

Namespace: kube-node-lease

ConfigMap: kube-root-ca.crt

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: kube-public

ConfigMap: aks-cluster-metadata

Spec: no checks applied

ConfigMap: kube-root-ca.crt

Spec: no checks applied

Role: system:controller:bootstrap-signer

Spec: no checks applied

RoleBinding: system:controller:bootstrap-signer

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: kube-system

ConfigMap: azure-ip-masq-agent-config-reconciled

Spec: no checks applied

ConfigMap: cilium-config

Spec: no checks applied

ConfigMap: cns-config

Spec: no checks applied

ConfigMap: cns-win-config

Spec: no checks applied

ConfigMap: coredns

Spec: no checks applied

ConfigMap: coredns-autoscaler

Spec: no checks applied

ConfigMap: coredns-custom

Spec: no checks applied

ConfigMap: extension-apiserver-authentication

Spec: no checks applied

ConfigMap: konnectivity-agent-autoscaler

Spec: no checks applied

ConfigMap: kube-apiserver-legacy-service-account-token-tracking

Spec: no checks applied

ConfigMap: kube-root-ca.crt

Spec: no checks applied

ConfigMap: overlay-upgrade-data

Spec: no checks applied

DaemonSet: azure-cns

Spec: no checks applied

Pod Spec: no checks applied

Container cni-installer: no checks applied

Container cns-container: no checks applied

DaemonSet: azure-cns-win

Spec: no checks applied

Pod Spec: no checks applied

Container cni-installer: no checks applied

Container cns-container: no checks applied

DaemonSet: azure-ip-masq-agent

Spec: no checks applied

Pod Spec: no checks applied

Container azure-ip-masq-agent: no checks applied

DaemonSet: cilium

Spec: no checks applied

Pod Spec: no checks applied

Container install-cni-binaries: no checks applied

Container mount-cgroup: no checks applied

Container apply-sysctl-overwrites: no checks applied

Container mount-bpf-fs: no checks applied

Container clean-cilium-state: no checks applied

Container block-wireserver: no checks applied

Container cilium-agent: no checks applied

DaemonSet: cloud-node-manager

Spec: no checks applied

Pod Spec: no checks applied

Container cloud-node-manager: no checks applied

DaemonSet: cloud-node-manager-windows

Spec: no checks applied

Pod Spec: no checks applied

Container cloud-node-manager: no checks applied

DaemonSet: csi-azuredisk-node

Spec: no checks applied

Pod Spec: no checks applied

Container liveness-probe: no checks applied

Container node-driver-registrar: no checks applied

Container azuredisk: no checks applied

DaemonSet: csi-azuredisk-node-win

Spec: no checks applied

Pod Spec: no checks applied

Container init: no checks applied

Container node-driver-registrar: no checks applied

Container azuredisk: no checks applied

DaemonSet: csi-azurefile-node

Spec: no checks applied

Pod Spec: no checks applied

Container liveness-probe: no checks applied

Container node-driver-registrar: no checks applied

Container azurefile: no checks applied

DaemonSet: csi-azurefile-node-win

Spec: no checks applied

Pod Spec: no checks applied

Container init: no checks applied

Container node-driver-registrar: no checks applied

Container azurefile: no checks applied

DaemonSet: windows-kube-proxy-initializer

Spec: no checks applied

Pod Spec: no checks applied

Container pause: no checks applied

Deployment: cilium-operator

Spec: no checks applied

Pod Spec: no checks applied

Container cilium-operator: no checks applied

Deployment: coredns

Spec: no checks applied

Pod Spec: no checks applied

Container coredns: no checks applied

Deployment: coredns-autoscaler

Spec: no checks applied

Pod Spec: no checks applied

Container autoscaler: no checks applied

Deployment: konnectivity-agent

Spec: no checks applied

Pod Spec: no checks applied

Container konnectivity-agent: no checks applied

Deployment: konnectivity-agent-autoscaler

Spec: no checks applied

Pod Spec: no checks applied

Container autoscaler: no checks applied

Deployment: metrics-server

Spec: no checks applied

Pod Spec: no checks applied

Container metrics-server-vpa: no checks applied

Container metrics-server: no checks applied

NetworkPolicy: konnectivity-agent

Spec: no checks applied

PodDisruptionBudget: coredns-pdb

Spec: no checks applied

PodDisruptionBudget: konnectivity-agent

Spec: no checks applied

PodDisruptionBudget: metrics-server-pdb

Spec: no checks applied

Role: cert-manager-cainjector:leaderelection

Spec: no checks applied

Role: cert-manager:leaderelection

Spec: no checks applied

Role: extension-apiserver-authentication-reader

Spec: no checks applied

Role: nodeNetConfigEditor

Spec: no checks applied

Role: system::leader-locking-kube-controller-manager

Spec: no checks applied

Role: system::leader-locking-kube-scheduler

Spec: no checks applied

Role: system:controller:bootstrap-signer

Spec: no checks applied

Role: system:controller:cloud-provider

Spec: no checks applied

Role: system:controller:token-cleaner

Spec: no checks applied

Role: system:metrics-server

Spec: no checks applied

RoleBinding: cert-manager-cainjector:leaderelection

Spec: no checks applied

RoleBinding: cert-manager:leaderelection

Spec: no checks applied

RoleBinding: metrics-server-auth-reader

Spec: no checks applied

RoleBinding: metrics-server-binding

Spec: no checks applied

RoleBinding: nodeNetConfigEditorRoleBinding

Spec: no checks applied

RoleBinding: system::extension-apiserver-authentication-reader

Spec: no checks applied

RoleBinding: system::leader-locking-kube-controller-manager

Spec: no checks applied

RoleBinding: system::leader-locking-kube-scheduler

