KubeLinter

Community Analyzer
Sharing host's process namespace KUBELIN-W1019
Anti-pattern
Major

Alerts on Pods and deployment-like objects that share the host's process namespace (hostPID set to true).

Unrestricted access to create pods KUBELIN-W1001
Anti-pattern
Major

Indicates when a subject (Group/User/ServiceAccount) has create access to Pods. CIS Benchmark 5.1.4: The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

Unrestricted access to Secrets KUBELIN-W1002
Anti-pattern
Major

Indicates when a subject (Group/User/ServiceAccount) has access to Secrets. CIS Benchmark 5.1.2: Access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.

cluster admin role should be used only where required KUBELIN-W1003
Anti-pattern
Major

CIS Benchmark 5.1.1: Ensure that the cluster-admin role is only used where required.
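The three RBAC rules above (W1001, W1002, W1003) all reduce to resolving each binding's subjects to the verbs and resources its role grants. The following is an added example of that logic, not KubeLinter's own implementation; the Role, RoleBinding and ClusterRoleBinding objects are constructed in-line as Python dicts (the same structure as the YAML you would apply), and the namespace of a Role is ignored when resolving references to keep the lookup short.

```python
"""Simplified RBAC checks modelled on KUBELIN-W1001/W1002/W1003.

Added example, not KubeLinter's code. Objects are constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed sample objects: one over-broad Role, one least-privilege Role,
# a binding for each, and a ClusterRoleBinding that hands out cluster-admin.
MANIFESTS: List[dict] = [
    {
        "kind": "Role", "metadata": {"name": "ci-runner", "namespace": "build"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]},
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        ],
    },
    {
        "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "build"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        ],
    },
    {
        "kind": "RoleBinding", "metadata": {"name": "ci-runner", "namespace": "build"},
        "roleRef": {"kind": "Role", "name": "ci-runner"},
        "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}],
    },
    {
        "kind": "RoleBinding", "metadata": {"name": "pod-reader", "namespace": "build"},
        "roleRef": {"kind": "Role", "name": "pod-reader"},
        "subjects": [{"kind": "Group", "name": "developers"}],
    },
    {
        "kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "User", "name": "alice"}],
    },
]

CORE_GROUP = ("", "*")  # pods and secrets live in the core API group


def rule_grants(rule: dict, resource: str, verbs: set) -> bool:
    """True if one RBAC rule grants any of `verbs` on a core-group `resource`.
    A '*' entry matches everything, as it does in the API server's authorizer."""
    if not any(g in CORE_GROUP for g in rule.get("apiGroups", [])):
        return False
    if not {resource, "*"} & set(rule.get("resources", [])):
        return False
    return bool((verbs | {"*"}) & set(rule.get("verbs", [])))


def role_grants(role: dict, resource: str, verbs: set) -> bool:
    return any(rule_grants(r, resource, verbs) for r in role.get("rules", []))


def subject_id(s: dict) -> str:
    ns = s.get("namespace")
    return f"{s['kind']}/{ns + '/' if ns else ''}{s['name']}"


def lint_rbac(objects: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule-id, subject) findings for the three RBAC anti-patterns."""
    # Roles keyed by (kind, name); a RoleBinding may reference a ClusterRole too.
    roles: Dict[Tuple[str, str], dict] = {
        (o["kind"], o["metadata"]["name"]): o
        for o in objects if o["kind"] in ("Role", "ClusterRole")
    }
    findings: List[Tuple[str, str]] = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        subjects = [subject_id(s) for s in o.get("subjects", [])]
        if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
            findings += [("KUBELIN-W1003", s) for s in subjects]
        role = roles.get((ref["kind"], ref["name"]))
        if role is None:  # built-in or out-of-scope role: no rules to inspect
            continue
        if role_grants(role, "pods", {"create"}):
            findings += [("KUBELIN-W1001", s) for s in subjects]
        if role_grants(role, "secrets", {"get", "list", "watch"}):
            findings += [("KUBELIN-W1002", s) for s in subjects]
    return findings


if __name__ == "__main__":
    for rule_id, subj in lint_rbac(MANIFESTS):
        print(f"{rule_id}: {subj}")
```

Run against the sample, the ServiceAccount bound to ci-runner is reported under both W1001 and W1002, alice is reported under W1003, and the developers group bound to the read-only pod-reader Role produces nothing, which is the least-privilege shape the CIS items ask for.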

Missing scaleTargetRef in HorizontalPodAutoscaler KUBELIN-W1004
Anti-pattern
Major

Indicates when HorizontalPodAutoscalers target a missing resource.

Ingress without associated services KUBELIN-W1005
Anti-pattern
Major

Indicates when Ingresses do not have any associated Services.

NetworkPolicy without associated deployments KUBELIN-W1006
Anti-pattern
Major

Indicates when NetworkPolicies do not have any associated deployments.

Misconfigured NetworkPolicyPeer podSelectors KUBELIN-W1007
Anti-pattern
Major

Indicates when a NetworkPolicyPeer in the ingress or egress rules of a NetworkPolicy spec does not match any deployment. Applies only to peers specified with a podSelector.

Missing deployment for service KUBELIN-W1008
Anti-pattern
Major

Indicates when services do not have any associated deployments.

Pods using default service account KUBELIN-W1009
Anti-pattern
Major

Indicates when pods use the default service account.

Use of deprecated serviceAccount field in deployments KUBELIN-W1010
Anti-pattern
Major

Indicates when deployments use the deprecated serviceAccount field.

Missing dnsConfig options in deployments KUBELIN-W1011
Anti-pattern
Major

Alerts on deployments that have no dnsConfig options specified.

docker.sock volume mounted in containers KUBELIN-W1012
Anti-pattern
Major

Alerts on deployments with docker.sock mounted in containers.

Container with NET_RAW capability KUBELIN-W1013
Anti-pattern
Major

Indicates when containers do not drop the NET_RAW capability.

Duplicate env vars dedicated KUBELIN-W1014
Anti-pattern
Major

Checks that environment variables with duplicate names are not passed to a deployment-like object.

Insecure use of secrets in environment variables KUBELIN-W1015
Anti-pattern
Major

Indicates when objects use a secret in an environment variable.

Forbidden service types for exposed services KUBELIN-W1016
Anti-pattern
Major

Alerts on Services whose type is forbidden (for example NodePort or LoadBalancer, which expose the Service outside the cluster).

Pods sharing host's network namespace KUBELIN-W1018
Anti-pattern
Major

Alerts on Pods and deployment-like objects that share the host's network namespace (hostNetwork set to true).
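Several of the rules in this list inspect the same PodSpec: the default service account (W1009), the deprecated serviceAccount field (W1010), a mounted docker.sock (W1012), an undropped NET_RAW capability (W1013), Secrets surfaced as environment variables (W1015), and the host network and PID namespaces (W1018, W1019). The following is an added example of those checks side by side, not KubeLinter's own code; the two Deployments are constructed in-line as Python dicts (the same structure as the YAML you would apply), with the weak manifest beside its hardened form.

```python
"""PodSpec checks modelled on KUBELIN-W1009/W1010/W1012/W1013/W1015/W1018/W1019.

Added example, not KubeLinter's code. Both Deployments are constructed sample data.
"""
import posixpath
from typing import List, Tuple

WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "agent", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "hostNetwork": True,
        "serviceAccount": "default",  # deprecated field, and the default SA
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1.0",
            "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}],
            "env": [{"name": "API_TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "agent-creds", "key": "token"}}}],
        }],
    }}},
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "agent", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "agent",  # dedicated SA, modern field name
        "volumes": [{"name": "creds", "secret": {"secretName": "agent-creds"}}],
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1.0",
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
            # Secret delivered as a read-only file mount instead of an env var.
            "volumeMounts": [{"name": "creds", "mountPath": "/var/run/secrets/agent",
                              "readOnly": True}],
        }],
    }}},
}

DEPLOYMENT_LIKES = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(obj: dict) -> dict:
    """Locate the PodSpec inside a Pod or a deployment-like object."""
    if obj["kind"] == "Pod":
        return obj["spec"]
    if obj["kind"] in DEPLOYMENT_LIKES:
        return obj["spec"]["template"]["spec"]
    raise ValueError(f"no pod spec in {obj['kind']}")


def lint_pod_spec(obj: dict) -> List[Tuple[str, str]]:
    """Return (rule-id, message) findings for one Pod or deployment-like object."""
    spec = pod_spec(obj)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings: List[Tuple[str, str]] = []

    if spec.get("hostPID"):
        findings.append(("KUBELIN-W1019", "hostPID is true"))
    if spec.get("hostNetwork"):
        findings.append(("KUBELIN-W1018", "hostNetwork is true"))

    # Service account: the deprecated field, and falling back to 'default'.
    if "serviceAccount" in spec:
        findings.append(("KUBELIN-W1010", "deprecated serviceAccount field set"))
    sa = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    if sa == "default":
        findings.append(("KUBELIN-W1009", "pod runs as the default service account"))

    # docker.sock: a hostPath volume that some container actually mounts.
    sock_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if posixpath.basename(v.get("hostPath", {}).get("path", "")) == "docker.sock"
    }
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m["name"] in sock_volumes:
                findings.append(("KUBELIN-W1012", f"{c['name']} mounts docker.sock at {m['mountPath']}"))

        # NET_RAW is present by default; flag unless it (or ALL) is dropped.
        dropped = set(c.get("securityContext", {}).get("capabilities", {}).get("drop", []))
        if not dropped & {"NET_RAW", "ALL"}:
            findings.append(("KUBELIN-W1013", f"{c['name']} does not drop NET_RAW"))

        # Secrets surfaced as environment variables, per-key or whole Secret.
        for e in c.get("env", []):
            if "secretKeyRef" in e.get("valueFrom", {}):
                findings.append(("KUBELIN-W1015", f"{c['name']} env {e['name']} reads a Secret"))
        for e in c.get("envFrom", []):
            if "secretRef" in e:
                findings.append(("KUBELIN-W1015", f"{c['name']} envFrom imports Secret {e['secretRef']['name']}"))
    return findings


if __name__ == "__main__":
    for name, d in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{name}: {len(lint_pod_spec(d))} finding(s)")
        for rule_id, msg in lint_pod_spec(d):
            print(f"  {rule_id}: {msg}")
```

The weak manifest trips all seven rules; the hardened one trips none because it names a dedicated service account, drops ALL capabilities (which covers NET_RAW), stays in its own network and PID namespaces, and receives its credential as a read-only Secret volume rather than a hostPath socket or an environment variable.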

Insufficient minReplicas in HorizontalPodAutoscaler KUBELIN-W1020
Anti-pattern
Major

Indicates when a HorizontalPodAutoscaler specifies fewer than three minReplicas.

Invalid port names in deployments or services KUBELIN-W1021
Anti-pattern
Major

Indicates when deployments or services are using port names that are violating specifications.