Cluster Overview: https://10.0.0.1:443

Smooth sailing within sight
Grade: C-
Score: 72%

Score is the percentage of passing checks. Warnings get half the weight of dangerous checks.

  • 2097 passing checks
  • 1129 warning checks
  • 251 dangerous checks

Results by Category

Efficiency

Score: 57%

Configuring resource requests and limits for workloads running in Kubernetes helps ensure that every container will have access to all the resources it needs. These are also a crucial part of cluster autoscaling logic, as new nodes are only spun up when there is insufficient capacity on existing infrastructure for new pod(s). By default, Polaris validates that resource requests and limits are set; it also includes optional functionality to ensure these requests and limits fall within specified ranges. Refer to the Polaris documentation about Efficiency for more information.

Reliability

Score: 66%

Kubernetes is built to reliably run highly available applications. Polaris includes a number of checks to ensure that you are maximizing the reliability potential of Kubernetes. Refer to the Polaris documentation about Reliability for more information.

Security

Score: 68%

Kubernetes provides a great deal of configurability when it comes to the security of your workloads. A key principle here involves limiting the level of access any individual workload has. Polaris has validations for a number of best practices, mostly focused on ensuring that unnecessary access has not been granted to an application workload. Refer to the Polaris documentation about Security for more information.

Cluster Resources

ClusterRole: acn-multitenancy-editor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: aks-service

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: appmonitoringconfig-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-application-controller

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: argocd-server

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: cert-manager-cainjector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cluster-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificates

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-challenges

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-issuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-orders

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cilium

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cilium-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cloud-node-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cluster-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: container-health-log-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: csi-azuredisk-node-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: csi-azurefile-node-secret-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: hydra-hydra-maester-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: ingress-nginx

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: pod-reader-all-namespaces

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: polaris

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: postgres-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: postgres-pod

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: redis-operator

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: reloader-reloader-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:auth-delegator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:azure-cloud-provider

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:azure-cloud-provider-secret-getter

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:basic-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:nodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kubelet-serving-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:legacy-unknown-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:attachdetach-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:certificate-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:cronjob-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:daemon-set-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:deployment-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:disruption-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpoint-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslice-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:expand-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:generic-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:job-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:namespace-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:node-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:persistent-volume-binder

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pod-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pv-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pvc-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replicaset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replication-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resourcequota-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:route-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-account-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:statefulset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:heapster

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:konnectivity-agent-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-aggregator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-dns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kubelet-api-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:metrics-server

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:monitoring

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-bootstrapper

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-problem-detector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-proxier

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-provisioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-secret-operator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:prometheus

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:public-info-viewer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:service-account-issuer-discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:volume-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-admission-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-checkpoint-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-evictioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-actor

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-status-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: vpa-target-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRoleBinding: acn-multitenancy-editor-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: aks-cluster-admin-binding

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: aks-cluster-admin-binding-aad

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: aks-service-rolebinding

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: appmonitoringconfig-user-global

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: argocd-application-controller

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: argocd-server

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: auto-approve-csrs-for-group

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: auto-approve-renewals-for-nodes

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-cainjector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificates

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-challenges

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-issuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-orders

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cilium

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cilium-operator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cloud-node-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cluster-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: container-health-read-logs-global

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: create-csrs-for-bootstrapping

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: csi-azuredisk-node-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: csi-azurefile-node-secret-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: hydra-hydra-maester-role-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: ingress-nginx

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metrics-server:system:auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: pod-reader-all-namespaces-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: polaris

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris-view

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: postgres-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: rabbitmq-operator-rabbitmq-cluster-operator-rabbitmq-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: rabbitmq-operator-rabbitmq-messaging-topology-operator-rabbitmq

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: redis-operator

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: reloader-reloader-role-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:aks-client-node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:azure-cloud-provider

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:azure-cloud-provider-secret-getter

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:basic-user

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:attachdetach-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:certificate-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:cronjob-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:daemon-set-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:deployment-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:disruption-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:endpoint-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslice-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:expand-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:generic-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:job-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:namespace-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:node-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:persistent-volume-binder

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pod-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pv-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pvc-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replicaset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replication-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:resourcequota-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:route-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-account-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:statefulset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:discovery

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:konnectivity-agent-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-dns

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:kube-scheduler

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:metrics-server

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:monitoring

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:persistent-volume-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:prometheus

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:public-info-viewer

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:service-account-issuer-discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:volume-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-admission-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-checkpoint-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-evictionter-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: vpa-metrics-reader

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-actor

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: vpa-status-reader-binding

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: vpa-target-reader-binding

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach

Namespace: adminconsole

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: mongodb-charts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: adminconsole-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image tag is specified
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
Ingress: adminconsole-ui

Spec:

  • Ingress has TLS configured
ServiceAccount: adminconsole

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: aks-command

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: argocd

ConfigMap: argocd-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-cmd-params-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-gpg-keys-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-notifications-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-rbac-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-ssh-known-hosts-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-tls-certs-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: argocd-applicationset-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-applicationset-controller:

  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Host port is not configured
  • Image pull policy is "Always"
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
Deployment: argocd-dex-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container copyutil:

  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Not running as privileged
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities

Container dex:

  • CPU requests should be set
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Is not allowed to run as root
  • Host port is not configured
  • Image pull policy is "Always"
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
Deployment: argocd-notifications-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-notifications-controller:

  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Image tag is specified
  • Is not allowed to run as root
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
Deployment: argocd-redis

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • A NetworkPolicy matches pod labels and contains egress and ingress rules

Container redis:

  • Liveness probe should be configured
  • Memory requests should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • CPU requests should be set
  • Container does not have any insecure capabilities
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
Deployment: argocd-repo-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • The ServiceAccount will not be automounted
  • Host IPC is not configured

Container copyutil:

  • Image pull policy should be "Always"
  • Is not allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Not running as privileged

Container argocd-repo-server:

  • Memory requests should be set
  • CPU requests should be set
  • Filesystem is read only
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Image pull policy is "Always"
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: argocd-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-server:

  • CPU requests should be set
  • Memory requests should be set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Filesystem is read only
  • Image pull policy is "Always"
  • Is not allowed to run as root
Ingress: argocd-server-ingress

Spec:

  • Ingress has TLS configured
NetworkPolicy: argocd-application-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-applicationset-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-dex-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-notifications-controller-network-policy

Spec: no checks applied

NetworkPolicy: argocd-redis-network-policy

Spec: no checks applied

NetworkPolicy: argocd-repo-server-network-policy

Spec: no checks applied

NetworkPolicy: argocd-server-network-policy

Spec: no checks applied

Role: argocd-application-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-applicationset-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-dex-server

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-notifications-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-server

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: argocd-application-controller

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: argocd-applicationset-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-dex-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-notifications-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-redis

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: argocd-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: argocd-application-controller

Spec: no checks applied

ServiceAccount: argocd-applicationset-controller

Spec: no checks applied

ServiceAccount: argocd-dex-server

Spec: no checks applied

ServiceAccount: argocd-notifications-controller

Spec: no checks applied

ServiceAccount: argocd-redis

Spec: no checks applied

ServiceAccount: argocd-repo-server

Spec: no checks applied

ServiceAccount: argocd-server

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

StatefulSet: argocd-application-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container argocd-application-controller:

  • Memory requests should be set
  • CPU requests should be set
  • Liveness probe should be configured
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Readiness probe is configured

Namespace: azure-agent

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgov-test-agent

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgov-test-agent:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image tag should be specified
  • Privilege escalation should not be allowed
  • Liveness probe should be configured
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Image pull policy is "Always"
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
ServiceAccount: default

Spec: no checks applied

Namespace: cert-manager

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cert-manager

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-controller:

  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Not running as privileged
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Is not allowed to run as root
  • Host port is not configured
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: cert-manager-cainjector

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-cainjector:

  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Readiness probe should be configured
  • Memory requests should be set
  • Host port is not configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • Image tag is specified
Deployment: cert-manager-webhook

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container cert-manager-webhook:

  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Liveness probe is configured
  • Filesystem is read only
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged

Role: cert-manager-webhook:dynamic-serving

Spec:

  • The Role does not allow pods/exec or pods/attach

RoleBinding: cert-manager-webhook:dynamic-serving

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions

ServiceAccount: cert-manager

Spec: no checks applied

ServiceAccount: cert-manager-cainjector

Spec: no checks applied

ServiceAccount: cert-manager-webhook

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: cloudadmin

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

RoleBinding: azdev-rb-azdev-sa-6aa184-admin-on-cloudadmin

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach

ServiceAccount: azdev-sa-6aa184

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: default

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: kuma-manager-scripts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ServiceAccount: default

Spec: no checks applied

Namespace: dge

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ServiceAccount: default

Spec: no checks applied

Namespace: dotgovadmin

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ServiceAccount: default

Spec: no checks applied

Namespace: dotgovdocs

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: dotgovdocs-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • Container does not have any dangerous capabilities

Ingress: dotgovdocs-api

Spec:

  • Ingress has TLS configured

RoleBinding: azdev-rb-azdev-sa-4aa615-admin-on-dotgovdocs

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach

ServiceAccount: azdev-sa-4aa615

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovdocs

Spec: no checks applied

Namespace: dotgovengine

ConfigMap: eservices-dgf-dotgovengine-api

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: eservices-dgf-dotgovengine-ui

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: eservices-dgf-dotgovengine-web

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: intranet-dgf-dotgovengine-api

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: intranet-dgf-dotgovengine-ui

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: intranet-dgf-dotgovengine-web

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: eservices-dgf-dotgovengine-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-api:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Memory requests are set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified

Deployment: eservices-dgf-dotgovengine-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities

Deployment: eservices-dgf-dotgovengine-web

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • The ServiceAccount will not be automounted
  • Host IPC is not configured

Container dotgovengine-web:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Host port is not configured
  • Liveness probe is configured
  • Memory requests are set
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Not running as privileged

Deployment: intranet-dgf-dotgovengine-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Host port is not configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged

Deployment: intranet-dgf-dotgovengine-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured

Container dotgovengine-ui:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Not running as privileged
  • CPU requests are set
  • Host port is not configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities

Deployment: intranet-dgf-dotgovengine-web

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovengine-web:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • CPU requests are set
  • Liveness probe is configured
  • Memory requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • The container does not set potentially sensitive environment variables

Ingress: eservices-dgf-dotgovengine-api

Spec:

  • Ingress has TLS configured

Ingress: eservices-dgf-dotgovengine-ui

Spec:

  • Ingress has TLS configured

Ingress: eservices-dgf-dotgovengine-web

Spec:

  • Ingress has TLS configured

Ingress: intranet-dgf-dotgovengine-api

Spec:

  • Ingress has TLS configured

Ingress: intranet-dgf-dotgovengine-ui

Spec:

  • Ingress has TLS configured

RoleBinding: azdev-rb-azdev-sa-05973c-admin-on-dotgovengine

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach

ServiceAccount: azdev-sa-05973c

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: eservices-dgf-dotgovengine

Spec: no checks applied

ServiceAccount: intranet-dgf-dotgovengine

Spec: no checks applied

Namespace: dotgovframework

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: dotgovframework-backofficeapi

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container workspace-webasm:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured

Container workspace-zims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container workspace-applibs:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified

Container backofficeapi:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Filesystem should be read only
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • CPU requests are set
  • Memory requests are set
  • Not running as privileged

Deployment: dotgovframework-backofficeui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container backofficeui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Image tag is specified
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Host port is not configured
  • Not running as privileged
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities

Deployment: dotgovframework-frontofficeapi

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container workspace-webasm:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container workspace-zims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified

Container workspace-applibs:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables

Container frontofficeapi:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Readiness probe is configured
  • Host port is not configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • CPU requests are set
  • Liveness probe is configured

Deployment: dotgovframework-frontofficeui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container frontofficeui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • CPU requests are set
  • Memory requests are set
  • Readiness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged

Ingress: dotgovframework-backofficeapi

Spec:

  • Ingress has TLS configured

Ingress: dotgovframework-backofficeui

Spec:

  • Ingress has TLS configured

Ingress: dotgovframework-frontofficeapi

Spec:

  • Ingress has TLS configured

Ingress: dotgovframework-frontofficeui

Spec:

  • Ingress has TLS configured

RoleBinding: azdev-rb-azdev-sa-2b7fa7-admin-on-dotgovframework

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role allowing Pod exec or attach

ServiceAccount: azdev-sa-2b7fa7

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovframework

Spec: no checks applied

Namespace: dotgovmobileid

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ServiceAccount: default

Spec: no checks applied

Namespace: dotgovnotify

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: dotgovnotify-admin

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Image tag is specified
  • Liveness probe is configured
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities

Deployment: dotgovnotify-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Readiness probe is configured
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities

Deployment: dotgovnotify-firebase

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container firebase:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image tag should be specified
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Liveness probe is configured

Deployment: dotgovnotify-jobservice

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container jobservice:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image tag should be specified
  • Filesystem should be read only
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Memory requests should be set
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged

Deployment: dotgovnotify-otp

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container otp:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • CPU requests should be set
  • Host port is not configured
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Readiness probe is configured
  • Image tag is specified

Deployment: dotgovnotify-preferences

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container preferences:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Memory requests should be set
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Filesystem should be read only
  • Image tag is specified
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured

Deployment: dotgovnotify-sendgrid

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container sendgrid:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
Deployment: dotgovnotify-telegram

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container telegram:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: dotgovnotify-templates

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container templates:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
Deployment: dotgovnotify-twiliosms

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container twiliosms:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image tag should be specified
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovnotify-twiliowhatsapp

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container twiliowhatsapp:

  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovnotify-zamtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container zamtel:

  • Image tag should be specified
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
Ingress: dotgovnotify-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-otp

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-preferences

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-sendgrid

Spec:

  • Ingress has TLS configured
Ingress: dotgovnotify-templates

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-9bc333-admin-on-dotgovnotify

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-9bc333

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovnotify

Spec: no checks applied

Namespace: dotgovpass

ConfigMap: hydra

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: hydra-migrate

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kratos-dotgovpasskratos-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kratos-dotgovpasskratos-migrate

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpass-admin

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
Deployment: dotgovpass-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Readiness probe is configured
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: dotgovpass-claims

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container claims:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
Deployment: dotgovpass-ui

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Should not be allowed to run as root
  • Liveness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: hydra

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container hydra:

  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Liveness probe should be configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Filesystem is read only
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Host port is not configured
  • Image tag is specified
Deployment: hydra-hydra-maester

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container hydra-maester:

  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Not running as privileged
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Image tag is specified
  • Is not allowed to run as root
Deployment: kratos-dotgovpasskratos

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container dotgovpasskratos:

  • Image pull policy should be "Always"
  • Memory requests should be set
  • CPU requests should be set
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Filesystem is read only
  • Is not allowed to run as root
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
Ingress: dotgovpass-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-claims

Spec:

  • Ingress has TLS configured
Ingress: dotgovpass-ui

Spec:

  • Ingress has TLS configured
Ingress: hydra-admin

Spec:

  • Ingress has TLS configured
Ingress: hydra-public

Spec:

  • Ingress has TLS configured
Ingress: kratos-dotgovpasskratos-admin

Spec:

  • Ingress has TLS configured
Ingress: kratos-dotgovpasskratos-public

Spec:

  • Ingress has TLS configured
Job: hydra-automigrate

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container hydra-automigrate:

  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Container does not have any dangerous capabilities
PodDisruptionBudget: postgres-dotgovpass-postgresql-pdb

Spec: no checks applied

Role: hydra-hydra-maester-role

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: azdev-rb-azdev-sa-5e1944-admin-on-dotgovpass

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: hydra-hydra-maester-role-binding

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: postgres-pod

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-5e1944

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpass

Spec: no checks applied

ServiceAccount: hydra

Spec: no checks applied

ServiceAccount: hydra-cronjob-janitor

Spec: no checks applied

ServiceAccount: hydra-hydra-maester-account

Spec: no checks applied

ServiceAccount: hydra-job

Spec: no checks applied

ServiceAccount: kratos-dotgovpasskratos

Spec: no checks applied

ServiceAccount: kratos-dotgovpasskratos-job

Spec: no checks applied

ServiceAccount: postgres-pod

Spec: no checks applied

StatefulSet: dotgovpass-postgresql

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container postgres:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Memory requests are set
StatefulSet: kratos-dotgovpasskratos-courier

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container kratos-dotgovpasskratos-courier:

  • Image pull policy should be "Always"
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only

Namespace: dotgovpay

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpay-absa

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container absa:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Deployment: dotgovpay-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container admin:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpay-airtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container airtel:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Image tag is specified
Deployment: dotgovpay-callbackhandler

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container callbackhandler:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
Deployment: dotgovpay-ecobank

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ecobank:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Liveness probe is configured
  • Image tag is specified
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
Deployment: dotgovpay-ifmis

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container ifmis:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Readiness probe is configured
Deployment: dotgovpay-izb

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container izb:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpay-mtn

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container mtn:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
Deployment: dotgovpay-payments

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container payments:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Not running as privileged
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
Deployment: dotgovpay-pdf

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container pdf:

  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • Readiness probe is configured
  • Image tag is specified
  • Liveness probe is configured
Deployment: dotgovpay-reports

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container reports:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
Deployment: dotgovpay-stanbicbank

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container stanbicbank:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Readiness probe is configured
Deployment: dotgovpay-stanbicbankussd

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container stanbicbankussd:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Not running as privileged
  • Host port is not configured
  • Liveness probe is configured
  • Image tag is specified
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
Deployment: dotgovpay-tengamobilewallet

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container tengamobilewallet:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Memory requests should be set
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Liveness probe is configured
  • Host port is not configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: dotgovpay-transactionjunction

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container transactionjunction:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
Deployment: dotgovpay-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Should not be allowed to run as root
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: dotgovpay-zamtel

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container zamtel:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpay-zanaco

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container zanaco:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Memory requests should be set
  • CPU requests should be set
  • Host port is not configured
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
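The same pod- and container-level findings recur on every Deployment in this namespace. The Python below is an added example, not Polaris's code and not a manifest from this cluster: it reimplements those checks over two constructed pod templates, one that reproduces the report's failures and one hardened so that every check passes. The capability lists follow Polaris's documented defaults (an assumption), the automount check looks only at the pod (Polaris also honours `automountServiceAccountToken: false` on the ServiceAccount), and the NetworkPolicy, PodDisruptionBudget and label checks are left out because they need objects beyond the pod template. Image, namespace and secret names are placeholders.

```python
import re

# Capability lists follow Polaris' documented defaults (assumption, quoted from memory).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN"}
INSECURE_CAPS = {"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
                 "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE"}
SENSITIVE_ENV = re.compile(r"(?i)passw(or)?d|secret|token|api[_-]?key|private[_-]?key")


def check_container(c: dict, pod: dict) -> list[str]:
    """Container-level checks; failure text copied from the report where it shows one."""
    sc = c.get("securityContext") or {}
    pod_sc = pod["spec"].get("securityContext") or {}   # container settings override pod settings
    caps = sc.get("capabilities") or {}
    added, dropped = set(caps.get("add") or []), set(caps.get("drop") or [])
    annotations = pod.get("metadata", {}).get("annotations", {})
    findings = []
    # linuxHardening: seccomp, AppArmor, SELinux or dropping ALL capabilities; any one satisfies it
    if not ("ALL" in dropped or sc.get("seccompProfile") or pod_sc.get("seccompProfile")
            or sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions")
            or f"container.apparmor.security.beta.kubernetes.io/{c['name']}" in annotations):
        findings.append("Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities "
                        "to restrict containers using unwanted privileges")
    if sc.get("privileged"):
        findings.append("Should not be running as privileged")
    if sc.get("allowPrivilegeEscalation", True):        # the API default is true
        findings.append("Privilege escalation should not be allowed")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("Filesystem should be read only")
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
    if not non_root and uid == 0:
        findings.append("Should not be allowed to run as root")
    if added & DANGEROUS_CAPS:
        findings.append("Container should not have dangerous capabilities")
    if added & INSECURE_CAPS or not ("ALL" in dropped or INSECURE_CAPS <= dropped):
        findings.append("Container should not have insecure capabilities")
    requests = (c.get("resources") or {}).get("requests") or {}
    findings += [f"{r} requests should be set" for r in ("CPU", "Memory") if r.lower() not in requests]
    if c.get("imagePullPolicy") != "Always":
        findings.append('Image pull policy should be "Always"')
    ref = c.get("image", "").rsplit("/", 1)[-1]         # strip registry and repository path
    if not ("@sha256:" in ref or (":" in ref and not ref.endswith(":latest"))):
        findings.append("Image tag should be specified")
    findings += [f"{p[:-5].capitalize()} probe should be configured"
                 for p in ("livenessProbe", "readinessProbe") if p not in c]
    if any(p.get("hostPort") for p in c.get("ports", [])):
        findings.append("Host port should not be configured")
    # a sensitive-looking name with a literal value fails; a secretKeyRef under valueFrom passes
    if any("value" in e and SENSITIVE_ENV.search(e["name"]) for e in c.get("env", [])):
        findings.append("The container sets potentially sensitive environment variables")
    return findings


def check_pod(pod: dict) -> list[str]:
    """Pod-level checks, then every container's findings prefixed with its name."""
    spec, findings = pod["spec"], []
    if spec.get("automountServiceAccountToken", True):  # Polaris also honours the ServiceAccount's setting
        findings.append("The ServiceAccount will be automounted")
    findings += [f"Host {n} should not be configured"
                 for f, n in (("hostNetwork", "network"), ("hostPID", "PID"), ("hostIPC", "IPC")) if spec.get(f)]
    if not spec.get("priorityClassName"):
        findings.append("Priority class should be set")
    if not spec.get("topologySpreadConstraints"):
        findings.append("Pod should be configured with a valid topology spread constraint")
    for c in spec.get("containers", []):
        findings += [f"{c['name']}: {m}" for m in check_container(c, pod)]
    return findings


PROBES = {"livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
          "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}

# Constructed pod template reproducing the report's failing checks (not the cluster's real manifest).
BEFORE = {"metadata": {"name": "payments"}, "spec": {"containers": [{
    "name": "payments", "image": "registry.example/dotgovpay/payments:1.4.2",
    "imagePullPolicy": "IfNotPresent", "ports": [{"containerPort": 8080}],
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}], **PROBES}]}}

# The same template with the minimum changes that make every check above pass.
AFTER = {"metadata": {"name": "payments"}, "spec": {
    "automountServiceAccountToken": False, "priorityClassName": "workload-normal",
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "topologySpreadConstraints": [{"maxSkew": 1, "topologyKey": "kubernetes.io/hostname",
                                   "whenUnsatisfiable": "ScheduleAnyway",
                                   "labelSelector": {"matchLabels": {"app": "payments"}}}],
    "containers": [{
        "name": "payments", "image": "registry.example/dotgovpay/payments:1.4.2",
        "imagePullPolicy": "Always", "ports": [{"containerPort": 8080}],
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}, "limits": {"cpu": "500m", "memory": "256Mi"}},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}}],
        **PROBES}]}}


def audit() -> dict[str, list[str]]:
    """Failing checks per template; the hardened one comes back empty."""
    return {"before": check_pod(BEFORE), "after": check_pod(AFTER)}
```

The hardened template does the minimum per finding: `runAsNonRoot` with a fixed UID at pod level, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` (mount an `emptyDir` on any path the process writes to), `capabilities.drop: [ALL]`, which also satisfies the Linux-hardening check, a `RuntimeDefault` seccomp profile, requests and limits, `imagePullPolicy: Always` on a pinned tag, and the credential moved from a literal `value` to a `secretKeyRef`. Polaris only reads the manifest: moving the secret into `valueFrom` clears the finding, but the value still lands in the container's environment, so anything that dumps `/proc/self/environ` or logs the environment on a crash still exposes it; a mounted Secret volume or a workload-identity token avoids that.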
Ingress: cm-acme-http-solver-b59ss

Spec:

  • Ingress does not have TLS configured
Ingress: dotgovpay-absa

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-airtel

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ecobank

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ifmis

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-izb

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-mtn

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-payments

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-pdf

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-reports

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-stanbicbank

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-stanbicbankussd

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-tengamobilewallet

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-transactionjunction

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-ui

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-zamtel

Spec:

  • Ingress has TLS configured
Ingress: dotgovpay-zanaco

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpay

Spec: no checks applied

Namespace: dotgovpki

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovpki-admin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container admin:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • Not running as privileged
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Host port is not configured
  • Image tag is specified
Deployment: dotgovpki-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • CPU requests should be set
  • Filesystem should be read only
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
Deployment: dotgovpki-mobile

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container mobile:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Filesystem should be read only
  • Memory requests should be set
  • Host port is not configured
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
Deployment: dotgovpki-systemsmanager

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container systemsmanager:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Readiness probe is configured
Deployment: dotgovpki-systemsmanageradmin

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container systemsmanageradmin:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • The container sets potentially sensitive environment variables
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests should be set
  • Not running as privileged
  • Readiness probe is configured
  • Host port is not configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
Ingress: dotgovpki-admin

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-mobile

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-systemsmanager

Spec:

  • Ingress has TLS configured
Ingress: dotgovpki-systemsmanageradmin

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-ae2d84-admin-on-dotgovpki

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
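The four RoleBinding findings above, and the identical ones on the azdev-rb-azdev-sa-*-admin-on-<namespace> bindings in dotgovshortener, dotgovsign and dotgovstyle, come from a namespaced binding whose roleRef points at cluster-admin or a wildcard ClusterRole. The Python below is an added example, not Polaris's code and not this cluster's RBAC: it reimplements the four checks over constructed Role, ClusterRole and RoleBinding objects, shows the pair of findings a binding to `cluster-admin` produces, the finding a dangling roleRef produces, and a least-privilege Role that clears all four. What counts as a wildcard (any `*` in a rule's verbs or resources) and as exec/attach (`create` or `get` on `pods/exec` or `pods/attach`) is my reading of the checks, not Polaris's exact schema; the ServiceAccount and binding names are placeholders.

```python
EXEC_ATTACH = {"pods/exec", "pods/attach"}


def _wildcard(rules: list[dict]) -> bool:
    # Assumption about what Polaris counts as a wildcard: any "*" in a rule's verbs or resources.
    return any("*" in r.get("verbs", []) or "*" in r.get("resources", []) for r in rules)


def _exec_or_attach(rules: list[dict]) -> bool:
    # pods/exec and pods/attach are subresources; create (or get, on the websocket path) opens a session
    for r in rules:
        resources, verbs = set(r.get("resources", [])), set(r.get("verbs", []))
        if (resources & EXEC_ATTACH or "*" in resources) and (verbs & {"create", "get"} or "*" in verbs):
            return True
    return False


def check_rolebinding(rb: dict, roles: dict, cluster_roles: dict) -> list[str]:
    """The four RoleBinding checks from the report, evaluated against the referenced role's rules."""
    ref, ns, findings = rb["roleRef"], rb["metadata"]["namespace"], []
    if ref["kind"] == "ClusterRole":
        cr = cluster_roles.get(ref["name"])
        if ref["name"] == "cluster-admin" or (cr is not None and _wildcard(cr["rules"])):
            findings.append("The RoleBinding references the default cluster-admin ClusterRole "
                            "or one with wildcard permissions")
        if cr is None or _exec_or_attach(cr["rules"]):      # a missing ClusterRole is flagged too
            findings.append("The RoleBinding references a ClusterRole that allows pods/exec, "
                            "allows pods/attach, or that does not exist")
    else:
        role = roles.get((ns, ref["name"]))                  # Roles are namespaced, so key on both
        if role is not None and _wildcard(role["rules"]):
            findings.append("The RoleBinding references a Role with wildcard permissions")
        if role is not None and _exec_or_attach(role["rules"]):
            findings.append("The RoleBinding references a Role allowing pod exec or attach")
    return findings


# Constructed RBAC objects (keyed by name, or (namespace, name) for Roles); not the cluster's real ones.
CLUSTER_ROLES = {
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                                {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
}
ROLES = {
    # Least-privilege replacement: roll out deployments, read pods and logs; no exec/attach, no secrets.
    ("dotgovpki", "deployer"): {"rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ]},
}
SUBJECT = [{"kind": "ServiceAccount", "name": "azdev-sa-example", "namespace": "dotgovpki"}]
BINDINGS = [
    {"metadata": {"name": "azdev-admin", "namespace": "dotgovpki"}, "subjects": SUBJECT,
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}},
    {"metadata": {"name": "azdev-deployer", "namespace": "dotgovpki"}, "subjects": SUBJECT,
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "deployer"}},
    {"metadata": {"name": "stale", "namespace": "dotgovpki"}, "subjects": SUBJECT,
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "removed-role"}},
]


def audit_bindings(bindings=BINDINGS, roles=ROLES, cluster_roles=CLUSTER_ROLES) -> dict[str, list[str]]:
    """Findings per RoleBinding name."""
    return {b["metadata"]["name"]: check_rolebinding(b, roles, cluster_roles) for b in bindings}
```

A RoleBinding to `cluster-admin` is scoped to its own namespace, so the subject does not gain cluster-wide power, but inside that namespace it can read every Secret, exec into every pod and rewrite every workload; in a PKI namespace that is the signing material itself. The dangling case is worth keeping in the check: a binding to a ClusterRole that no longer exists grants nothing today, but anyone who can create a ClusterRole with that name silently re-activates it.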
ServiceAccount: azdev-sa-ae2d84

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovpki

Spec: no checks applied

Namespace: dotgovshortener

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovshortener-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container api:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • CPU requests should be set
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Ingress: dotgovshortener-api

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-929f4b-admin-on-dotgovshortener

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-929f4b

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovshortener

Spec: no checks applied

Namespace: dotgovsign

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: dotgovsign-api

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container api:

  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Host port is not configured
  • Image tag is specified
  • Readiness probe is configured
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Not running as privileged
Deployment: dotgovsign-ui

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container ui:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • The container sets potentially sensitive environment variables
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Filesystem should be read only
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Readiness probe is configured
Ingress: dotgovsign-api

Spec:

  • Ingress has TLS configured
Ingress: dotgovsign-ui

Spec:

  • Ingress has TLS configured
RoleBinding: azdev-rb-azdev-sa-843310-admin-on-dotgovsign

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-843310

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: dotgovsign

Spec: no checks applied

Namespace: dotgovstyle

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RoleBinding: azdev-rb-azdev-sa-710e30-admin-on-dotgovstyle

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-710e30

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: ingress-nginx

ConfigMap: ingress-nginx-controller

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: ingress-nginx-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container controller:

  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Memory requests are set
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Image tag is specified
  • CPU requests are set
  • Readiness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
Role: ingress-nginx

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: ingress-nginx

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: ingress-nginx

Spec: no checks applied

Namespace: kube-node-lease

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: kube-public

ConfigMap: aks-cluster-metadata

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

Namespace: kube-system

ConfigMap: azure-ip-masq-agent-config-reconciled

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cilium-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cns-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cns-win-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns-autoscaler

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns-custom

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: extension-apiserver-authentication

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: konnectivity-agent-autoscaler

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-apiserver-legacy-service-account-token-tracking

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: overlay-upgrade-data

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: azure-cns

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • Priority class has been set
  • Host IPC is not configured
  • Host PID is not configured

Container cni-installer:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities

Container cns-container:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Readiness probe is configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • Liveness probe is configured
  • Memory requests are set
DaemonSet: azure-cns-win

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Priority class has been set
  • Host IPC is not configured
  • Host PID is not configured

Container cni-installer:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container cns-container:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be running as privileged
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Readiness probe is configured
  • Liveness probe is configured
  • Image tag is specified
DaemonSet: azure-ip-masq-agent

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host network should not be configured
  • Host IPC is not configured
  • Host PID is not configured
  • Priority class has been set
  • The ServiceAccount will not be automounted

Container azure-ip-masq-agent:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Should not be allowed to run as root
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • Memory requests are set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
DaemonSet: cilium

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • Priority class has been set
  • Host IPC is not configured
  • Host PID is not configured

Container install-cni-binaries:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified

Container mount-cgroup:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container apply-sysctl-overwrites:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container mount-bpf-fs:

  • Should not be running as privileged
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Image tag is specified
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities

Container clean-cilium-state:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Host port is not configured

Container block-wireserver:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities

Container cilium-agent:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Memory requests should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Host port should not be configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • Liveness probe is configured
DaemonSet: cloud-node-manager

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • Host network should not be configured
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Priority class has been set
  • Host IPC is not configured

Container cloud-node-manager:

  • Privilege escalation should not be allowed
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Memory requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any dangerous capabilities
  • Image tag is specified
DaemonSet: cloud-node-manager-windows

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • Host network should not be configured
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • Priority class has been set

Container cloud-node-manager:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Liveness probe should be configured
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • CPU requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Image tag is specified
  • Memory requests are set
DaemonSet: csi-azuredisk-node

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • Host IPC is not configured
  • Host PID is not configured
  • Priority class has been set

Container liveness-probe:

  • Privilege escalation should not be allowed
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured

Container node-driver-registrar:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Not running as privileged
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Memory requests are set
  • CPU requests are set

Container azuredisk:

  • Should not be running as privileged
  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Liveness probe is configured
  • Memory requests are set
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
DaemonSet: csi-azuredisk-node-win

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • Priority class has been set
  • Host IPC is not configured
  • Host PID is not configured

Container init:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables

Container node-driver-registrar:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Liveness probe should be configured
  • Filesystem should be read only
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory requests are set
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Container azuredisk:

  • Privilege escalation should not be allowed
  • Liveness probe should be configured
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Filesystem should be read only
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
DaemonSet: csi-azurefile-node

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host PID is not configured
  • Priority class has been set

Container liveness-probe:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Liveness probe should be configured
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Image tag is specified
  • Memory requests are set
  • Not running as privileged
  • CPU requests are set
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities

Container node-driver-registrar:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Readiness probe should be configured
  • CPU requests are set
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Memory requests are set
  • Image tag is specified

Container azurefile:

  • Privilege escalation should not be allowed
  • Should not be running as privileged
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Host port is not configured
  • Memory requests are set
  • Image tag is specified
  • Liveness probe is configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
DaemonSet: csi-azurefile-node-win

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Host network should not be configured
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Priority class has been set
  • Host IPC is not configured

Container init:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container does not have any insecure capabilities
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Image tag is specified

Container node-driver-registrar:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • CPU requests are set
  • Container does not have any insecure capabilities
  • Memory requests are set

Container azurefile:

  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
  • Container does not have any insecure capabilities
DaemonSet: windows-kube-proxy-initializer

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Priority class has been set

Container pause:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • CPU requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
Deployment: cilium-operator

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network should not be configured
  • Priority class has been set
  • Host IPC is not configured
  • Host PID is not configured

Container cilium-operator:

  • Privilege escalation should not be allowed
  • Container should not have dangerous capabilities
  • CPU requests should be set
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Should not be allowed to run as root
  • Host port should not be configured
  • Filesystem should be read only
  • The container does not set potentially sensitive environment variables
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Not running as privileged
Deployment: coredns

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Priority class has been set

Container coredns:

  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Memory requests are set
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Privilege escalation not allowed
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • CPU requests are set
  • Liveness probe is configured
Deployment: coredns-autoscaler

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host PID is not configured
  • Priority class has been set
  • Host IPC is not configured
  • Host network is not configured

Container autoscaler:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Memory requests are set
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
Deployment: konnectivity-agent

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Priority class has been set
  • The ServiceAccount will not be automounted

Container konnectivity-agent:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Host port is not configured
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
Deployment: konnectivity-agent-autoscaler

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Priority class has been set

Container autoscaler:

  • Privilege escalation should not be allowed
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Host port is not configured
  • Liveness probe is configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Image tag is specified
  • CPU requests are set
  • Memory requests are set
  • Not running as privileged
Deployment: metrics-server

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class has been set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container metrics-server-vpa:

  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Container does not have any insecure capabilities
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • CPU requests are set
  • Filesystem is read only
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables

Container metrics-server:

  • Image pull policy should be "Always"
  • Not running as privileged
  • Image tag is specified
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Readiness probe is configured
NetworkPolicy: konnectivity-agent

Spec: no checks applied

PodDisruptionBudget: coredns-pdb

Spec: no checks applied

PodDisruptionBudget: konnectivity-agent

Spec: no checks applied

PodDisruptionBudget: metrics-server-pdb

Spec: no checks applied

Role: cert-manager-cainjector:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: extension-apiserver-authentication-reader

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: nodeNetConfigEditor

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-controller-manager

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-scheduler

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:cloud-provider

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:token-cleaner

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:metrics-server

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-cainjector:leaderelection

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: cert-manager:leaderelection

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: metrics-server-auth-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: metrics-server-binding

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: nodeNetConfigEditorRoleBinding

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: system::extension-apiserver-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-controller-manager

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-scheduler

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: system:controller:cloud-provider

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: system:controller:token-cleaner

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
ServiceAccount: attachdetach-controller

Spec: no checks applied

ServiceAccount: azure-cns

Spec: no checks applied

ServiceAccount: bootstrap-signer

Spec: no checks applied

ServiceAccount: certificate-controller

Spec: no checks applied

ServiceAccount: cilium

Spec: no checks applied

ServiceAccount: cilium-operator

Spec: no checks applied

ServiceAccount: cloud-node-manager

Spec: no checks applied

ServiceAccount: clusterrole-aggregation-controller

Spec: no checks applied

ServiceAccount: coredns

Spec: no checks applied

ServiceAccount: coredns-autoscaler

Spec: no checks applied

ServiceAccount: cronjob-controller

Spec: no checks applied

ServiceAccount: csi-azuredisk-node-sa

Spec: no checks applied

ServiceAccount: csi-azurefile-node-sa

Spec: no checks applied

ServiceAccount: daemon-set-controller

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: deployment-controller

Spec: no checks applied

ServiceAccount: disruption-controller

Spec: no checks applied

ServiceAccount: endpoint-controller

Spec: no checks applied

ServiceAccount: endpointslice-controller

Spec: no checks applied

ServiceAccount: endpointslicemirroring-controller

Spec: no checks applied

ServiceAccount: ephemeral-volume-controller

Spec: no checks applied

ServiceAccount: expand-controller

Spec: no checks applied

ServiceAccount: generic-garbage-collector

Spec: no checks applied

ServiceAccount: horizontal-pod-autoscaler

Spec: no checks applied

ServiceAccount: job-controller

Spec: no checks applied

ServiceAccount: konnectivity-agent

Spec: no checks applied

ServiceAccount: konnectivity-agent-autoscaler

Spec: no checks applied

ServiceAccount: legacy-service-account-token-cleaner

Spec: no checks applied

ServiceAccount: metrics-server

Spec: no checks applied

ServiceAccount: namespace-controller

Spec: no checks applied

ServiceAccount: node-controller

Spec: no checks applied

ServiceAccount: persistent-volume-binder

Spec: no checks applied

ServiceAccount: pod-garbage-collector

Spec: no checks applied

ServiceAccount: pv-protection-controller

Spec: no checks applied

ServiceAccount: pvc-protection-controller

Spec: no checks applied

ServiceAccount: replicaset-controller

Spec: no checks applied

ServiceAccount: replication-controller

Spec: no checks applied

ServiceAccount: resourcequota-controller

Spec: no checks applied

ServiceAccount: root-ca-cert-publisher

Spec: no checks applied

ServiceAccount: service-account-controller

Spec: no checks applied

ServiceAccount: statefulset-controller

Spec: no checks applied

ServiceAccount: token-cleaner

Spec: no checks applied

ServiceAccount: ttl-after-finished-controller

Spec: no checks applied

ServiceAccount: ttl-controller

Spec: no checks applied

ServiceAccount: validatingadmissionpolicy-status-controller

Spec: no checks applied

Namespace: kuma-uptime

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-manager-scripts

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-adminconsole-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-argocd-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-argocd-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-cloudadmin-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-default-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-default-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovdocs-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovdocs-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovengine-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovengine-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovframework-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovnotify-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovnotify-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpass-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpass-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpay-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpay-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpki-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovpki-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovshortener-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovshortener-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovsign-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-dotgovsign-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-echo-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ecouncil-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-elastic-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-harbor-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-ndr-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-opensearch-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-polaris-aks-dev

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-polaris-dotgov-test-aks

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamconnect-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamdocs-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamlog-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zammobile-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamnotify-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamoffice-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampass-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampay-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampki-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zampoint-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamservices-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamshortener-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-gsb-stg

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-gsb-tst

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kuma-monitors-zamsign-production

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: kuma-uptime

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container kuma-uptime:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image tag should be specified
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Host port is not configured
  • Memory requests are set
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities

Container kuma-manager:

  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Container should not have insecure capabilities
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Memory requests are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged
Ingress: kuma-uptime

Spec:

  • Ingress has TLS configured
ServiceAccount: default

Spec: no checks applied

Namespace: playwright

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RoleBinding: azdev-rb-azdev-sa-836f16-admin-on-playwright

Spec:

  • The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: azdev-sa-836f16

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: polaris

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: polaris

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: polaris-dashboard

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured
  • A PodDisruptionBudget is attached

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Pod has a valid topology spread constraint

Container dashboard:

  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Privilege escalation not allowed
  • Not running as privileged
  • CPU requests are set
  • Liveness probe is configured
  • Filesystem is read only
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Readiness probe is configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Is not allowed to run as root
Ingress: polaris

Spec:

  • Ingress has TLS configured
PodDisruptionBudget: polaris-dashboard

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: polaris

Spec: no checks applied

Namespace: postgres-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: postgres-operator

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container postgres-operator:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Liveness probe should be configured
  • Container should not have insecure capabilities
  • Host port is not configured
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • CPU requests are set
  • Memory requests are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Is not allowed to run as root
ServiceAccount: default

Spec: no checks applied

ServiceAccount: postgres-operator

Spec: no checks applied

Namespace: rabbitmq-ha

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: rabbitmq-ha-plugins-conf

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: rabbitmq-ha-server-conf

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
RabbitmqCluster: rabbitmq-ha

Spec: no checks applied

Role: rabbitmq-ha-peer-discovery

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: rabbitmq-ha-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: rabbitmq-ha-server

Spec: no checks applied

Namespace: rabbitmq-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container rabbitmq-cluster-operator:

  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Memory requests are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Image tag is specified
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • CPU requests are set
Deployment: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container rabbitmq-cluster-operator:

  • The container sets potentially sensitive environment variables
  • Image pull policy should be "Always"
  • Memory requests are set
  • Readiness probe is configured
  • Image tag is specified
  • CPU requests are set
  • Host port is not configured
  • Liveness probe is configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • Is not allowed to run as root
NetworkPolicy: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

NetworkPolicy: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

PodDisruptionBudget: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

PodDisruptionBudget: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

Role: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: rabbitmq-operator-rabbitmq-cluster-operator

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ServiceAccount: default

Spec: no checks applied

ServiceAccount: rabbitmq-operator-rabbitmq-cluster-operator

Spec: no checks applied

ServiceAccount: rabbitmq-operator-rabbitmq-messaging-topology-operator

Spec: no checks applied

Namespace: redis-ha

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

StatefulSet: redis-ha

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container redis-ha:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • CPU requests should be set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Readiness probe is configured
  • Host port is not configured
  • Container does not have any dangerous capabilities
  • Liveness probe is configured

Namespace: redis-operator

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: redis-operator

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance matches metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container redis-operator:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Liveness probe is configured
  • Readiness probe is configured
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Memory requests are set

ServiceAccount: default

Spec: no checks applied

ServiceAccount: redis-operator

Spec: no checks applied

Namespace: reloader

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

ConfigMap: reloader-meta-info

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: reloader-reloader

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured

Container reloader-reloader:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Is not allowed to run as root
  • Image tag is specified
  • Memory requests are set
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Liveness probe is configured
  • Not running as privileged
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges

Role: reloader-reloader-metadata-role

Spec:

  • The Role does not allow pods/exec or pods/attach

RoleBinding: reloader-reloader-metadata-role-binding

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions

ServiceAccount: default

Spec: no checks applied

ServiceAccount: reloader-reloader

Spec: no checks applied

Namespace: vpa

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values

Deployment: vpa-admission-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container vpa:

  • Memory requests are set
  • Not running as privileged
  • Liveness probe is configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Image tag is specified
  • CPU requests are set
  • Image pull policy is "Always"
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Readiness probe is configured

Deployment: vpa-recommender

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host PID is not configured
  • Host IPC is not configured
  • Host network is not configured

Container vpa:

  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Memory requests are set
  • Readiness probe is configured
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Filesystem is read only
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • CPU requests are set

Deployment: vpa-updater

Spec:

  • Should have a PodDisruptionBudget
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container vpa:

  • Readiness probe is configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Filesystem is read only
  • Image pull policy is "Always"
  • Image tag is specified
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Memory requests are set
  • Privilege escalation not allowed
  • Not running as privileged

ServiceAccount: default

Spec: no checks applied

ServiceAccount: vpa-admission-controller

Spec: no checks applied

ServiceAccount: vpa-recommender

Spec: no checks applied

ServiceAccount: vpa-updater

Spec: no checks applied