Spec: no checks applied

RoleBinding: system:controller:bootstrap-signer

Spec: no checks applied

RoleBinding: system:controller:cloud-provider

Spec: no checks applied

RoleBinding: system:controller:token-cleaner

Spec: no checks applied

ServiceAccount: attachdetach-controller

Spec: no checks applied

ServiceAccount: azure-cns

Spec: no checks applied

ServiceAccount: bootstrap-signer

Spec: no checks applied

ServiceAccount: certificate-controller

Spec: no checks applied

ServiceAccount: cilium

Spec: no checks applied

ServiceAccount: cilium-operator

Spec: no checks applied

ServiceAccount: cloud-node-manager

Spec: no checks applied

ServiceAccount: clusterrole-aggregation-controller

Spec: no checks applied

ServiceAccount: coredns

Spec: no checks applied

ServiceAccount: coredns-autoscaler

Spec: no checks applied

ServiceAccount: cronjob-controller

Spec: no checks applied

ServiceAccount: csi-azuredisk-node-sa

Spec: no checks applied

ServiceAccount: csi-azurefile-node-sa

Spec: no checks applied

ServiceAccount: daemon-set-controller

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: deployment-controller

Spec: no checks applied

ServiceAccount: disruption-controller

Spec: no checks applied

ServiceAccount: endpoint-controller

Spec: no checks applied

ServiceAccount: endpointslice-controller

Spec: no checks applied

ServiceAccount: endpointslicemirroring-controller

Spec: no checks applied

ServiceAccount: ephemeral-volume-controller

Spec: no checks applied

ServiceAccount: expand-controller

Spec: no checks applied

ServiceAccount: generic-garbage-collector

Spec: no checks applied

ServiceAccount: horizontal-pod-autoscaler

Spec: no checks applied

ServiceAccount: job-controller

Spec: no checks applied

ServiceAccount: konnectivity-agent

Spec: no checks applied

ServiceAccount: konnectivity-agent-autoscaler

Spec: no checks applied

ServiceAccount: legacy-service-account-token-cleaner

Spec: no checks applied

ServiceAccount: metrics-server

Spec: no checks applied

ServiceAccount: namespace-controller

Spec: no checks applied

ServiceAccount: node-controller

Spec: no checks applied

ServiceAccount: persistent-volume-binder

Spec: no checks applied

ServiceAccount: pod-garbage-collector

Spec: no checks applied

ServiceAccount: pv-protection-controller

Spec: no checks applied

ServiceAccount: pvc-protection-controller

Spec: no checks applied

ServiceAccount: replicaset-controller

Spec: no checks applied

ServiceAccount: replication-controller

Spec: no checks applied

ServiceAccount: resourcequota-controller

Spec: no checks applied

ServiceAccount: root-ca-cert-publisher

Spec: no checks applied

ServiceAccount: service-account-controller

Spec: no checks applied

ServiceAccount: statefulset-controller

Spec: no checks applied

ServiceAccount: token-cleaner

Spec: no checks applied

ServiceAccount: ttl-after-finished-controller

Spec: no checks applied

ServiceAccount: ttl-controller

Spec: no checks applied

ServiceAccount: validatingadmissionpolicy-status-controller

Spec: no checks applied

Namespace: kuma-uptime

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-manager-scripts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-argocd-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-argocd-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-cloudadmin-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-default-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-default-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovdocs-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovdocs-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovengine-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovengine-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovframework-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovnotify-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovnotify-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpass-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpass-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpay-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpay-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpki-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpki-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovshortener-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovshortener-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovsign-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovsign-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-echo-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ecouncil-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-opensearch-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-polaris-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-polaris-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamlog-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: kuma-uptime

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container kuma-uptime:

  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Not running as privileged

Container kuma-manager:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Image tag is specified
  • Host port is not configured
  • CPU requests are set
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
Ingress: kuma-uptime

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

Namespace: playwright

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RoleBinding: azdev-rb-azdev-sa-836f16-admin-on-playwright

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-836f16

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: polaris

ConfigMap: kube-root-ca.crt

Spec: no checks applied

ConfigMap: polaris

Spec: no checks applied

Deployment: polaris-dashboard

Spec: no checks applied

Pod Spec: no checks applied

Container dashboard: no checks applied

Ingress: polaris

Spec: no checks applied

PodDisruptionBudget: polaris-dashboard

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: polaris

Spec: no checks applied

Namespace: postgres-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: postgres-operator

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container postgres-operator:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe is configured
  • Image tag is specified
  • CPU requests are set
  • Memory requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Filesystem is read only
  • Not running as privileged
  • Is not allowed to run as root
  • Privilege escalation not allowed
ServiceAccount: default

Spec: no checks applied

ServiceAccount: postgres-operator

Spec: no checks applied

Namespace: rabbitmq-ha

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: rabbitmq-ha-plugins-conf

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: rabbitmq-ha-server-conf

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RabbitmqCluster: rabbitmq-ha

Spec: no checks applied

Role: rabbitmq-ha-peer-discovery

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: rabbitmq-ha-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: rabbitmq-ha-server

Spec: no checks applied

Namespace: rabbitmq-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container rabbitmq-cluster-operator:

  • Image pull policy should be "Always"
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Not running as privileged
  • Memory requests are set
  • Readiness probe is configured
  • Image tag is specified
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Container does not have any insecure capabilities
  • Filesystem is read only
Deployment: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container rabbitmq-cluster-operator:

  • The container sets potentially sensitive environment variables
  • Image pull policy should be "Always"
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Readiness probe is configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Liveness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • CPU requests are set
NetworkPolicy: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

NetworkPolicy: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

PodDisruptionBudget: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

PodDisruptionBudget: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

Role: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

ServiceAccount: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

Namespace: redis-ha

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

StatefulSet: redis-ha

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container redis-ha:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Image tag is specified
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables

Namespace: redis-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: redis-operator

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container redis-operator:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Liveness probe is configured
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • Not running as privileged
  • CPU requests are set
ServiceAccount: default

Spec: no checks applied

ServiceAccount: redis-operator

Spec: no checks applied

Namespace: reloader

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: reloader-meta-info

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: reloader-reloader

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container reloader-reloader:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Memory requests are set
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • Is not allowed to run as root
Role: reloader-reloader-metadata-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: reloader-reloader-metadata-role-binding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: reloader-reloader

Spec: no checks applied

Namespace: vpa

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: vpa-admission-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container vpa:

  • Liveness probe is configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
  • Image tag is specified
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Readiness probe is configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Not running as privileged
  • CPU requests are set
  • Container does not have any dangerous capabilities
Deployment: vpa-recommender

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container vpa:

  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Image pull policy is "Always"
  • Readiness probe is configured
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: vpa-updater

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container vpa:

  • Image pull policy is "Always"
  • Memory requests are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • CPU requests are set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
ServiceAccount: default

Spec: no checks applied

ServiceAccount: vpa-admission-controller

Spec: no checks applied

ServiceAccount: vpa-recommender

Spec: no checks applied

ServiceAccount: vpa-updater

Spec: no checks applied