diff --git a/core/pkg/resultshandling/reporter/v2/mockreporter_test.go b/core/pkg/resultshandling/reporter/v2/mockreporter_test.go index 83d14a12..cf07a955 100644 --- a/core/pkg/resultshandling/reporter/v2/mockreporter_test.go +++ b/core/pkg/resultshandling/reporter/v2/mockreporter_test.go @@ -1,10 +1,37 @@ package reporter import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "net/http/httptest" + "net/http/httputil" + "net/url" + "os" + "path/filepath" + "runtime" + "strings" "testing" + + "github.com/armosec/armoapi-go/armotypes" + "github.com/kubescape/k8s-interface/workloadinterface" + "github.com/kubescape/kubescape/v2/core/cautils" + "github.com/kubescape/kubescape/v2/core/pkg/resultshandling/reporter" + "github.com/kubescape/opa-utils/reporthandling" + "github.com/kubescape/opa-utils/reporthandling/apis" + "github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1" + "github.com/kubescape/opa-utils/reporthandling/results/v1/prioritization" + "github.com/kubescape/opa-utils/reporthandling/results/v1/resourcesresults" + reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) -func TestReportMock_GetURL(t *testing.T) { +func TestReportMockGetURL(t *testing.T) { + t.Parallel() + type fields struct { query string message string 
@@ -31,15 +58,44 @@ func TestReportMock_GetURL(t *testing.T) { want: "", }, } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - reportMock := &ReportMock{ - query: tt.fields.query, - message: tt.fields.message, - } - if got := reportMock.GetURL(); got != tt.want { - t.Errorf("ReportMock.GetURL() = %v, want %v", got, tt.want) - } + + for _, toPin := range tests { + tc := toPin + + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + + var reportMock reporter.IReport = NewReportMock(tc.fields.query, tc.fields.message) + + t.Run("mock reports should support GetURL", func(t *testing.T) { + got := reportMock.GetURL() + require.Equalf(t, tc.want, got, + "ReportMock.GetURL() = %v, want %v", got, tc.want, + ) + }) + + t.Run("mock reports should support DisplayReportURL", func(t *testing.T) { + capture, clean := captureStderr(t) + defer clean() + + reportMock.DisplayReportURL() + require.NoError(t, capture.Close()) + + buf, err := os.ReadFile(capture.Name()) + require.NoError(t, err) + + if tc.fields.message != "" { + require.NotEmpty(t, buf) + } else { + require.Empty(t, buf) + } + }) + + t.Run("mock reports should support Submit", func(t *testing.T) { + require.NoError(t, + reportMock.Submit(context.Background(), &cautils.OPASessionObj{}), + ) + }) }) } } 
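Review bot: The DisplayReportURL subtest only checks that *something* reached stderr when a message is set (`require.NotEmpty(t, buf)`), so a regression that prints the wrong URL, or a different field than intended, still passes; asserting on the content, e.g. `require.Contains(t, string(buf), tc.fields.message)`, would pin the behaviour, provided strToDisplay passes the message through unchanged (its own test sits outside this hunk, so verify that first). The capture is only safe under the parent's `t.Parallel()` because captureStderr takes the package-level mxStdio lock before swapping os.Stderr; a one-line comment above `capture, clean := captureStderr(t)` naming that dependency would keep a later refactor from dropping the lock. The table of test cases this loop ranges over begins above the hunk.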
@@ -83,3 +139,219 @@ func TestReportMock_strToDisplay(t *testing.T) { }) } } + +const pathTestReport = "/k8s/v2/postureReport" + +type ( + // mockableOPASessionObj reproduces OPASessionObj with concrete types instead of interfaces. + // It may be unmarshaled from a JSON fixture. + mockableOPASessionObj struct { + K8SResources *cautils.K8SResources + ArmoResource *cautils.KSResources + AllPolicies *cautils.Policies + AllResources map[string]*workloadinterface.Workload + ResourcesResult map[string]resourcesresults.Result + ResourceSource map[string]reporthandling.Source + ResourcesPrioritized map[string]prioritization.PrioritizedResource + ResourceAttackTracks map[string]*v1alpha1.AttackTrack + AttackTracks map[string]*v1alpha1.AttackTrack + Report *reporthandlingv2.PostureReport + RegoInputData cautils.RegoInputData + Metadata *reporthandlingv2.Metadata + InfoMap map[string]apis.StatusInfo + ResourceToControlsMap map[string][]string + SessionID string + Policies []reporthandling.Framework + Exceptions []armotypes.PostureExceptionPolicy + OmitRawResources bool + } + + // testServer wraps a mock http server. + // + // It exposes a route to POST reports and asserts the submitted requests. + testServer struct { + *httptest.Server + } + + // interceptor is a http.RoundTripper used to re-route the calls to the mock API server. + // + // NOTE(fredbi): ideally, the target URL is configurable so we don't need to resort to this to run tests. + interceptor struct { + original http.RoundTripper + host string + } +) + +// mockOPASessionObj builds an OPASessionObj from a JSON fixture. 
+func mockOPASessionObj(t testing.TB) *cautils.OPASessionObj { + buf, err := os.ReadFile(filepath.Join(currentDir(), "testdata", "mock_opasessionobj.json")) + require.NoError(t, err) + + var v mockableOPASessionObj + require.NoError(t, + json.Unmarshal(buf, &v), + ) + + o := cautils.OPASessionObj{ + K8SResources: v.K8SResources, + ArmoResource: v.ArmoResource, + AllPolicies: v.AllPolicies, + //AllResources map[string]*workloadinterface.Workload // all scanned resources, map[] + ResourcesResult: v.ResourcesResult, + ResourceSource: v.ResourceSource, + ResourcesPrioritized: v.ResourcesPrioritized, + //ResourceAttackTracks map[string]*v1alpha1.AttackTrack // resources attack tracks, map[] + //AttackTracks map[string]*v1alpha1.AttackTrack + Report: v.Report, + RegoInputData: v.RegoInputData, + Metadata: v.Metadata, + InfoMap: v.InfoMap, + ResourceToControlsMap: v.ResourceToControlsMap, + SessionID: v.SessionID, + Policies: v.Policies, + Exceptions: v.Exceptions, + OmitRawResources: v.OmitRawResources, + } + + o.AllResources = make(map[string]workloadinterface.IMetadata, len(v.AllResources)) + for k, val := range v.AllResources { + o.AllResources[k] = val + } + + o.ResourceAttackTracks = make(map[string]v1alpha1.IAttackTrack, len(v.ResourceAttackTracks)) + for k, val := range v.ResourceAttackTracks { + o.ResourceAttackTracks[k] = val + } + + o.AttackTracks = make(map[string]v1alpha1.IAttackTrack, len(v.AttackTracks)) + for k, val := range v.AttackTracks { + o.AttackTracks[k] = val + } + + return &o +} + +func (s *testServer) Root() string { + return s.Server.URL +} + +func (s *testServer) URL(pth string) string { + pth = strings.TrimLeft(pth, "/") + + return fmt.Sprintf("%s/%s", s.Server.URL, pth) +} + +// mockAPIServer builds a mock API running with a TLS endpoint. +// +// Running tests with the DEBUG_TEST=1 environment will result in dumping a trace of +// the incoming requests. 
+func mockAPIServer(t testing.TB) *testServer { + h := http.NewServeMux() + + server := &testServer{ + Server: httptest.NewUnstartedServer(h), + } + + h.HandleFunc(pathTestReport, func(w http.ResponseWriter, r *http.Request) { + if os.Getenv("DEBUG_TEST") != "" { + dump, _ := httputil.DumpRequest(r, true) + t.Logf("%s\n", dump) + } + + if !assert.Equal(t, http.MethodPost, r.Method) { + w.WriteHeader(http.StatusMethodNotAllowed) + + return + } + + if !assert.NoErrorf(t, r.ParseForm(), "expected params to parse") { + w.WriteHeader(http.StatusBadRequest) + + return + } + + cluster := r.Form.Get("clusterName") + contextName := r.Form.Get("contextName") + customer := r.Form.Get("customerGUID") + report := r.Form.Get("reportGUID") + + if cluster == "" || contextName == "" || customer == "" || report == "" { + t.Error("missing query parameter") + w.WriteHeader(http.StatusBadRequest) + + return + } + + // NOTE(fredbi): (i) requests should have header Content-Type: "application/json" + // NOTE(fredbi): (ii) shouldn't we require an extra authentication (e.g. secretKey or Token)? + + buf, err := io.ReadAll(r.Body) + defer func() { + _ = r.Body.Close() + }() + + if !assert.NoError(t, err) { + w.WriteHeader(http.StatusInternalServerError) + + return + } + + var input reporthandlingv2.PostureReport + if !assert.NoError(t, json.Unmarshal(buf, &input)) { + w.WriteHeader(http.StatusInternalServerError) + + return + } + }) + + h.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + dump, _ := httputil.DumpRequest(r, true) + t.Logf("%s\n", dump) + + t.Errorf("unexpected route in input request: %v", r.URL) + + w.WriteHeader(http.StatusNotFound) + }) + + server.StartTLS() + + return server +} + +// newInterceptor builds a new http.RoundTripper to re-route outgoing requests. 
+func newInterceptor(transport http.RoundTripper, host string) *interceptor { + return &interceptor{ + original: transport, + host: host, + } +} + +func (i *interceptor) RoundTrip(r *http.Request) (*http.Response, error) { + defer r.Body.Close() + + hijacked := r.Clone(r.Context()) + hijacked.URL.Host = i.host + + return i.original.RoundTrip(hijacked) +} + +// hijackedClient builds an HTTP client suited for working against a mock server. +// +// This client supports mocked TLS and re-routes outgoing calls to the local mock server. +func hijackedClient(t testing.TB, srv *testServer) *http.Client { + tlsClient := srv.Client() + transport, ok := tlsClient.Transport.(*http.Transport) + require.True(t, ok) + mockURL, err := url.Parse(srv.Root()) + require.NoError(t, err) + + return &http.Client{ + Transport: newInterceptor(transport, mockURL.Host), + } +} + +func currentDir() string { + _, filename, _, _ := runtime.Caller(1) + + return filepath.Dir(filename) +} diff --git a/core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go b/core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go index ea9b6593..f4446b98 100644 --- a/core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go +++ b/core/pkg/resultshandling/reporter/v2/reporteventreceiver_test.go @@ -1,15 +1,28 @@ package reporter import ( + "context" + "math/rand" "net/url" + "os" + "strconv" + "sync" "testing" + logger "github.com/kubescape/go-logger" + "github.com/kubescape/go-logger/prettylogger" "github.com/kubescape/kubescape/v2/core/cautils" reporthandlingv2 "github.com/kubescape/opa-utils/reporthandling/v2" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) +// mxStdio serializes the capture of os.Stderr or os.Stdout +var mxStdio sync.Mutex + func TestReportEventReceiver_addPathURL(t *testing.T) { + t.Parallel() + tests := []struct { report *ReportEventReceiver urlObj *url.URL 
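Review bot: The report handler in mockAPIServer validates the four query parameters but, as its own NOTE(fredbi) lines admit, never checks the `Content-Type` header or any credential, so the test cannot catch a regression in how the reporter encodes or authenticates the submission; at minimum assert the content type, `if ct := r.Header.Get("Content-Type"); !assert.Equal(t, "application/json", ct) { w.WriteHeader(http.StatusUnsupportedMediaType); return }` (assuming the reporter sets it as the NOTE expects), and turn the authentication question into a tracked TODO rather than a rhetorical comment. In interceptor.RoundTrip, `defer r.Body.Close()` panics for a client request whose Body is nil, which is legal for bodiless requests; guard it with `if r.Body != nil { defer r.Body.Close() }`, and note in the doc comment that `r.Clone` only rewrites `URL.Host`, so the Host header the mock sees is presumably still the original destination. The catch-all `/` handler also dumps the full request, body included, unconditionally, while the report route gates the same dump behind DEBUG_TEST; applying the same gate avoids spraying report contents into CI logs on an unexpected route.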
@@ -57,19 +70,146 @@ func TestReportEventReceiver_addPathURL(t *testing.T) { RawQuery: "customerGUID=FFFF&invitationToken=XXXX&utm_medium=createaccount&utm_source=ARMOgithub", }, }, + { + name: "add rbac path", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "XXXX", + customerAdminEMail: "test@test", + reportID: "1234", + submitContext: SubmitContextRBAC, + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "rbac-visualizer", + }, + }, + { + name: "add repository path", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "XXXX", + customerAdminEMail: "test@test", + reportID: "1234", + submitContext: SubmitContextRepository, + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "repository-scanning/1234", + }, + }, + { + name: "add default path", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "XXXX", + customerAdminEMail: "test@test", + reportID: "1234", + submitContext: SubmitContext("invalid"), + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "dashboard", + }, + }, + { + name: "path when no email and no token", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "", + customerAdminEMail: "", + reportID: "1234", + submitContext: SubmitContextScan, + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "compliance/test", + }, + }, + { + name: "path when email and no token", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "", + customerAdminEMail: "test@test", + reportID: "1234", + submitContext: 
SubmitContextScan, + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "compliance/test", + }, + }, + { + name: "path when no email and token", + report: &ReportEventReceiver{ + clusterName: "test", + customerGUID: "FFFF", + token: "XYZ", + customerAdminEMail: "", + reportID: "1234", + submitContext: SubmitContextScan, + }, + urlObj: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + }, + want: &url.URL{ + Scheme: "https", + Host: "localhost:8080", + Path: "account/sign-up", + RawQuery: "customerGUID=FFFF&invitationToken=XYZ&utm_medium=createaccount&utm_source=ARMOgithub", + }, + }, } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - tt.report.addPathURL(tt.urlObj) - assert.Equal(t, tt.want.String(), tt.urlObj.String()) + for _, toPin := range tests { + tc := toPin + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + + tc.report.addPathURL(tc.urlObj) + require.Equal(t, tc.want.String(), tc.urlObj.String()) }) } } func TestGetURL(t *testing.T) { - // Test submit and registered url - { + t.Parallel() + + t.Run("with scan submit and registered url", func(t *testing.T) { + t.Parallel() + reporter := NewReportEventReceiver( &cautils.ConfigObj{ AccountID: "1234", @@ -81,10 +221,11 @@ func TestGetURL(t *testing.T) { SubmitContextScan, ) assert.Equal(t, "https://cloud.armosec.io/compliance/test", reporter.GetURL()) - } + }) + + t.Run("with rbac submit and registered url", func(t *testing.T) { + t.Parallel() - // Test rbac submit and registered url - { reporter := NewReportEventReceiver( &cautils.ConfigObj{ AccountID: "1234", 
@@ -96,10 +237,11 @@ func TestGetURL(t *testing.T) { SubmitContextRBAC, ) assert.Equal(t, "https://cloud.armosec.io/rbac-visualizer", reporter.GetURL()) - } + }) + + t.Run("with repository submit and registered url", func(t *testing.T) { + t.Parallel() - // Test repo submit and registered url - { reporter := NewReportEventReceiver( &cautils.ConfigObj{ AccountID: "1234", @@ -111,10 +253,10 @@ func TestGetURL(t *testing.T) { SubmitContextRepository, ) assert.Equal(t, "https://cloud.armosec.io/repository-scanning/XXXX", reporter.GetURL()) - } + }) - // Test submit and NOT registered url - { + t.Run("with scan submit and NOT registered url", func(t *testing.T) { + t.Parallel() reporter := NewReportEventReceiver( &cautils.ConfigObj{ 
@@ -126,51 +268,286 @@ func TestGetURL(t *testing.T) { SubmitContextScan, ) assert.Equal(t, "https://cloud.armosec.io/account/sign-up?customerGUID=1234&invitationToken=token&utm_medium=createaccount&utm_source=ARMOgithub", reporter.GetURL()) - } + }) + + t.Run("with unknown submit and NOT registered url (default route)", func(t *testing.T) { + t.Parallel() + + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1234", + ClusterName: "test", + }, + "", + SubmitContext("unknown"), + ) + assert.Equal(t, "https://cloud.armosec.io/dashboard", reporter.GetURL()) + }) } -func Test_prepareReportKeepsOriginalScanningTarget(t *testing.T) { +func TestDisplayReportURL(t *testing.T) { + t.Parallel() - // prepareReport should keep the original scanning target it received, and not mutate it - testCases := []struct { - Name string - Want reporthandlingv2.ScanningTarget - }{ - {"Cluster", reporthandlingv2.Cluster}, - {"File", reporthandlingv2.File}, - {"Repo", reporthandlingv2.Repo}, - {"GitLocal", reporthandlingv2.GitLocal}, - {"Directory", reporthandlingv2.Directory}, + t.Run("should display an empty message", func(t *testing.T) { + t.Parallel() + + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1234", + Token: "token", + ClusterName: "test", + }, + "", + SubmitContextScan, + ) + + capture, clean := captureStderr(t) + defer clean() + + reporter.DisplayReportURL() + require.NoError(t, capture.Close()) + + buf, err := os.ReadFile(capture.Name()) + require.NoError(t, err) + + require.Empty(t, buf) + }) + + t.Run("should display a non-empty message", func(t *testing.T) { + t.Parallel() + + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1234", + Token: "token", + ClusterName: "test", + }, + "", + SubmitContextScan, + ) + reporter.generateMessage() + + capture, clean := captureStderr(t) + defer clean() + + reporter.DisplayReportURL() + require.NoError(t, capture.Close()) + + buf, err := os.ReadFile(capture.Name()) + 
require.NoError(t, err) + + require.NotEmpty(t, buf) + assert.Contains(t, string(buf), "WOW!") + assert.Contains(t, string(buf), "https://cloud.armosec.io/account/sign-up") + + t.Log(string(buf)) + }) +} + +func TestPrepareReport(t *testing.T) { + t.Parallel() + + t.Run("should keep the original scanning target it received and not mutate it", func(t *testing.T) { + testCases := []struct { + Name string + Want reporthandlingv2.ScanningTarget + }{ + {"Cluster", reporthandlingv2.Cluster}, + {"File", reporthandlingv2.File}, + {"Repo", reporthandlingv2.Repo}, + {"GitLocal", reporthandlingv2.GitLocal}, + {"Directory", reporthandlingv2.Directory}, + } + + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1e3ae7c4-a8bb-4d7c-9bdf-eb86bc25e6bb", + Token: "token", + ClusterName: "test", + }, + "", + SubmitContextScan, + ) + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + want := tc.Want + + opaSessionObj := &cautils.OPASessionObj{ + Report: &reporthandlingv2.PostureReport{}, + Metadata: &reporthandlingv2.Metadata{ + ScanMetadata: reporthandlingv2.ScanMetadata{ScanningTarget: want}, + }, + } + + reporter.prepareReport(opaSessionObj) + + got := opaSessionObj.Metadata.ScanMetadata.ScanningTarget + require.Equalf(t, want, got, + "Scanning targets don’t match after preparing report. Got: %v, want %v", got, want, + ) + }) + } + }) +} + +func TestSubmit(t *testing.T) { + ctx := context.Background() + srv := mockAPIServer(t) + t.Cleanup(srv.Close) + + t.Run("should submit simple report", func(t *testing.T) { + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1e3ae7c4-a8bb-4d7c-9bdf-eb86bc25e6bb", + Token: "", + ClusterName: "test", + }, + "cbabd56f-bac6-416a-836b-b815ef347647", + SubmitContextScan, + ) + + opaSession := mockOPASessionObj(t) + reporter.httpClient = hijackedClient(t, srv) // re-route the http client to our mock server, as this is not easily configurable in the reporter. 
+ + require.NoError(t, + reporter.Submit(ctx, opaSession), + ) + }) + + t.Run("should warn when no customerGUID", func(t *testing.T) { + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + Token: "", + ClusterName: "test", + }, + "cbabd56f-bac6-416a-836b-b815ef347647", + SubmitContextScan, + ) + + opaSession := mockOPASessionObj(t) + reporter.httpClient = hijackedClient(t, srv) + + capture, clean := captureStderr(t) + if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok { + pretty.SetWriter(capture) + } + + defer func() { + clean() + if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok { + pretty.SetWriter(os.Stderr) + } + }() + + require.NoError(t, + reporter.Submit(ctx, opaSession), + ) + require.NoError(t, capture.Close()) + + buf, err := os.ReadFile(capture.Name()) + require.NoError(t, err) + + assert.Contains(t, string(buf), "failed to publish result") + assert.Contains(t, string(buf), "Unknown acc") + }) + + t.Run("should warn when no cluster name", func(t *testing.T) { + reporter := NewReportEventReceiver( + &cautils.ConfigObj{ + AccountID: "1e3ae7c4-a8bb-4d7c-9bdf-eb86bc25e6bb", + Token: "", + }, + "cbabd56f-bac6-416a-836b-b815ef347647", + SubmitContextScan, + ) + + opaSession := mockOPASessionObj(t) + opaSession.Metadata.ScanMetadata.ScanningTarget = reporthandlingv2.Cluster + + reporter.httpClient = hijackedClient(t, srv) + + capture, clean := captureStderr(t) + if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok { + pretty.SetWriter(capture) + } + + defer func() { + clean() + if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok { + pretty.SetWriter(os.Stderr) + } + }() + + require.NoError(t, + reporter.Submit(ctx, opaSession), + ) + require.NoError(t, capture.Close()) + + buf, err := os.ReadFile(capture.Name()) + require.NoError(t, err) + + assert.Contains(t, string(buf), "failed to publish result") + assert.Contains(t, string(buf), "cluster name") + }) +} + +func TestSetters(t *testing.T) { + t.Parallel() + + 
pickString := func() string { + return strconv.Itoa(rand.Intn(10000)) //nolint:gosec } reporter := NewReportEventReceiver( &cautils.ConfigObj{ - AccountID: "1e3ae7c4-a8bb-4d7c-9bdf-eb86bc25e6bb", - Token: "token", - ClusterName: "test", + AccountID: "1e3ae7c4-a8bb-4d7c-9bdf-eb86bc25e6bb", + Token: "", }, - "", + "cbabd56f-bac6-416a-836b-b815ef347647", SubmitContextScan, ) - for _, tc := range testCases { - t.Run(tc.Name, func(t *testing.T) { - want := tc.Want + t.Run("should set customerID", func(t *testing.T) { + guid := pickString() + reporter.SetCustomerGUID(guid) - opaSessionObj := &cautils.OPASessionObj{ - Report: &reporthandlingv2.PostureReport{}, - Metadata: &reporthandlingv2.Metadata{ - ScanMetadata: reporthandlingv2.ScanMetadata{ScanningTarget: want}, - }, - } + require.Equal(t, guid, reporter.customerGUID) + }) - reporter.prepareReport(opaSessionObj) + t.Run("should set cluster name", func(t *testing.T) { + cluster := pickString() + reporter.SetClusterName(cluster) - got := opaSessionObj.Metadata.ScanMetadata.ScanningTarget - if got != want { - t.Errorf("Scanning targets don’t match after preparing report. Got: %v, want %v", got, want) - } - }, - ) + require.Equal(t, cluster, reporter.clusterName) + }) + + t.Run("should normalize cluster name", func(t *testing.T) { + const cluster = " x y\t\tz" + reporter.SetClusterName(cluster) + + require.Equal(t, "-x-y-z", reporter.clusterName) + }) +} + +func captureStderr(t testing.TB) (*os.File, func()) { + mxStdio.Lock() + saved := os.Stderr + capture, err := os.CreateTemp("", "stderr") + if !assert.NoError(t, err) { + mxStdio.Unlock() + + t.FailNow() + + return nil, nil + } + os.Stderr = capture + + return capture, func() { + _ = capture.Close() + _ = os.Remove(capture.Name()) + + os.Stderr = saved + mxStdio.Unlock() } } 
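Review bot: In both "should warn" subtests of TestSubmit the deferred cleanup runs `clean()` first, which restores os.Stderr and releases mxStdio, and only afterwards calls `pretty.SetWriter(os.Stderr)`; between those two steps a parallel test that also uses captureStderr (TestDisplayReportURL here, or the mock-reporter test in the sibling file) can already have swapped os.Stderr for its own temp file, so the shared logger ends up bound to another test's capture, breaking that test's `require.Empty` and later writing to a removed file. Save the real handle before capturing and rebind the logger before releasing the lock, as below, in both subtests. TestSubmit is presumably left without `t.Parallel()` because of exactly this global logger state; a one-line comment saying so would stop someone from adding it. TestGetURL's closing subtests at the top of this hunk begin outside it.
```go
		opaSession := mockOPASessionObj(t)
		reporter.httpClient = hijackedClient(t, srv)

		realStderr := os.Stderr // taken before captureStderr swaps it
		capture, clean := captureStderr(t)
		if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok {
			pretty.SetWriter(capture)
		}

		defer func() {
			// Rebind the shared logger before clean() restores os.Stderr and
			// releases mxStdio, so another test's capture file cannot be picked up.
			if pretty, ok := logger.L().(*prettylogger.PrettyLogger); ok {
				pretty.SetWriter(realStderr)
			}
			clean()
		}()
		// … unchanged: Submit call and stderr assertions …
```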
diff --git a/core/pkg/resultshandling/reporter/v2/testdata/mock_opasessionobj.json b/core/pkg/resultshandling/reporter/v2/testdata/mock_opasessionobj.json new file mode 100644 index 00000000..777c282c --- /dev/null +++ b/core/pkg/resultshandling/reporter/v2/testdata/mock_opasessionobj.json 
@@ -0,0 +1,62772 @@ +{ + "K8SResources": { + "/v1/configmaps": [ + "/v1/backstage/ConfigMap/backstage-app-config", + "/v1/backstage/ConfigMap/backstage-app-env", + "/v1/backstage/ConfigMap/backstage-auth", + "/v1/backstage/ConfigMap/backstage-lighthouse", + "/v1/backstage/ConfigMap/backstage-postgres-ca", + "/v1/backstage/ConfigMap/kube-root-ca.crt", + "/v1/castai-agent/ConfigMap/castai-agent-autoscaler", + "/v1/castai-agent/ConfigMap/kube-root-ca.crt", + "/v1/cert-manager/ConfigMap/cert-manager-webhook", + "/v1/cert-manager/ConfigMap/kube-root-ca.crt", + "/v1/default/ConfigMap/arangodb-operator-feature-config-map", + "/v1/default/ConfigMap/kube-root-ca.crt", + "/v1/default/ConfigMap/kubescape", + "/v1/groundcover/ConfigMap/alligator-configuration", + "/v1/groundcover/ConfigMap/alligator-scrape-configuration", + "/v1/groundcover/ConfigMap/grafana-dashboards", + "/v1/groundcover/ConfigMap/grafana-dashboards-provisioning", + "/v1/groundcover/ConfigMap/grafana-datasources", + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-patroni", + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-pgbackrest", + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-scripts", + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-agent-config", + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-scrapeconfig", + "/v1/groundcover/ConfigMap/k8s-watcher-config", + "/v1/groundcover/ConfigMap/kube-root-ca.crt", + "/v1/groundcover/ConfigMap/portal-config", + "/v1/groundcover/ConfigMap/shepherd-config", + "/v1/groundcover/ConfigMap/tracy-conf-fg9h4chctk", + "/v1/harbor/ConfigMap/harbor-chartmuseum", + "/v1/harbor/ConfigMap/harbor-core", + "/v1/harbor/ConfigMap/harbor-jobservice", + "/v1/harbor/ConfigMap/harbor-jobservice-env", + "/v1/harbor/ConfigMap/harbor-portal", + "/v1/harbor/ConfigMap/harbor-registry", + "/v1/harbor/ConfigMap/harbor-registryctl", + "/v1/harbor/ConfigMap/kube-root-ca.crt", + "/v1/kube-node-lease/ConfigMap/kube-root-ca.crt", + 
"/v1/kube-public/ConfigMap/kube-root-ca.crt", + "/v1/kube-system/ConfigMap/cluster-autoscaler-status", + "/v1/kube-system/ConfigMap/cluster-kubestore", + "/v1/kube-system/ConfigMap/clustermetrics", + "/v1/kube-system/ConfigMap/extension-apiserver-authentication", + "/v1/kube-system/ConfigMap/gke-common-webhook-heartbeat", + "/v1/kube-system/ConfigMap/gke-common-webhook-lock", + "/v1/kube-system/ConfigMap/ingress-gce-lock", + "/v1/kube-system/ConfigMap/ingress-uid", + "/v1/kube-system/ConfigMap/konnectivity-agent-autoscaler-config", + "/v1/kube-system/ConfigMap/kube-dns", + "/v1/kube-system/ConfigMap/kube-dns-autoscaler", + "/v1/kube-system/ConfigMap/kube-root-ca.crt", + "/v1/kube-system/ConfigMap/kubedns-config-images", + "/v1/kube-system/ConfigMap/metadata-agent-config", + "/v1/kube-system/ConfigMap/metrics-server-config", + "/v1/kubescape/ConfigMap/host-scanner-definition", + "/v1/kubescape/ConfigMap/ks-cloud-config", + "/v1/kubescape/ConfigMap/kube-root-ca.crt", + "/v1/kubescape/ConfigMap/kubescape-config", + "/v1/kubescape/ConfigMap/kubescape-cronjob-template", + "/v1/kubescape/ConfigMap/kubescape-scheduler", + "/v1/kubescape/ConfigMap/kubevuln-cronjob-template", + "/v1/kubescape/ConfigMap/kubevuln-scheduler", + "/v1/kubescape/ConfigMap/otel-collector-config", + "/v1/kubescape/ConfigMap/registry-scan-cronjob-template", + "/v1/systest-ns-p7rn/ConfigMap/kube-root-ca.crt", + "/v1/test-vlun-ubuntu/ConfigMap/kube-root-ca.crt" + ], + "/v1/namespaces": [ + "/v1//Namespace/backstage", + "/v1//Namespace/castai-agent", + "/v1//Namespace/cert-manager", + "/v1//Namespace/default", + "/v1//Namespace/groundcover", + "/v1//Namespace/harbor", + "/v1//Namespace/kube-node-lease", + "/v1//Namespace/kube-public", + "/v1//Namespace/kube-system", + "/v1//Namespace/kubescape", + "/v1//Namespace/mysql-demos", + "/v1//Namespace/systest-ns-p7rn", + "/v1//Namespace/test-vlun-ubuntu" + ], + "/v1/nodes": [ + "/v1//Node/gke-cluster-mock-pool-2-65de223a-0mjl", + 
"/v1//Node/gke-cluster-mock-pool-2-65de223a-8q2q", + "/v1//Node/gke-cluster-mock-pool-2-65de223a-cw39", + "/v1//Node/gke-cluster-mock-pool-2-65de223a-gqix", + "/v1//Node/gke-cluster-mock-pool-2-65de223a-rgbb", + "/v1//Node/gke-cluster-mock-pool-2-65de223a-zesg", + "/v1//Node/gke-cluster-mock-pool-3-005b69ef-l4ig" + ], + "/v1/pods": [ + "/v1/backstage/Pod/backstage-backend-5ffdfcf8db-8bfpg", + "/v1/backstage/Pod/backstage-frontend-77b9d6fdb7-xqfxj", + "/v1/backstage/Pod/backstage-lighthouse-549dfb8f45-whlcj", + "/v1/backstage/Pod/backstage-postgresql-0", + "/v1/castai-agent/Pod/castai-agent-cpvpa-84d84596b6-qcpsm", + "/v1/cert-manager/Pod/cert-manager-6b4d84674-2phwh", + "/v1/cert-manager/Pod/cert-manager-cainjector-59f8d9f696-v65cv", + "/v1/cert-manager/Pod/cert-manager-webhook-56889bfc96-z6lqk", + "/v1/default/Pod/arango-deployment-operator-859c44db69-kfvkx", + "/v1/default/Pod/arango-deployment-operator-859c44db69-lx989", + "/v1/default/Pod/arango-storage-operator-9b4679bcf-qf775", + "/v1/default/Pod/arango-storage-operator-9b4679bcf-xfxf4", + "/v1/default/Pod/busybox", + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2", + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2", + "/v1/default/Pod/nginx-deployment-9456bbbf9-sfwd9", + "/v1/default/Pod/nginx-deployment-9456bbbf9-sg2h6", + "/v1/default/Pod/nginx-deployment-9456bbbf9-sq2fg", + "/v1/groundcover/Pod/alligator-8hb2t", + "/v1/groundcover/Pod/alligator-b64xx", + 
"/v1/groundcover/Pod/alligator-bdrnm", + "/v1/groundcover/Pod/alligator-hlbwk", + "/v1/groundcover/Pod/alligator-hs2z6", + "/v1/groundcover/Pod/alligator-mnrrf", + "/v1/groundcover/Pod/alligator-tpz85", + "/v1/groundcover/Pod/grafana-d88f9d644-4dvmb", + "/v1/groundcover/Pod/groundcover-groundcover-loki-0", + "/v1/groundcover/Pod/groundcover-groundcover-tsdb-0", + "/v1/groundcover/Pod/groundcover-promscale-575757f98f-xl4lm", + "/v1/groundcover/Pod/groundcover-victoria-metrics-0", + "/v1/groundcover/Pod/groundcover-victoria-metrics-agent-64c79df6d4-scbtt", + "/v1/groundcover/Pod/k8s-watcher-6f87446b4d-mp4mb", + "/v1/groundcover/Pod/portal-7d9c7c584-gp7q7", + "/v1/groundcover/Pod/shepherd-7f67c966fb-s4gfn", + "/v1/harbor/Pod/harbor-chartmuseum-fdb57b5dd-lchbx", + "/v1/harbor/Pod/harbor-core-5c4874d64-7khzj", + "/v1/harbor/Pod/harbor-database-0", + "/v1/harbor/Pod/harbor-jobservice-c59667f55-t2rf5", + "/v1/harbor/Pod/harbor-notary-server-6cf7c888c5-xskqg", + "/v1/harbor/Pod/harbor-notary-signer-7b54b8cbfd-27jkf", + "/v1/harbor/Pod/harbor-portal-6fdc5d74bf-jwxjl", + "/v1/harbor/Pod/harbor-redis-0", + "/v1/harbor/Pod/harbor-registry-6bddbf7649-xsbjx", + "/v1/harbor/Pod/harbor-trivy-0", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-2lvpw", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-7ptgj", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-9r7r4", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-dchpw", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-p4bg5", + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-thrh8", + "/v1/kube-system/Pod/konnectivity-agent-autoscaler-566966775b-7t2hd", + "/v1/kube-system/Pod/kube-dns-674789b66b-7rd27", + "/v1/kube-system/Pod/kube-dns-674789b66b-p2j5c", + "/v1/kube-system/Pod/kube-dns-autoscaler-fbc66b884-tx8wd", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-0mjl", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-8q2q", + 
"/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-cw39", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-gqix", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-rgbb", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-zesg", + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-3-005b69ef-l4ig", + "/v1/kube-system/Pod/l7-default-backend-6dc845c45d-bg5rc", + "/v1/kube-system/Pod/metrics-server-v0.5.2-6fd865649-q9s2s", + "/v1/kube-system/Pod/pdcsi-node-2rlrk", + "/v1/kube-system/Pod/pdcsi-node-5ctlr", + "/v1/kube-system/Pod/pdcsi-node-5rb82", + "/v1/kube-system/Pod/pdcsi-node-9cbwp", + "/v1/kube-system/Pod/pdcsi-node-gcdjb", + "/v1/kube-system/Pod/pdcsi-node-pj2fn", + "/v1/kube-system/Pod/pdcsi-node-qrxr9", + "/v1/kubescape/Pod/gateway-6bf8c66fd4-46mx2", + "/v1/kubescape/Pod/kollector-0", + "/v1/kubescape/Pod/kubescape-6685bbcbbb-7cfm8", + "/v1/kubescape/Pod/kubescape-scheduler-27964695-zfcdn", + "/v1/kubescape/Pod/kubescape-scheduler-27966135-q6jf8", + "/v1/kubescape/Pod/kubescape-scheduler-27967575-9swgz", + "/v1/kubescape/Pod/kubevuln-78c5c7f67f-dm6vt", + "/v1/kubescape/Pod/kubevuln-scheduler-27965414-jg2s4", + "/v1/kubescape/Pod/kubevuln-scheduler-27966854-7psjx", + "/v1/kubescape/Pod/kubevuln-scheduler-27968294-njg4n", + "/v1/kubescape/Pod/operator-677c97d54f-gwm8k", + "/v1/mysql-demos/Pod/mycluster-0", + "/v1/test-vlun-ubuntu/Pod/ubuntu-16-6989d75886-769cx", + "/v1/test-vlun-ubuntu/Pod/ubuntu-latest-7dbdbb545b-smffz" + ], + "/v1/serviceaccounts": [ + "/v1/backstage/ServiceAccount/default", + "/v1/castai-agent/ServiceAccount/castai-agent", + "/v1/castai-agent/ServiceAccount/default", + "/v1/cert-manager/ServiceAccount/cert-manager", + "/v1/cert-manager/ServiceAccount/cert-manager-cainjector", + "/v1/cert-manager/ServiceAccount/cert-manager-webhook", + "/v1/cert-manager/ServiceAccount/default", + "/v1/default/ServiceAccount/arango-deployment-operator", + 
"/v1/default/ServiceAccount/arango-storage-operator", + "/v1/default/ServiceAccount/default", + "/v1/default/ServiceAccount/mysql-sidecar-sa", + "/v1/groundcover/ServiceAccount/alligator", + "/v1/groundcover/ServiceAccount/default", + "/v1/groundcover/ServiceAccount/grafana", + "/v1/groundcover/ServiceAccount/groundcover-groundcover-loki", + "/v1/groundcover/ServiceAccount/groundcover-groundcover-tsdb", + "/v1/groundcover/ServiceAccount/groundcover-promscale", + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-agent", + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-single", + "/v1/groundcover/ServiceAccount/k8s-watcher", + "/v1/groundcover/ServiceAccount/migrator", + "/v1/groundcover/ServiceAccount/portal", + "/v1/groundcover/ServiceAccount/shepherd", + "/v1/harbor/ServiceAccount/default", + "/v1/kube-node-lease/ServiceAccount/default", + "/v1/kube-public/ServiceAccount/default", + "/v1/kube-system/ServiceAccount/attachdetach-controller", + "/v1/kube-system/ServiceAccount/certificate-controller", + "/v1/kube-system/ServiceAccount/cloud-provider", + "/v1/kube-system/ServiceAccount/clusterrole-aggregation-controller", + "/v1/kube-system/ServiceAccount/cronjob-controller", + "/v1/kube-system/ServiceAccount/daemon-set-controller", + "/v1/kube-system/ServiceAccount/default", + "/v1/kube-system/ServiceAccount/deployment-controller", + "/v1/kube-system/ServiceAccount/disruption-controller", + "/v1/kube-system/ServiceAccount/endpoint-controller", + "/v1/kube-system/ServiceAccount/endpointslice-controller", + "/v1/kube-system/ServiceAccount/endpointslicemirroring-controller", + "/v1/kube-system/ServiceAccount/ephemeral-volume-controller", + "/v1/kube-system/ServiceAccount/event-exporter-sa", + "/v1/kube-system/ServiceAccount/expand-controller", + "/v1/kube-system/ServiceAccount/fluentbit-gke", + "/v1/kube-system/ServiceAccount/generic-garbage-collector", + "/v1/kube-system/ServiceAccount/gke-metrics-agent", + 
"/v1/kube-system/ServiceAccount/job-controller", + "/v1/kube-system/ServiceAccount/konnectivity-agent", + "/v1/kube-system/ServiceAccount/konnectivity-agent-cpha", + "/v1/kube-system/ServiceAccount/kube-dns", + "/v1/kube-system/ServiceAccount/kube-dns-autoscaler", + "/v1/kube-system/ServiceAccount/kube-proxy", + "/v1/kube-system/ServiceAccount/metadata-agent", + "/v1/kube-system/ServiceAccount/metadata-proxy", + "/v1/kube-system/ServiceAccount/metrics-server", + "/v1/kube-system/ServiceAccount/namespace-controller", + "/v1/kube-system/ServiceAccount/node-controller", + "/v1/kube-system/ServiceAccount/pdcsi-node-sa", + "/v1/kube-system/ServiceAccount/persistent-volume-binder", + "/v1/kube-system/ServiceAccount/pod-garbage-collector", + "/v1/kube-system/ServiceAccount/pv-protection-controller", + "/v1/kube-system/ServiceAccount/pvc-protection-controller", + "/v1/kube-system/ServiceAccount/replicaset-controller", + "/v1/kube-system/ServiceAccount/replication-controller", + "/v1/kube-system/ServiceAccount/resourcequota-controller", + "/v1/kube-system/ServiceAccount/root-ca-cert-publisher", + "/v1/kube-system/ServiceAccount/service-account-controller", + "/v1/kube-system/ServiceAccount/service-controller", + "/v1/kube-system/ServiceAccount/statefulset-controller", + "/v1/kube-system/ServiceAccount/ttl-after-finished-controller", + "/v1/kube-system/ServiceAccount/ttl-controller", + "/v1/kubescape/ServiceAccount/default", + "/v1/kubescape/ServiceAccount/ks-sa", + "/v1/kubescape/ServiceAccount/kubescape-sa", + "/v1/systest-ns-p7rn/ServiceAccount/default", + "/v1/test-vlun-ubuntu/ServiceAccount/default" + ], + "apps/v1/daemonsets": [ + "apps/v1/groundcover/DaemonSet/alligator", + "apps/v1/kube-system/DaemonSet/kube-proxy", + "apps/v1/kube-system/DaemonSet/metadata-proxy-v0.1", + "apps/v1/kube-system/DaemonSet/nccl-fastsocket-installer", + "apps/v1/kube-system/DaemonSet/nvidia-gpu-device-plugin", + "apps/v1/kube-system/DaemonSet/pdcsi-node", + 
"apps/v1/kube-system/DaemonSet/pdcsi-node-windows" + ], + "apps/v1/deployments": [ + "apps/v1/backstage/Deployment/backstage-backend", + "apps/v1/backstage/Deployment/backstage-frontend", + "apps/v1/backstage/Deployment/backstage-lighthouse", + "apps/v1/castai-agent/Deployment/castai-agent-cpvpa", + "apps/v1/cert-manager/Deployment/cert-manager", + "apps/v1/cert-manager/Deployment/cert-manager-cainjector", + "apps/v1/cert-manager/Deployment/cert-manager-webhook", + "apps/v1/default/Deployment/arango-deployment-operator", + "apps/v1/default/Deployment/arango-storage-operator", + "apps/v1/default/Deployment/nginx-deployment", + "apps/v1/groundcover/Deployment/grafana", + "apps/v1/groundcover/Deployment/groundcover-promscale", + "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent", + "apps/v1/groundcover/Deployment/k8s-watcher", + "apps/v1/groundcover/Deployment/portal", + "apps/v1/groundcover/Deployment/shepherd", + "apps/v1/harbor/Deployment/harbor-chartmuseum", + "apps/v1/harbor/Deployment/harbor-core", + "apps/v1/harbor/Deployment/harbor-jobservice", + "apps/v1/harbor/Deployment/harbor-notary-server", + "apps/v1/harbor/Deployment/harbor-notary-signer", + "apps/v1/harbor/Deployment/harbor-portal", + "apps/v1/harbor/Deployment/harbor-registry", + "apps/v1/kube-system/Deployment/konnectivity-agent", + "apps/v1/kube-system/Deployment/konnectivity-agent-autoscaler", + "apps/v1/kube-system/Deployment/kube-dns", + "apps/v1/kube-system/Deployment/kube-dns-autoscaler", + "apps/v1/kube-system/Deployment/l7-default-backend", + "apps/v1/kube-system/Deployment/metrics-server-v0.5.2", + "apps/v1/kubescape/Deployment/gateway", + "apps/v1/kubescape/Deployment/kubescape", + "apps/v1/kubescape/Deployment/kubevuln", + "apps/v1/kubescape/Deployment/operator", + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16", + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest" + ], + "apps/v1/replicasets": [ + "apps/v1/backstage/ReplicaSet/backstage-backend-5ffdfcf8db", + 
"apps/v1/backstage/ReplicaSet/backstage-frontend-77b9d6fdb7", + "apps/v1/backstage/ReplicaSet/backstage-lighthouse-549dfb8f45", + "apps/v1/castai-agent/ReplicaSet/castai-agent-cpvpa-84d84596b6", + "apps/v1/cert-manager/ReplicaSet/cert-manager-6b4d84674", + "apps/v1/cert-manager/ReplicaSet/cert-manager-cainjector-59f8d9f696", + "apps/v1/cert-manager/ReplicaSet/cert-manager-webhook-56889bfc96", + "apps/v1/default/ReplicaSet/arango-deployment-operator-859c44db69", + "apps/v1/default/ReplicaSet/arango-storage-operator-9b4679bcf", + "apps/v1/default/ReplicaSet/nginx-deployment-9456bbbf9", + "apps/v1/groundcover/ReplicaSet/grafana-d88f9d644", + "apps/v1/groundcover/ReplicaSet/groundcover-promscale-575757f98f", + "apps/v1/groundcover/ReplicaSet/groundcover-promscale-85997f487b", + "apps/v1/groundcover/ReplicaSet/groundcover-victoria-metrics-agent-64c79df6d4", + "apps/v1/groundcover/ReplicaSet/groundcover-victoria-metrics-agent-776dd65b9b", + "apps/v1/groundcover/ReplicaSet/k8s-watcher-6f87446b4d", + "apps/v1/groundcover/ReplicaSet/portal-7d9c7c584", + "apps/v1/groundcover/ReplicaSet/shepherd-7f67c966fb", + "apps/v1/harbor/ReplicaSet/harbor-chartmuseum-fdb57b5dd", + "apps/v1/harbor/ReplicaSet/harbor-core-5c4874d64", + "apps/v1/harbor/ReplicaSet/harbor-jobservice-c59667f55", + "apps/v1/harbor/ReplicaSet/harbor-notary-server-6cf7c888c5", + "apps/v1/harbor/ReplicaSet/harbor-notary-signer-7b54b8cbfd", + "apps/v1/harbor/ReplicaSet/harbor-portal-6fdc5d74bf", + "apps/v1/harbor/ReplicaSet/harbor-registry-6bddbf7649", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-5c87974869", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-5d944f784d", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-67b9847bc8", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-6d6949887f", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-78d544c7ff", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-79486bdd68", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-7c886949f5", + 
"apps/v1/kube-system/ReplicaSet/konnectivity-agent-89948b6b7", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-566966775b", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-5c49cb58bb", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6b86f667c9", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6cb774c9cc", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6dfb4f9cfb", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-7fd5dd4f5", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-84559799b7", + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-ddccb8b95", + "apps/v1/kube-system/ReplicaSet/kube-dns-56646bfd69", + "apps/v1/kube-system/ReplicaSet/kube-dns-59844ff879", + "apps/v1/kube-system/ReplicaSet/kube-dns-599484b884", + "apps/v1/kube-system/ReplicaSet/kube-dns-674789b66b", + "apps/v1/kube-system/ReplicaSet/kube-dns-6b85cc8b45", + "apps/v1/kube-system/ReplicaSet/kube-dns-6c7b8dc9f9", + "apps/v1/kube-system/ReplicaSet/kube-dns-758c7ff655", + "apps/v1/kube-system/ReplicaSet/kube-dns-79c57c8c9b", + "apps/v1/kube-system/ReplicaSet/kube-dns-7d774598cf", + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-58cbd4f75c", + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-844c9d9448", + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-f4d55555", + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-fbc66b884", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-5465dfc4ff", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-56cb9644f6", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-58fd4695c8", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6654b9bccb", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-66579f5d7", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-69fb9fd9f9", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6b99559c7d", + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6dc845c45d", + 
"apps/v1/kube-system/ReplicaSet/l7-default-backend-865b4c8f8b", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-596b8679b7", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-6fd865649", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-7945948f4b", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-866bc7fbf8", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-86b46dfdc4", + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-9b67f66b8", + "apps/v1/kubescape/ReplicaSet/gateway-6bf8c66fd4", + "apps/v1/kubescape/ReplicaSet/kubescape-6685bbcbbb", + "apps/v1/kubescape/ReplicaSet/kubevuln-78c5c7f67f", + "apps/v1/kubescape/ReplicaSet/operator-677c97d54f", + "apps/v1/test-vlun-ubuntu/ReplicaSet/ubuntu-16-6989d75886", + "apps/v1/test-vlun-ubuntu/ReplicaSet/ubuntu-latest-7dbdbb545b" + ], + "apps/v1/statefulsets": [ + "apps/v1/backstage/StatefulSet/backstage-postgresql", + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki", + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb", + "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics", + "apps/v1/harbor/StatefulSet/harbor-database", + "apps/v1/harbor/StatefulSet/harbor-redis", + "apps/v1/harbor/StatefulSet/harbor-trivy", + "apps/v1/kubescape/StatefulSet/kollector" + ], + "batch/v1/cronjobs": [ + "batch/v1/kubescape/CronJob/kubescape-scheduler", + "batch/v1/kubescape/CronJob/kubevuln-scheduler" + ], + "batch/v1/jobs": [ + "batch/v1/kubescape/Job/kubescape-scheduler-27964695", + "batch/v1/kubescape/Job/kubescape-scheduler-27966135", + "batch/v1/kubescape/Job/kubescape-scheduler-27967575", + "batch/v1/kubescape/Job/kubevuln-scheduler-27965414", + "batch/v1/kubescape/Job/kubevuln-scheduler-27966854", + "batch/v1/kubescape/Job/kubevuln-scheduler-27968294" + ], + "networking.k8s.io/v1/networkpolicies": [], + "policy/v1beta1/podsecuritypolicies": [ + "policy/v1beta1//PodSecurityPolicy/gce.gke-metrics-agent", + "policy/v1beta1//PodSecurityPolicy/groundcover", + 
"policy/v1beta1//PodSecurityPolicy/groundcover-alligator", + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-loki", + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-tsdb", + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-agent", + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-single" + ], + "rbac.authorization.k8s.io/v1/clusterrolebindings": [ + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-crd", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-deployment", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-crd", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-storage", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/armo-scanner-service-account-role-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-controller-role-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-cr", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/castai-agent", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-cainjector", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificates", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificatesigningrequests", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-challenges", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-clusterissuers", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-ingress-shim", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-issuers", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-orders", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews", + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-admin", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler-updateinfo", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/event-exporter-rb", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-bootstrap", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-rotation", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:cloud-provider", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gke-metrics-agent", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/konnectivity-agent-cpha", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ks-sa-role-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kube-apiserver-kubelet-api-admin", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-certificate-bootstrap", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-node-bootstrapper", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-cluster-admin", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-user-npd-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sa-role-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sneeffer-role-binding-container-profiling", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/master-monitoring-role-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/metrics-server:system:auth-delegator", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/mysql-operator-rolebinding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/npd-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-attacher-binding", + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-provisioner-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-resizer-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-snapshotter-binding", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/snapshot-controller-role", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/stackdriver:metadata-agent", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-crd-creator", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-initializer", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-migrator-v2", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-trigger", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:basic-user", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:clustermetrics", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:certificate-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:cronjob-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:daemon-set-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:deployment-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:disruption-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpoint-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslice-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslicemirroring-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ephemeral-volume-controller", + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:expand-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:generic-garbage-collector", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:glbc", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:horizontal-pod-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:job-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:namespace-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:node-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:persistent-volume-binder", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pod-garbage-collector", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pv-protection-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pvc-protection-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replicaset-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replication-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:resourcequota-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:root-ca-cert-publisher", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:route-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-account-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:statefulset-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-after-finished-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-controller", + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:discovery", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gcp-controller-manager", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-common-webhooks", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-actor", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-service-reader", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-healthcheck", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-resourcequota", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-collection-reader", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-hpa-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-metrics-reader", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:konnectivity-server", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-controller-manager", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-proxy", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-scheduler", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kubestore-collector", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:managed-certificate-controller", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:metrics-server", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:monitoring", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node-proxier", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer", + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:resource-tracker", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:service-account-issuer-discovery", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:slo-monitor", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:volume-scheduler", + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/uas-hpa-external-metrics-reader" + ], + "rbac.authorization.k8s.io/v1/clusterroles": [ + "rbac.authorization.k8s.io/v1//ClusterRole/admin", + "rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-crd", + "rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-deployment", + "rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-crd", + "rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-storage", + "rbac.authorization.k8s.io/v1//ClusterRole/armo-scanner-service-account-roles", + "rbac.authorization.k8s.io/v1//ClusterRole/ca-controller-roles", + "rbac.authorization.k8s.io/v1//ClusterRole/ca-cr-actor", + "rbac.authorization.k8s.io/v1//ClusterRole/castai-agent", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-cainjector", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-approve:cert-manager-io", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificates", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificatesigningrequests", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-challenges", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-clusterissuers", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-ingress-shim", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-issuers", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-orders", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-edit", + 
"rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-view", + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-webhook:subjectaccessreviews", + "rbac.authorization.k8s.io/v1//ClusterRole/cloud-provider", + "rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin", + "rbac.authorization.k8s.io/v1//ClusterRole/cluster-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRole/edit", + "rbac.authorization.k8s.io/v1//ClusterRole/external-metrics-reader", + "rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap", + "rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-rotation", + "rbac.authorization.k8s.io/v1//ClusterRole/gce:cloud-provider", + "rbac.authorization.k8s.io/v1//ClusterRole/gke-metrics-agent", + "rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher", + "rbac.authorization.k8s.io/v1//ClusterRole/konnectivity-agent-cpha", + "rbac.authorization.k8s.io/v1//ClusterRole/ks-sa-roles", + "rbac.authorization.k8s.io/v1//ClusterRole/kubelet-api-admin", + "rbac.authorization.k8s.io/v1//ClusterRole/kubescape-sa-roles", + "rbac.authorization.k8s.io/v1//ClusterRole/mysql-operator", + "rbac.authorization.k8s.io/v1//ClusterRole/mysql-sidecar", + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-attacher-role", + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-provisioner-role", + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-resizer-role", + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-snapshotter-role", + "rbac.authorization.k8s.io/v1//ClusterRole/read-updateinfo", + "rbac.authorization.k8s.io/v1//ClusterRole/snapshot-controller-runner", + "rbac.authorization.k8s.io/v1//ClusterRole/stackdriver:metadata-agent", + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-crd-creator", + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-initializer", + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-trigger", + 
"rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-admin", + "rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-edit", + "rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-view", + "rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator", + "rbac.authorization.k8s.io/v1//ClusterRole/system:basic-user", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kube-apiserver-client-approver", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kube-apiserver-client-kubelet-approver", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kubelet-serving-approver", + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:legacy-unknown-approver", + "rbac.authorization.k8s.io/v1//ClusterRole/system:clustermetrics", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:certificate-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:clusterrole-aggregation-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:cronjob-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:daemon-set-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:deployment-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:disruption-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpoint-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslice-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslicemirroring-controller", + 
"rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ephemeral-volume-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:expand-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:generic-garbage-collector", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:glbc", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:job-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:namespace-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:node-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:persistent-volume-binder", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pod-garbage-collector", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pv-protection-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pvc-protection-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replicaset-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replication-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:resourcequota-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:root-ca-cert-publisher", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:route-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-account-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:statefulset-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-after-finished-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:discovery", + 
"rbac.authorization.k8s.io/v1//ClusterRole/system:gcp-controller-manager", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-common-webhooks", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-actor", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-service-reader", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-healthcheck", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-resourcequota", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-collection-reader", + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-metrics-reader", + "rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status", + "rbac.authorization.k8s.io/v1//ClusterRole/system:heapster", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-aggregator", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-controller-manager", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns-autoscaler", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-scheduler", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kubelet-api-admin", + "rbac.authorization.k8s.io/v1//ClusterRole/system:kubestore-collector", + "rbac.authorization.k8s.io/v1//ClusterRole/system:managed-certificate-controller", + "rbac.authorization.k8s.io/v1//ClusterRole/system:master-monitoring-role", + "rbac.authorization.k8s.io/v1//ClusterRole/system:metrics-server", + "rbac.authorization.k8s.io/v1//ClusterRole/system:monitoring", + "rbac.authorization.k8s.io/v1//ClusterRole/system:node", + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper", + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector", + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier", + "rbac.authorization.k8s.io/v1//ClusterRole/system:persistent-volume-provisioner", + 
"rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer", + "rbac.authorization.k8s.io/v1//ClusterRole/system:resource-tracker", + "rbac.authorization.k8s.io/v1//ClusterRole/system:service-account-issuer-discovery", + "rbac.authorization.k8s.io/v1//ClusterRole/system:slo-monitor", + "rbac.authorization.k8s.io/v1//ClusterRole/system:volume-scheduler", + "rbac.authorization.k8s.io/v1//ClusterRole/view" + ], + "rbac.authorization.k8s.io/v1/rolebindings": [ + "rbac.authorization.k8s.io/v1/castai-agent/RoleBinding/castai-agent", + "rbac.authorization.k8s.io/v1/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving", + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-default", + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-deployment", + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-storage-operator-rbac-storage", + "rbac.authorization.k8s.io/v1/default/RoleBinding/read-pods", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/alligator", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-loki", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-tsdb", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-agent-rolebinding", + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-single", + "rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager-cainjector:leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager:leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:cloud-provider", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:podsecuritypolicy:pdcsi-node-sa", + 
"rbac.authorization.k8s.io/v1/kube-system/RoleBinding/konnectivity-agent-cpha", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/metrics-server-auth-reader", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/pdcsi-leaderelection-binding", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/snapshot-controller-leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:cloud-provider", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:glbc", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:token-cleaner", + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election", + "rbac.authorization.k8s.io/v1/kubescape/RoleBinding/ks-sa-role-binding" + ], + "rbac.authorization.k8s.io/v1/roles": [ + "rbac.authorization.k8s.io/v1/castai-agent/Role/castai-agent", + "rbac.authorization.k8s.io/v1/cert-manager/Role/cert-manager-webhook:dynamic-serving", + "rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-default", + "rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-deployment", + "rbac.authorization.k8s.io/v1/default/Role/arango-storage-operator-rbac-storage", + "rbac.authorization.k8s.io/v1/groundcover/Role/alligator", + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover", + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-loki", + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-tsdb", + 
"rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-agent-role", + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-single", + "rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer", + "rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager-cainjector:leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager:leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/Role/cloud-provider", + "rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader", + "rbac.authorization.k8s.io/v1/kube-system/Role/gce:cloud-provider", + "rbac.authorization.k8s.io/v1/kube-system/Role/konnectivity-agent-cpha", + "rbac.authorization.k8s.io/v1/kube-system/Role/pdcsi-leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/Role/snapshot-controller-leaderelection", + "rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager", + "rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler", + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer", + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:cloud-provider", + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:glbc", + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:token-cleaner", + "rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election", + "rbac.authorization.k8s.io/v1/kubescape/Role/ks-sa-roles" + ] + }, + "ArmoResource": { + "container.googleapis.com/v1/ClusterDescribe": [ + "container.googleapis.com/v1/ClusterDescribe/cluster-mock" + ], + "eks.amazonaws.com/v1/ClusterDescribe": null, + "hostdata.kubescape.cloud/v1beta0/KubeletCommandLine": null, + "hostdata.kubescape.cloud/v1beta0/KubeletConfiguration": null, + "hostdata.kubescape.cloud/v1beta0/KubeletInfo": null + }, + "AllPolicies": { + "Controls": { + "C-0002": { + "guid": "", + 
"name": "Exec into container", + "attributes": { + "armoBuiltin": true, + "controlTypeTags": [ + "compliance", + "security-impact" + ], + "microsoftMitreColumns": [ + "Execution" + ], + "rbacQuery": "Show who can access into pods" + }, + "controlID": "C-0002", + "creationTime": "", + "description": "Attackers with relevant permissions can run malicious commands in the context of legitimate containers in the cluster using “kubectl exec” command. This control determines which subjects have permissions to use this command.", + "remediation": "It is recommended to prohibit “kubectl exec” command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", + "rules": [ + { + "guid": "", + "name": "exec-into-container-v1", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::Exec into container", + "resourcesAggregator": "subject-role-rolebinding", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# input: regoResponseVectorObject\n# returns subjects that can exec into container\n\ndeny[msga] {\n\tsubjectVector := input[_]\n\trole := subjectVector.relatedObjects[i]\n\trolebinding := subjectVector.relatedObjects[j]\n\tendswith(role.kind, \"Role\")\n\tendswith(rolebinding.kind, \"Binding\")\n\n\trule := role.rules[p]\n\n\tsubject := rolebinding.subjects[k]\n\tis_same_subjects(subjectVector, subject)\n\n\trule_path := sprintf(\"relatedObjects[%d].rules[%d]\", [i, p])\n\n\tverbs := [\"create\", \"*\"]\n\tverb_path := [sprintf(\"%s.verbs[%d]\", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]\n\tcount(verb_path) \u003e 0\n\n\tapi_groups := [\"\", \"*\"]\n\tapi_groups_path := [sprintf(\"%s.apiGroups[%d]\", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]\n\tcount(api_groups_path) \u003e 0\n\n\tresources := [\"pods/exec\", \"pods/*\", \"*\"]\n\tresources_path := 
[sprintf(\"%s.resources[%d]\", [rule_path, l]) | resource = rule.resources[l]; resource in resources]\n\tcount(resources_path) \u003e 0\n\n\tpath := array.concat(resources_path, verb_path)\n\tpath2 := array.concat(path, api_groups_path)\n\tfinalpath := array.concat(path2, [\n\t\tsprintf(\"relatedObjects[%d].subjects[%d]\", [j, k]),\n\t\tsprintf(\"relatedObjects[%d].roleRef.name\", [j]),\n\t])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Subject: %s-%s can exec into containers\", [subjectVector.kind, subjectVector.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": finalpath,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": subjectVector,\n\t\t},\n\t}\n}\n\n# for service accounts\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.namespace == subject.namespace\n}\n\n# for users/ groups\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.apiGroup == subject.apiGroup\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "rbac.authorization.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "RoleBinding", + "ClusterRoleBinding", + "Role", + "ClusterRole" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines which users have permissions to exec into pods", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 5 + }, + "C-0005": { + "guid": "", + "name": "API server insecure port is enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + 
"controlID": "C-0005", + "creationTime": "", + "description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.", + "remediation": "Set the insecure-port flag of the API server to zero.", + "rules": [ + { + "guid": "", + "name": "insecure-port-flag", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.cautils as cautils\n\n# Fails if pod has insecure-port flag enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontains(pod.metadata.name, \"kube-apiserver\")\n container := pod.spec.containers[i]\n\tpath = is_insecure_port_flag(container, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"The API server container: %v has insecure-port flag enabled\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\t\nis_insecure_port_flag(container, i) = path {\n\tcommand := container.command[j]\n\tcontains(command, \"--insecure-port=1\")\n\tpath := sprintf(\"spec.containers[%v].command[%v]\", [format_int(i, 10), format_int(j, 10)])\n}", + "resourceEnumerator": "package armo_builtins\nimport data.cautils as cautils\n\n# Fails if pod has insecure-port flag enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontains(pod.metadata.name, \"kube-apiserver\")\n container := pod.spec.containers[_]\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"The API server container: %v has insecure-port flag enabled\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [\"\"],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + 
"configInputs": null, + "controlConfigInputs": null, + "description": "fails if the api server has insecure-port enabled", + "remediation": "Make sure that the insecure-port flag of the api server is set to 0", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 9 + }, + "C-0009": { + "guid": "", + "name": "Resource limits", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Impact - service destruction" + ] + } + ], + "controlTypeTags": [ + "security" + ] + }, + "controlID": "C-0009", + "creationTime": "", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "rules": [ + { + "guid": "", + "name": "resource-policies", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if container has limits\ndeny[msga] {\n \tpods := [pod | pod = input[_]; pod.kind == \"Pod\"]\n pod := pods[_]\n\tcontainer := pod.spec.containers[i]\n\t\n\t\n\tbeggining_of_path := \"spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Check if container has limits - for 
workloads\n# If there is no limits specified in the workload, we check the namespace, since if limits are only specified for namespace\n# and not in workload, it won't be on the yaml\ndeny[msga] {\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\t\n\tbeggining_of_path\t:= \"spec.template.spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\t\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n\t\n}\n\n# Check if container has limits - for cronjobs\n# If there is no limits specified in the cronjob, we check the namespace, since if limits are only specified for namespace\n# and not in cronjob, it won't be on the yaml\ndeny [msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\t\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# no limits at all\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tnot container.resources.limits\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}, {\"path\": 
sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}\n\n# only memory limit\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tcontainer.resources.limits\n\tnot container.resources.limits.cpu\n\tcontainer.resources.limits.memory\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}\n\n# only cpu limit\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) =fixPath {\n\tcontainer.resources.limits\n\tnot container.resources.limits.memory\n\tcontainer.resources.limits.cpu\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n\tfailed_path = \"\"\n}\n# limits but without capu and memory \nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tcontainer.resources.limits\n\tnot container.resources.limits.memory\n\tnot container.resources.limits.cpu\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}, {\"path\": sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if namespace has no resource policies defined", + "remediation": "Make sure that you 
definy resource policies (LimitRange or ResourceQuota) which limit the usage of resources for all the namespaces", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + "C-0012": { + "guid": "", + "name": "Applications credentials in configuration files", + "attributes": { + "actionRequired": "configuration", + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Credential access" + ] + }, + { + "attackTrack": "container", + "categories": [ + "Credential access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance", + "security-impact" + ], + "microsoftMitreColumns": [ + "Credential access", + "Lateral Movement" + ] + }, + "controlID": "C-0012", + "creationTime": "", + "description": "Attackers who have access to configuration files can steal the stored secrets and use them. This control checks if ConfigMaps or pod specifications have sensitive information in their configuration.", + "remediation": "Use Kubernetes secrets or Key Management Systems to store credentials.", + "rules": [ + { + "guid": "", + "name": "rule-credentials-in-env-var", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" + }, + "creationTime": "", + "rule": "\tpackage armo_builtins\n\t# import data.cautils as cautils\n\t# import data.kubernetes.api.client as client\n\timport data\n\n\tdeny[msga] {\n\t\tpod := input[_]\n\t\tpod.kind == \"Pod\"\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := pod.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by user\n\t\tnot is_allowed_value(env.value) 
\n\n\t\tis_not_reference(env)\n\n\t\tpath := sprintf(\"spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"Pod: %v has sensitive information in environment variables\", [pod.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [pod]\n\t\t\t}\n\t\t}\n\t}\n\n\tdeny[msga] {\n\t\twl := input[_]\n\t\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\t\tspec_template_spec_patterns[wl.kind]\n\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := wl.spec.template.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by user\n\t\tnot is_allowed_value(env.value) \n\n\t\tis_not_reference(env)\n\n\t\tpath := sprintf(\"spec.template.spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\t\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"%v: %v has sensitive information in environment variables\", [wl.kind, wl.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [wl]\n\t\t\t}\n\t\t}\n\t}\n\n\tdeny[msga] {\n\t\twl := input[_]\n\t\twl.kind == \"CronJob\"\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by 
user\n\t\tnot is_allowed_value(env.value) \n\t\t\n\t\tis_not_reference(env)\n\t\t\n\t\tpath := sprintf(\"spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"Cronjob: %v has sensitive information in environment variables\", [wl.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [wl]\n\t\t\t}\n\t\t}\n\t}\n\n\n\nis_not_reference(env)\n{\n\tnot env.valueFrom.secretKeyRef\n\tnot env.valueFrom.configMapKeyRef\n}\n\nis_allowed_value(value) {\n allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]\n value == allow_val\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.sensitiveKeyNames", + "settings.postureControlInputs.sensitiveValuesAllowed" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.sensitiveKeyNames", + "name": "Keys", + "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. 
Here you can find some examples of popular key phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "AllowedValues", + "description": "Allowed values" + } + ], + "description": "fails if Pods have sensitive information in configuration", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + }, + { + "guid": "", + "name": "rule-credentials-configmap", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" + }, + "creationTime": "", + "rule": "package armo_builtins\n# import data.cautils as cautils\n# import data.kubernetes.api.client as client\nimport data\n\n# fails if config map has keys with suspicious name\ndeny[msga] {\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n # see default-config-inputs.json for list values\n sensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n key_name := sensitive_key_names[_]\n map_secret := configmap.data[map_key]\n map_secret != \"\"\n \n contains(lower(map_key), lower(key_name))\n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n \n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n# fails if config map has values with suspicious content - not base 64\ndeny[msga] {\n # see default-config-inputs.json for list values\n sensitive_values := data.postureControlInputs.sensitiveValues\n value := sensitive_values[_]\n\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n map_secret := configmap.data[map_key]\n map_secret != 
\"\"\n\n regex.match(value , map_secret)\n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n\n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n# fails if config map has values with suspicious content - base 64\ndeny[msga] {\n # see default-config-inputs.json for list values\n sensitive_values := data.postureControlInputs.sensitiveValues\n value := sensitive_values[_]\n\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n map_secret := configmap.data[map_key]\n map_secret != \"\"\n\n decoded_secret := base64.decode(map_secret)\n \n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n\n regex.match(value , decoded_secret)\n\n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n\nis_allowed_value(value) {\n allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]\n value == allow_val\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "ConfigMap" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.sensitiveValues", + "settings.postureControlInputs.sensitiveKeyNames", + "settings.postureControlInputs.sensitiveValuesAllowed" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.sensitiveValues", + "name": "Values", + "description": "Secrets are 
stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveKeyNames", + "name": "Keys", + "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "AllowedValues", + "description": "Allowed values" + } + ], + "description": "fails if ConfigMaps have sensitive information in configuration", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 8 + }, + "C-0013": { + "guid": "", + "name": "Non-root containers", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0013", + "creationTime": "", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. 
Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", + "rules": [ + { + "guid": "", + "name": "non-root-containers", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n################################################################################\n# Rules\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\n\tbeggining_of_path := \"spec\"\n\talertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v may run as root\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\n\tbeggining_of_path := \"spec.template.spec\"\n\talertInfo := evaluate_workload_non_root_container(container, wl.spec.template, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v may run as root\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has a container configured to run as root\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\n\tbeggining_of_path := 
\"spec.jobTemplate.spec.template.spec\"\n\talertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n\t\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v may run as root\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nget_failed_path(alertInfo, i) = [replace(alertInfo.failed_path,\"container_ndx\",format_int(i,10))] {\n\talertInfo.failed_path != \"\"\n} else = []\n\n\nget_fixed_path(alertInfo, i) = [{\"path\":replace(alertInfo.fixPath[0].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[0].value}, {\"path\":replace(alertInfo.fixPath[1].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[1].value}]{\n\tcount(alertInfo.fixPath) == 2\n} else = [{\"path\":replace(alertInfo.fixPath[0].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[0].value}] {\n\tcount(alertInfo.fixPath) == 1\n} else = []\n\n#################################################################################\n# Workload evaluation \n\nevaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo {\n\trunAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path)\n\trunAsNonRootValue.value == false\n\t\n\trunAsUserValue := get_run_as_user_value(container, pod, beggining_of_path)\n\trunAsUserValue.value == 0\n\n\talertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)\n} else = alertInfo {\n allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path)\n allowPrivilegeEscalationValue.value == true\n\n alertInfo := 
allowPrivilegeEscalationValue\n}\n\n\n#################################################################################\n# Value resolution functions\n\n\nget_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot {\n failed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]) \n runAsNonRoot := {\"value\" : container.securityContext.runAsNonRoot, \"failed_path\" : failed_path, \"fixPath\": [] ,\"defined\" : true}\n} else = runAsNonRoot {\n\tfailed_path := sprintf(\"%v.securityContext.runAsNonRoot\", [beggining_of_path]) \n runAsNonRoot := {\"value\" : pod.spec.securityContext.runAsNonRoot, \"failed_path\" : failed_path, \"fixPath\": [], \"defined\" : true}\n} else = {\"value\" : false, \"failed_path\" : \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}], \"defined\" : false} {\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : false, \"failed_path\" : \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]) , \"value\":\"true\"}, {\"path\":sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}], \"defined\" : false}\n\nget_run_as_user_value(container, pod, beggining_of_path) = runAsUser {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsUser\", [beggining_of_path]) \n runAsUser := {\"value\" : container.securityContext.runAsUser, \"failed_path\" : failed_path, \"fixPath\": [], \"defined\" : true}\n} else = runAsUser {\n\tfailed_path := sprintf(\"%v.securityContext.runAsUser\", [beggining_of_path]) \n runAsUser := {\"value\" : pod.spec.securityContext.runAsUser, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = {\"value\" : 0, \"failed_path\": \"\", \"fixPath\": [{\"path\": 
sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}],\"defined\" : false}{\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : 0, \"failed_path\": \"\", \n\t\"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"},{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}],\n\t\"defined\" : false}\n\nget_run_as_group_value(container, pod, beggining_of_path) = runAsGroup {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsGroup\", [beggining_of_path])\n runAsGroup := {\"value\" : container.securityContext.runAsGroup, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = runAsGroup {\n\tfailed_path := sprintf(\"%v.securityContext.runAsGroup\", [beggining_of_path])\n runAsGroup := {\"value\" : pod.spec.securityContext.runAsGroup, \"failed_path\" : failed_path, \"fixPath\":[], \"defined\" : true}\n} else = {\"value\" : 0, \"failed_path\": \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}], \"defined\" : false}{\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : 0, \"failed_path\": \"\", \n\t\"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"},{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}],\n \t\"defined\" : false\n}\n\nget_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path])\n allowPrivilegeEscalation := {\"value\" : 
container.securityContext.allowPrivilegeEscalation, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = allowPrivilegeEscalation {\n\tfailed_path := sprintf(\"%v.securityContext.allowPrivilegeEscalation\", [beggining_of_path])\n allowPrivilegeEscalation := {\"value\" : pod.spec.securityContext.allowPrivilegeEscalation, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = {\"value\" : true, \"failed_path\": \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}], \"defined\" : false}\n\nchoose_first_if_defined(l1, l2) = c {\n l1.defined\n c := l1\n} else = l2\n\n\nis_allow_privilege_escalation_field(container, pod) {\n\tcontainer.securityContext.allowPrivilegeEscalation == false\n}\n\nis_allow_privilege_escalation_field(container, pod) {\n\tpod.spec.securityContext.allowPrivilegeEscalation == false\n}\n\n\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container can run as root", + "remediation": "Make sure that the user/group in the securityContext of pod/container is set to an id less than 1000, or the runAsNonRoot flag is set to true. 
Also make sure that the allowPrivilegeEscalation field is set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + "C-0016": { + "guid": "", + "name": "Allow privilege escalation", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0016", + "creationTime": "", + "description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.", + "remediation": "If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.", + "rules": [ + { + "guid": "", + "name": "rule-allow-privilege-escalation", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has container that allow privilege escalation\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v allow privilege escalation\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has a container that allow privilege escalation\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := 
\"spec.template.spec.\"\n result := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v allow privilege escalation\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has a container that allow privilege escalation\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tresult := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v allow privilege escalation\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n not container.securityContext.allowPrivilegeEscalation == false\n\tnot container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) == 0\n\tfailed_path = \"\"\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)]), \"value\":\"false\"} \n}\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n not container.securityContext.allowPrivilegeEscalation == 
false\n\tnot container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) \u003e 0\n\tpsp := psps[_]\n\tnot psp.spec.allowPrivilegeEscalation == false\n\tfailed_path = \"\"\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)]), \"value\":\"false\"} \n}\n\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) == 0\n\tfixPath = \"\"\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)])\n}\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path)= [failed_path, fixPath] {\n container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) \u003e 0\n\tpsp := psps[_]\n\tnot psp.spec.allowPrivilegeEscalation == false\n\tfixPath = \"\"\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)])\n}\n\n get_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + }, + { + "apiGroups": [ + "policy" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "PodSecurityPolicy" + ] + } + ], + 
"ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container allows privilege escalation", + "remediation": "Make sure that the allowPrivilegeEscalation field in the securityContext of pod/container is set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + "C-0017": { + "guid": "", + "name": "Immutable container filesystem", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Execution", + "Persistence" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0017", + "creationTime": "", + "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", + "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). 
If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "rules": [ + { + "guid": "", + "name": "immutable-container-filesystem", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pods has container with mutable filesystem\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v has mutable filesystem\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has container with mutable filesystem \ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n result := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v has mutable filesystem\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has container with mutable filesystem \ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = 
wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tresult := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v has mutable filesystem\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec\nis_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] {\n\tcontainer.securityContext.readOnlyRootFilesystem == false\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.readOnlyRootFilesystem\", [beggining_of_path, format_int(i, 10)])\n\tfixPath = \"\"\n }\n\n is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] {\n\tnot container.securityContext.readOnlyRootFilesystem == false\n not container.securityContext.readOnlyRootFilesystem == true\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.readOnlyRootFilesystem\", [beggining_of_path, format_int(i, 10)]), \"value\": \"true\"}\n\tfailed_path = \"\"\n }\n\n\n get_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + 
"ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container has mutable filesystem", + "remediation": "Make sure that the securityContext.readOnlyRootFilesystem field in the container/pod spec is set to true", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 3 + }, + "C-0030": { + "guid": "", + "name": "Ingress and Egress blocked", + "attributes": { + "armoBuiltin": true, + "controlTypeTags": [ + "compliance" + ] + }, + "controlID": "C-0030", + "creationTime": "", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "remediation": "Define a network policy that restricts ingress and egress connections.", + "rules": [ + { + "guid": "", + "name": "ingress-and-egress-blocked", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# For pods\ndeny[msga] {\n \t\tpods := [pod | pod= input[_]; pod.kind == \"Pod\"]\n\t\tnetworkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\t\tpod := pods[_]\n\t\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; pod_connected_to_network_policy(pod, networkpolicie)]\n\t\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\t\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v does not have ingress/egress defined\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n\n}\n\n# For pods\ndeny[msga] {\n 
\t\tpods := [pod | pod= input[_]; pod.kind == \"Pod\"]\n\t\tnetworkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\t\tpod := pods[_]\n\t\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; pod_connected_to_network_policy(pod, networkpolicie)]\n\t\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v does not have ingress/egress defined\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n\n}\n\n# For workloads\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; wlConnectedToNetworkPolicy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# For workloads\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == 
\"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; wlConnectedToNetworkPolicy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# For Cronjobs\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; cronjob_connected_to_network_policy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# For Cronjobs\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; cronjob_connected_to_network_policy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 
7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tmetadata1.namespace == metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tnot metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata2.namespace\n\tmetadata1.namespace == \"default\"\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tmetadata2.namespace == \"default\"\n}\n\npod_connected_to_network_policy(pod, networkpolicie){\n\tis_same_namespace(networkpolicie.metadata, pod.metadata)\n count(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == pod.metadata.labels[x]}) == count(networkpolicie.spec.podSelector.matchLabels)\n}\n\npod_connected_to_network_policy(pod, networkpolicie){\n\tis_same_namespace(networkpolicie.metadata ,pod.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\nwlConnectedToNetworkPolicy(wl, networkpolicie){\n\tis_same_namespace(wl.metadata , networkpolicie.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\n\nwlConnectedToNetworkPolicy(wl, networkpolicie){\n\tis_same_namespace(wl.metadata, networkpolicie.metadata)\n\tcount(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == wl.spec.template.metadata.labels[x]}) == count(networkpolicie.spec.podSelector.matchLabels)\n}\n\n\ncronjob_connected_to_network_policy(cj, networkpolicie){\n\tis_same_namespace(cj.metadata , networkpolicie.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\ncronjob_connected_to_network_policy(cj, networkpolicie){\n\tis_same_namespace(cj.metadata , networkpolicie.metadata)\n\tcount(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == cj.spec.jobTemplate.spec.template.metadata.labels[x]}) == 
count(networkpolicie.spec.podSelector.matchLabels)\n}\n\nis_ingerss_egress_policy(networkpolicie) {\n list_contains(networkpolicie.spec.policyTypes, \"Ingress\")\n list_contains(networkpolicie.spec.policyTypes, \"Egress\")\n }\n\nlist_contains(list, element) {\n some i\n list[i] == element\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + }, + { + "apiGroups": [ + "networking.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "NetworkPolicy" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if there are no ingress and egress defined for pod", + "remediation": "Make sure you define ingress and egress policies for all your Pods", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + "C-0034": { + "guid": "", + "name": "Automatic mapping of service account", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Credential access", + "Impact - K8s API access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0034", + "creationTime": "", + "description": "Potential attacker may gain access to a POD and steal its service account token. 
Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "rules": [ + { + "guid": "", + "name": "automount-service-account", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# Fails if user account mount tokens in pod by default\ndeny [msga]{\n service_accounts := [service_account | service_account= input[_]; service_account.kind == \"ServiceAccount\"]\n service_account := service_accounts[_]\n result := is_auto_mount(service_account)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t \"alertMessage\": sprintf(\"the following service account: %v in the following namespace: %v mounts service account tokens in pods by default\", [service_account.metadata.name, service_account.metadata.namespace]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [service_account]\n\t\t}\n\t}\n} \n\n\n # -- ---- For workloads -- ---- \n# Fails if pod mount tokens by default (either by its config or by its SA config)\n\n # POD \ndeny [msga]{\n pod := input[_]\n\tpod.kind == \"Pod\"\n\n\tbeggining_of_path := \"spec.\"\n\twl_namespace := pod.metadata.namespace\n\tresult := is_sa_auto_mounted(pod.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t \"alertMessage\": sprintf(\"Pod: %v in the following namespace: %v mounts service account tokens by default\", [pod.metadata.name, 
pod.metadata.namespace]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n} \n\n# WORKLOADS\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tbeggining_of_path := \"spec.template.spec.\"\n\n\twl_namespace := wl.metadata.namespace\n\tresult := is_sa_auto_mounted(wl.spec.template.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v in the following namespace: %v mounts service account tokens by default\", [wl.kind, wl.metadata.name, wl.metadata.namespace]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# CRONJOB\ndeny[msga] {\n \twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n \n\twl_namespace := wl.metadata.namespace\n\tresult := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v in the following namespace: %v mounts service account tokens by default\", [wl.kind, wl.metadata.name, wl.metadata.namespace]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\n # -- ---- For workloads -- ---- \nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, 
fix_path] {\n\t# automountServiceAccountToken not in pod spec\n\tnot spec.automountServiceAccountToken == false\n\tnot spec.automountServiceAccountToken == true\n\n\t# check if SA automount by default\n\tsa := input[_]\n\tis_same_sa(spec, sa.metadata.name)\n\tis_same_namespace(sa.metadata.namespace , wl_namespace)\n\tnot sa.automountServiceAccountToken == false\n\n\t# path is pod spec\n\tfix_path = { \"path\": sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path]), \"value\": \"false\"}\n\tfailed_path = \"\"\n}\n\nget_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n\nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] {\n\t# automountServiceAccountToken set to true in pod spec\n\tspec.automountServiceAccountToken == true\n\t\n\t# SA automount by default\n\tservice_accounts := [service_account | service_account = input[_]; service_account.kind == \"ServiceAccount\"]\n\tcount(service_accounts) \u003e 0\n\tsa := service_accounts[_]\n\tis_same_sa(spec, sa.metadata.name)\n\tis_same_namespace(sa.metadata.namespace , wl_namespace)\n\tnot sa.automountServiceAccountToken == false\n\n\tfailed_path = sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path])\n\tfix_path = \"\"\n}\n\nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] {\n\t# automountServiceAccountToken set to true in pod spec\n\tspec.automountServiceAccountToken == true\n\t\n\t# No SA (yaml scan)\n\tservice_accounts := [service_account | service_account = input[_]; service_account.kind == \"ServiceAccount\"]\n\tcount(service_accounts) == 0\n\tfailed_path = sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path])\n\tfix_path = \"\"\n}\n\n\n\n # -- ---- For SAs -- ---- \nis_auto_mount(service_account) = [failed_path, fix_path] {\n\tservice_account.automountServiceAccountToken == true\n\tfailed_path = 
\"automountServiceAccountToken\"\n\tfix_path = \"\"\n}\n\nis_auto_mount(service_account)= [failed_path, fix_path] {\n\tnot service_account.automountServiceAccountToken == false\n\tnot service_account.automountServiceAccountToken == true\n\tfix_path = {\"path\": \"automountServiceAccountToken\", \"value\": \"false\"}\n\tfailed_path = \"\"\n}\n\nis_same_sa(spec, serviceAccountName) {\n\tspec.serviceAccountName == serviceAccountName\n}\n\nis_same_sa(spec, serviceAccountName) {\n\tnot spec.serviceAccountName \n\tserviceAccountName == \"default\"\n}\n\n\nis_same_namespace(metadata1, metadata2) {\n\tmetadata1.namespace == metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tnot metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata2.namespace\n\tmetadata1.namespace == \"default\"\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tmetadata2.namespace == \"default\"\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod", + "ServiceAccount" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if service account and workloads mount service account token by default", + "remediation": "Make sure that the automountServiceAccountToken field on the service account spec if set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + "C-0035": { + "guid": "", + "name": "Cluster-admin binding", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": 
"kubeapi", + "categories": [ + "Impact - data destruction", + "Impact - service injection" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ], + "microsoftMitreColumns": [ + "Privilege escalation" + ], + "rbacQuery": "Show cluster_admin" + }, + "controlID": "C-0035", + "creationTime": "", + "description": "Attackers who have cluster admin permissions (can perform any action on any resource), can take advantage of their privileges for malicious activities. This control determines which subjects have cluster admin permissions.", + "remediation": "You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use subjects with such high permissions for daily operations.", + "rules": [ + { + "guid": "", + "name": "rule-list-all-cluster-admins-v1", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::Cluster-admin binding", + "resourcesAggregator": "subject-role-rolebinding", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# returns subjects with cluster admin permissions\ndeny[msga] {\n\tsubjectVector := input[_]\n\trole := subjectVector.relatedObjects[i]\n\trolebinding := subjectVector.relatedObjects[j]\n\tendswith(role.kind, \"Role\")\n\tendswith(rolebinding.kind, \"Binding\")\n\n\trule := role.rules[p]\n\tsubject := rolebinding.subjects[k]\n\tis_same_subjects(subjectVector, subject)\n\nis_same_subjects(subjectVector, subject)\n\trule_path := sprintf(\"relatedObjects[%d].rules[%d]\", [i, p])\n\n\tverbs := [\"*\"]\n\tverb_path := [sprintf(\"%s.verbs[%d]\", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]\n\tcount(verb_path) \u003e 0\n\n\tapi_groups := [\"*\", \"\"]\n\tapi_groups_path := [sprintf(\"%s.apiGroups[%d]\", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]\n\tcount(api_groups_path) \u003e 0\n\n\tresources := 
[\"*\"]\n\tresources_path := [sprintf(\"%s.resources[%d]\", [rule_path, l]) | resource = rule.resources[l]; resource in resources]\n\tcount(resources_path) \u003e 0\n\n\tpath := array.concat(resources_path, verb_path)\n\tpath2 := array.concat(path, api_groups_path)\n\tfinalpath := array.concat(path2, [\n\t\tsprintf(\"relatedObjects[%d].subjects[%d]\", [j, k]),\n\t\tsprintf(\"relatedObjects[%d].roleRef.name\", [j]),\n\t])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Subject: %s-%s have high privileges, such as cluster-admin\", [subjectVector.kind, subjectVector.name]),\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": finalpath,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": subjectVector,\n\t\t},\n\t}\n}\n\n# for service accounts\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.namespace == subject.namespace\n}\n\n# for users/ groups\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.apiGroup == subject.apiGroup\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Role", + "ClusterRole", + "ClusterRoleBinding", + "RoleBinding" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines which users have cluster admin permissions", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 6 + }, + "C-0038": { + "guid": "", + "name": "Host PID/IPC privileges", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + 
"compliance" + ] + }, + "controlID": "C-0038", + "creationTime": "", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", + "rules": [ + { + "guid": "", + "name": "host-pid-ipc-privileges", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has hostPID enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tis_host_pid(pod.spec)\n\tpath := \"spec.hostPID\"\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v has hostPID enabled\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if pod has hostIPC enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tis_host_ipc(pod.spec)\n\tpath := \"spec.hostIPC\"\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v has hostIPC enabled\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has hostPID enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_pid(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostPID\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod with hostPID enabled\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": 
[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has hostIPC enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_ipc(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostIPC\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod with hostIPC enabled\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has hostPID enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_pid(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostPID\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod with hostPID enabled\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has hostIPC enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_ipc(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostIPC\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod with hostIPC enabled\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Check that hostPID and hostIPC are set to false. Default is false. 
Only in pod spec\n\n\nis_host_pid(podspec){\n podspec.hostPID == true\n}\n\nis_host_ipc(podspec){\n podspec.hostIPC == true\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "Containers should be as isolated as possible from the host machine. The hostPID and hostIPC fields in Kubernetes may excessively expose the host to potentially malicious actions.", + "remediation": "Make sure that the fields hostIPC and hostPID in the pod spec are not set to true (set to false or not present)", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + "C-0041": { + "guid": "", + "name": "HostNetwork access", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Discovery", + "Lateral movement", + "Impact - service access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0041", + "creationTime": "", + "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", + "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). 
Whitelist only those PODs that must have access to host network by design.", + "rules": [ + { + "guid": "", + "name": "host-network-access", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# Fails if pod has hostNetwork enabled\ndeny[msga] {\n pods := [ pod | pod = input[_] ; pod.kind == \"Pod\"]\n pod := pods[_]\n\n\tis_host_network(pod.spec)\n\tpath := \"spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"Pod: %v is connected to the host network\", [pod.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has hostNetwork enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_network(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod connected to the host network\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has hostNetwork enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_network(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod connected to the host network\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_host_network(podspec) {\n podspec.hostNetwork == true\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" 
+ ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if pod has hostNetwork enabled", + "remediation": "Make sure that the hostNetwork field of the pod spec is not set to true (set to false or not present)", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + "C-0044": { + "guid": "", + "name": "Container hostPort", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance", + "devops" + ] + }, + "controlID": "C-0044", + "creationTime": "", + "description": "Configuring hostPort requires a particular port number. If two objects specify the same HostPort, they could not be deployed to the same node. It may prevent the second object from starting, even if Kubernetes will try reschedule it on another node, provided there are available nodes with sufficient amount of resources. Also, if the number of replicas of such workload is higher than the number of nodes, the deployment will consistently fail.", + "remediation": "Avoid usage of hostPort unless it is absolutely necessary, in which case define appropriate exception. 
Use NodePort / ClusterIP instead.", + "rules": [ + { + "guid": "", + "name": "container-hostPort", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has container with hostPort\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n container := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n\tpath := is_host_port(container, i, beggining_of_path)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v has Host-port\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has container with hostPort\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n path := is_host_port(container, i, beggining_of_path)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v in %v: %v has Host-port\", [ container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has container with hostPort\ndeny[msga] {\n \twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n path := is_host_port(container, i, beggining_of_path)\n msga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v in %v: %v has Host-port\", [ container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": 
{\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\nis_host_port(container, i, beggining_of_path) = path {\n\tpath = [sprintf(\"%vcontainers[%v].ports[%v].hostPort\", [beggining_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort]\n\tcount(path) \u003e 0\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container has hostPort", + "remediation": "Make sure you do not configure hostPort for the container, if necessary use NodePort / ClusterIP", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + "C-0046": { + "guid": "", + "name": "Insecure capabilities", + "attributes": { + "actionRequired": "configuration", + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0046", + "creationTime": "", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. 
This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "remediation": "Remove all insecure capabilities which are not necessary for the container.", + "rules": [ + { + "guid": "", + "name": "insecure-capabilities", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data\nimport data.cautils as cautils\n\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v have dangerous capabilities\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in workload: %v have dangerous capabilities\", [container.name, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in cronjob: %v have dangerous capabilities\", 
[container.name, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_dangerous_capabilities(container, beggining_of_path, i) = path {\n\t# see default-config-inputs.json for list values\n insecureCapabilities := data.postureControlInputs.insecureCapabilities\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)]\n\tcount(path) \u003e 0\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.insecureCapabilities" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.insecureCapabilities", + "name": "Insecure capabilities", + "description": "You can see the list of capabilities in https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers which might lead to attackers getting high privileges in your system." 
+ } + ], + "description": "fails if container has insecure capabilities", + "remediation": "Remove all insecure capabilities which aren’t necessary for the container.", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + "C-0054": { + "guid": "", + "name": "Cluster internal networking", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Discovery", + "Lateral movement" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ], + "microsoftMitreColumns": [ + "Lateral movement" + ] + }, + "controlID": "C-0054", + "creationTime": "", + "description": "If no network policy is defined, attackers who gain access to a container may use it to move laterally in the cluster. This control lists namespaces in which no network policy is defined.", + "remediation": "Define Kubernetes network policies or use alternative products to protect cluster network.", + "rules": [ + { + "guid": "", + "name": "internal-networking", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Lateral Movement::Container internal networking, Discovery::Network mapping" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# input: network policies\n# apiversion: networking.k8s.io/v1\n# fails if no network policies are defined in a certain namespace\n\ndeny[msga] {\n\tnamespaces := [namespace | namespace = input[_]; namespace.kind == \"Namespace\"]\n\tnamespace := namespaces[_]\n\tpolicy_names := [policy.metadata.namespace | policy = input[_]; policy.kind == \"NetworkPolicy\"]\n\tnot list_contains(policy_names, namespace.metadata.name)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"no policy is defined for namespace %v\", [namespace.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": 
[namespace]\n\t\t}\n\t}\n}\n\nlist_contains(list, element) {\n some i\n list[i] == element\n}", + "resourceEnumerator": "package armo_builtins\n\n# input: network policies + namespaces\n# apiversion: networking.k8s.io/v1\n# returns all namespaces\n\ndeny[msga] {\n\tnamespaces := [namespace | namespace = input[_]; namespace.kind == \"Namespace\"]\n\tnamespace := namespaces[_]\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"no policy is defined for namespace %v\", [namespace.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [\"\"],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [namespace]\n\t\t}\n\t}\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Namespace" + ] + }, + { + "apiGroups": [ + "networking.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "NetworkPolicy" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "lists namespaces in which no network policies are defined", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + "C-0055": { + "guid": "", + "name": "Linux hardening", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0055", + "creationTime": "", + "description": "Containers may be given more privileges than they actually need. 
This can increase the potential impact of a container compromise.", + "remediation": "You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges.", + "rules": [ + { + "guid": "", + "name": "linux-hardening", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# Fails if pod does not define linux security hardening \ndeny[msga] {\n\tobj := input[_]\n\tfix_paths := is_unsafe_obj(obj)\n\tcount(fix_paths) \u003e 0\n\n\t# final_fix_pathes := array.concat(fix_paths) # -\u003e produce only one failed result\n\tfinal_fix_pathes := fix_paths[_] # -\u003e produce failed result for each container\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%s: %s does not define any linux security hardening\", [obj.kind, obj.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": final_fix_pathes,\n\t\t\"alertObject\": {\"k8sApiObjects\": [obj]},\n\t}\n}\n\nis_unsafe_obj(obj) := fix_paths {\n\tobj.kind == \"Pod\"\n\tfix_paths := are_unsafe_specs(obj, [\"spec\"], [\"metadata\", \"annotations\"])\n} else := fix_paths {\n\tobj.kind == \"CronJob\"\n\tfix_paths := are_unsafe_specs(obj, [\"spec\", \"jobTemplate\", \"spec\", \"template\", \"spec\"], [\"spec\", \"jobTemplate\", \"spec\", \"template\", \"metadata\", \"annotations\"])\n} else := fix_paths {\n\tobj.kind in [\"Deployment\", \"ReplicaSet\", \"DaemonSet\", \"StatefulSet\", \"Job\"]\n\tfix_paths := are_unsafe_specs(obj, [\"spec\", \"template\", \"spec\"], [\"spec\", \"template\", \"metadata\", \"annotations\"])\n}\n\nare_unsafe_specs(obj, specs_path, anotation_path) := paths {\n\t# spec\n\tspecs := object.get(obj, specs_path, null)\n\tspecs != null\n\tare_seccomp_and_selinux_disabled(specs)\n\n\t# annotation\n\tannotations := object.get(obj, anotation_path, [])\n\tapp_armor_annotations := [annotations[i] | 
annotation = i; startswith(i, \"container.apparmor.security.beta.kubernetes.io\")]\n\tcount(app_armor_annotations) == 0\n\n\t# container\n\tcontainers_path := array.concat(specs_path, [\"containers\"])\n\tcontainers := object.get(obj, containers_path, [])\n\n\t# Psuedo code explanation:\n\t# for i, container in containers\n\t# \t\tif is_unsafe_container:\n\t# \t\t\tfix_paths += [(containers_path[i] + field) for j, field in fix_fields]\n\t# \n\t# At the end we get [[\u003ccontainer1_path1\u003e, \u003ccontainer1_path2\u003e, ...], ...]\n\tcontainers_fix_path := concat(\".\", containers_path)\n\tfix_fields := [\"seccompProfile\", \"seLinuxOptions\", \"capabilities.drop[0]\"]\n\tpaths := [[{\n\t\t\"path\": sprintf(\"%s[%d].securityContext.%s\", [containers_fix_path, i, field]),\n\t\t\"value\": \"YOUR_VALUE\",\n\t} |\n\t\tfield := fix_fields[j]\n\t] |\n\t\tcontainer = containers[i]\n\t\tis_unsafe_container(container)\n\t]\n\n\tcount(paths) \u003e 0\n}\n\nare_seccomp_and_selinux_disabled(obj) {\n\tnot obj.securityContext.seccompProfile\n\tnot obj.securityContext.seLinuxOptions\n}\n\nis_unsafe_container(container) {\n\tare_seccomp_and_selinux_disabled(container)\n\tnot container.securityContext.capabilities.drop\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container does not define any linux security hardening", + "remediation": "Make sure you define at least one linux security hardening property out of Seccomp, SELinux or Capabilities.", + "ruleQuery": "armo_builtins", + 
"relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + "C-0057": { + "guid": "", + "name": "Privileged container", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security" + ], + "microsoftMitreColumns": [ + "Privilege escalation" + ] + }, + "controlID": "C-0057", + "creationTime": "", + "description": "Potential attackers may gain access to privileged containers and inherit access to the host resources. Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary. This control identifies all the privileged Pods.", + "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", + "rules": [ + { + "guid": "", + "name": "rule-privilege-escalation", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::privileged container", + "mitre": "Privilege Escalation", + "mitreCode": "TA0004" + }, + "creationTime": "", + "rule": "package armo_builtins\n# Deny mutating action unless user is in group owning the resource\n\n\n#privileged pods\ndeny[msga] {\n\n\tpod := input[_]\n\tpod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"the following pods are defined as privileged: %v\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n }\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\twl 
:= input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v is defined as privileged:\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\n#handles cronjob\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined as privileged: %v\", [wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\n\n# Only SYS_ADMIN capabilite\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tnot container.securityContext.privileged == true\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == \"SYS_ADMIN\"]\n\tcount(path) \u003e 0\n}\n\n# Only securityContext.privileged == true\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tcontainer.securityContext.privileged == true\n\tpath1 = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == 
\"SYS_ADMIN\"]\n\tcount(path1) \u003c 1\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.privileged\", [beggining_of_path, format_int(i, 10)])]\n}\n\n# SYS_ADMIN capabilite \u0026\u0026 securityContext.privileged == true\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tpath1 = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == \"SYS_ADMIN\"]\n\tcount(path1) \u003e 0\n\tcontainer.securityContext.privileged == true\n\tpath = array.concat(path1, [sprintf(\"%vcontainers[%v].securityContext.privileged\", [beggining_of_path, format_int(i, 10)])])\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines if pods/deployments defined as privileged true", + "remediation": "avoid defining pods as privilleged", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 8 + }, + "C-0058": { + "guid": "", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Persistence", + "Impact - Data access in container" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0058", + "creationTime": "", + "description": "A user may be able to create a container with subPath or subPathExpr volume mounts to access 
files \u0026 directories anywhere on the host filesystem. Following Kubernetes versions are affected: v1.22.0 - v1.22.1, v1.21.0 - v1.21.4, v1.20.0 - v1.20.10, version v1.19.14 and lower. This control checks the vulnerable versions and the actual usage of the subPath feature in all Pods in the cluster. If you want to learn more about the CVE, please refer to the CVE link: https://nvd.nist.gov/vuln/detail/CVE-2021-25741", + "remediation": "To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, or remove any existing Pods using subPath or subPathExpr feature.", + "rules": [ + { + "guid": "", + "name": "Symlink-Exchange-Can-Allow-Host-Filesystem-Access", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. 
You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr\", [container.name, pod.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [pod]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n \n\tmsga := {\n\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. 
You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\n\nis_sub_path_container(container, i, beggining_of_path) = path {\n\tpath = [sprintf(\"%vcontainers[%v].volumeMounts[%v].subPath\" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath]\n\tcount(path) \u003e 0\n}\n\nis_vulnerable_version(version) {\n version \u003c= \"v1.19.14\"\n}\n\nis_vulnerable_version(version){\n version \u003e= \"v1.22.0\"\n version \u003c= \"v1.22.1\"\n}\n\n\nis_vulnerable_version(version){\n version \u003e= \"v1.21.0\"\n version \u003c= \"v1.21.4\"\n}\n\n\nis_vulnerable_version(version){\n version \u003e= \"v1.20.0\"\n version \u003c= \"v1.20.9\"\n}\n\nis_vulnerable_version(version){\n\tversion == \"v1.20.10\"\n}\n\n\n", + "resourceEnumerator": "package armo_builtins\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n pod := input[_]\n pod.kind == \"Pod\"\n\n\tmsga := {\n\t\t\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [pod]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n \n\tmsga := {\n\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := 
nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n wl := input[_]\n\twl.kind == \"CronJob\"\n \n\tmsga := {\n\t\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\nisVulnerableVersion(version) {\n version \u003c= \"v1.19.14\"\n}\n\nisVulnerableVersion(version){\n version \u003e= \"v1.22.0\"\n version \u003c= \"v1.22.1\"\n}\n\n\nisVulnerableVersion(version){\n version \u003e= \"v1.21.0\"\n version \u003c= \"v1.21.4\"\n}\n\n\nisVulnerableVersion(version){\n version \u003e= \"v1.20.0\"\n version \u003c= \"v1.20.9\"\n}\n\nisVulnerableVersion(version){\n\tversion == \"v1.20.10\"\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod", + "Node" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "A user may be able to create a container with subPath volume mounts to access files \u0026 directories outside of the volume, including on the host filesystem. This was affected at the following versions: v1.22.0 - v1.22.1, v1.21.0 - v1.21.4, v1.20.0 - v1.20.10, version v1.19.14 and lower. 
", + "remediation": "To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + "C-0059": { + "guid": "", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Initial access", + "Execution" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0059", + "creationTime": "", + "description": "Security issue in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (see more at https://github.com/kubernetes/ingress-nginx/issues/7837)", + "remediation": "To mitigate this vulnerability: 1. Upgrade to a version that allows mitigation (\u003e= v0.49.1 or \u003e= v1.0.1), 2. 
Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx", + "rules": [ + { + "guid": "", + "name": "nginx-ingress-snippet-annotation-vulnerability", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\ndeny[msga] {\n\tdeployment := input[_]\n\tdeployment.kind == \"Deployment\"\n\timage := deployment.spec.template.spec.containers[i].image\n\tis_nginx_image(image)\n\tis_tag_image(image)\n\n\t# Extracting version from image tag\n\ttag_version_match := regex.find_all_string_submatch_n(\"[0-9]+\\\\.[0-9]+\\\\.[0-9]+\", image, -1)[0][0]\n image_version_str_arr := split(tag_version_match,\".\")\n\timage_version_arr := [to_number(image_version_str_arr[0]),to_number(image_version_str_arr[1]),to_number(image_version_str_arr[2])]\n\n\t# Check if vulnerable \n\tis_vulnerable(image_version_arr, deployment.metadata.namespace)\n\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25742. 
Deployment %v\", [deployment.metadata.name]),\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"fixPaths\":[],\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [deployment]},\n\t\t}\n}\n\n\t\nis_nginx_image(image) {\n\tcontains(image, \"nginx-controller\")\n}\n\nis_nginx_image(image) {\n\tcontains(image, \"ingress-controller\")\n}\n\nis_nginx_image(image) {\n\tcontains(image, \"ingress-nginx\")\n}\n\nis_allow_snippet_annotation_on(namespace) {\n configmaps := [configmap | configmap = input[_]; configmap.kind == \"ConfigMap\"]\n\tconfigmap_on_ingress_namespace := [configmap | configmap= configmaps[_]; configmap.metadata.namespace == namespace]\n\tconfig_maps_with_snippet := [configmap | configmap= configmap_on_ingress_namespace[_]; configmap.data[\"allow-snippet-annotations\"] == \"false\"]\n\tcount(config_maps_with_snippet) \u003c 1\n}\n\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 0\n\timage_version[1] \u003c 49\n\tis_allow_snippet_annotation_on(namespace)\n}\n\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 0\n\timage_version[1] == 49\n\timage_version[2] == 0\n\tis_allow_snippet_annotation_on(namespace)\n}\n\t\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 1\n\timage_version[1] == 0\n\timage_version[2] == 0\n\tis_allow_snippet_annotation_on(namespace)\n}\n\nis_tag_image(image) {\n reg := \":[\\\\w][\\\\w.-]{0,127}(\\/)?\"\n version := regex.find_all_string_submatch_n(reg, image, -1)\n v := version[_]\n img := v[_]\n not endswith(img, \"/\")\n}", + "resourceEnumerator": "package armo_builtins\n\ndeny[msga] {\n\tdeployment := input[_]\n\tdeployment.kind == \"Deployment\"\n\timage := deployment.spec.template.spec.containers[i].image\n\tisNginxImage(image)\n\tis_tag_image(image)\n\tisVulnerable(image, deployment.metadata.namespace)\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25742. 
%v\", [deployment]),\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [deployment]},\n\t\t}\n}\n\n\t\nisNginxImage(image) {\n\tcontains(image, \"nginx-controller\")\n}\n\nisNginxImage(image) {\n\tcontains(image, \"ingress-controller\")\n}\n\nisNginxImage(image) {\n\tcontains(image, \"ingress-nginx\")\n}\n\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n startswith(tag, \"v\")\n tag \u003c= \"v0.49\"\n}\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n startswith(tag, \"v\")\n tag == \"v1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n startswith(tag, \"v\")\n\ttag \u003c= \"v0.49\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n startswith(tag, \"v\")\n\ttag == \"v1.0.0\"\n}\n\n###### without 'v'\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n not startswith(tag, \"v\")\n tag \u003c= \"0.49\"\n}\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n not startswith(tag, \"v\")\n tag == \"1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n not startswith(tag, \"v\")\n\ttag \u003c= \"0.49\"\n}\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n not startswith(tag, \"v\")\n\ttag == \"1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n configmaps := [configmap | configmap = 
input[_]; configmap.kind == \"ConfigMap\"]\n\tconfigmapOnIngressNamespace := [configmap | configmap= configmaps[_]; configmap.metadata.namespace == namespace]\n\tconfigMapsWithSnippet := [configmap | configmap= configmapOnIngressNamespace[_]; configmap.data[\"allow-snippet-annotations\"] == \"false\"]\n\tcount(configMapsWithSnippet) \u003c 1\n}\n\n\nis_tag_image(image) {\n reg := \":[\\\\w][\\\\w.-]{0,127}(\\/)?\"\n version := regex.find_all_string_submatch_n(reg, image, -1)\n v := version[_]\n img := v[_]\n not endswith(img, \"/\")\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Deployment", + "ConfigMap" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 8 + }, + "C-0066": { + "guid": "", + "name": "Secret/ETCD encryption enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "node", + "categories": [ + "Impact" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0066", + "creationTime": "", + "description": "All Kubernetes Secrets are stored primarily in etcd therefore it is important to encrypt it.", + "remediation": "Turn on the etcd encryption in your cluster, for more see the vendor documentation.", + "rules": [ + { + "guid": "", + "name": "secret-etcd-encryption-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if encryption in etcd in enabled for EKS\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"eks.amazonaws.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"eks\"\t\n\tconfig = cluster_config.data\n\n\tis_not_encrypted_EKS(config)\n \n\t\n\tmsga := 
{\n\t\t\"alertMessage\": \"etcd/secret encryption is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"eksctl utils enable-secrets-encryption --cluster=\u003ccluster\u003e --key-arn=arn:aws:kms:\u003ccluster_region\u003e:\u003caccount\u003e:key/\u003ckey\u003e --region=\u003cregion\u003e\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}\n\n\n\n# Check if encryption in etcd in enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"gke\"\t\n\tconfig := cluster_config.data\n\n\tnot is_encrypted_GKE(config)\n \n\t\n\tmsga := {\n\t\t\"alertMessage\": \"etcd/secret encryption is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [\"data.database_encryption.state\"],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"gcloud container clusters update \u003ccluster_name\u003e --region=\u003ccompute_region\u003e --database-encryption-key=\u003ckey_project_id\u003e/locations/\u003clocation\u003e/keyRings/\u003cring_name\u003e/cryptoKeys/\u003ckey_name\u003e --project=\u003ccluster_project_id\u003e\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}\n\nis_encrypted_GKE(config) {\n\t config.database_encryption.state == \"1\"\n}\nis_encrypted_GKE(config) {\n\t config.database_encryption.state == \"ENCRYPTED\"\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tencryptionConfig := cluster_config.Cluster.EncryptionConfig[_]\n goodResources := [resource | resource = cluster_config.Cluster.EncryptionConfig.Resources[_]; resource == \"secrets\"]\n\tcount(goodResources) == 0\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tcluster_config.Cluster.EncryptionConfig == 
null\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tcount(cluster_config.Cluster.EncryptionConfig) == 0\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tencryptionConfig := cluster_config.Cluster.EncryptionConfig[_]\n count(encryptionConfig.Resources) == 0\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "etcd-encryption-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport data.cautils as cautils\n\n# Check if encryption in etcd is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n\tcmd := apiserverpod.spec.containers[0].command\n\tenc_command := [command | command := cmd[_]; contains(command, \"--encryption-provider-config=\")]\n\tcount(enc_command) \u003c 1\n\tpath := \"spec.containers[0].command\"\n\n\tmsga := {\n\t\t\"alertMessage\": \"etcd encryption is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\"k8sApiObjects\": [apiserverpod]},\n\t}\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": 
null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 6 + }, + "C-0067": { + "guid": "", + "name": "Audit logs enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Defense evasion - KubeAPI" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0067", + "creationTime": "", + "description": "Audit logging is an important security feature in Kubernetes, it enables the operator to track requests to the cluster. It is important to use it so the operator has a record of events happened in Kubernetes", + "remediation": "Turn on audit logging for your cluster. Look at the vendor guidelines for more details", + "rules": [ + { + "guid": "", + "name": "k8s-audit-logs-enabled-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.every\n\n# =============================== GKE ===============================\n# Check if audit logs is enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n\tcluster_config.metadata.provider == \"gke\"\n\tconfig := cluster_config.data\n\n\t# If enableComponents is empty, it will disable logging\n\t# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#loggingcomponentconfig\n\tis_logging_disabled(config)\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is disabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": cluster_config,\n\t\t},\n\t}\n}\n\nis_logging_disabled(cluster_config) {\n\tnot cluster_config.logging_config.component_config.enable_components\n}\n\nis_logging_disabled(cluster_config) 
{\n\tcluster_config.logging_config.component_config.enable_components\n\tcount(cluster_config.logging_config.component_config.enable_components) == 0\n}\n\n# =============================== EKS ===============================\n# Check if audit logs is enabled for EKS\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"eks.amazonaws.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n\tcluster_config.metadata.provider == \"eks\"\n\tconfig := cluster_config.data\n\n\t# logSetup is an object representing the enabled or disabled Kubernetes control plane logs for your cluster.\n\t# types - available cluster control plane log types\n\t# https://docs.aws.amazon.com/eks/latest/APIReference/API_LogSetup.html\n\tlogging_types := {\"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler\"}\n\tlogSetups = config.Cluster.Logging.ClusterLogging\n\tnot all_auditlogs_enabled(logSetups, logging_types)\n\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is disabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixCommand\": \"aws eks update-cluster-config --region '${REGION_CODE}' --name '${CLUSTER_NAME}' --logging '{'clusterLogging':[{'types':['api','audit','authenticator','controllerManager','scheduler'],'enabled':true}]}'\",\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": cluster_config,\n\t\t},\n\t}\n}\n\nall_auditlogs_enabled(logSetups, types) {\n\tevery type in types {\n\t\tauditlogs_enabled(logSetups, type)\n\t}\n}\n\nauditlogs_enabled(logSetups, type) {\n\tlogSetup := logSetups[_]\n\tlogSetup.Enabled == true\n\tlogSetup.Types[_] == type\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": 
[ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "k8s-audit-logs-enabled-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.cautils as cautils\n\n# Check if audit logs is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n cmd := apiserverpod.spec.containers[0].command\n\taudit_policy := [ command |command := cmd[_] ; contains(command, \"--audit-policy-file=\")]\n count(audit_policy) \u003c 1\n\tpath := \"spec.containers[0].command\"\t\n\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [apiserverpod],\n\t\t\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 5 + }, + "C-0068": { + "guid": "", + "name": "PSP enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Impact - service injection" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0068", + "creationTime": "", + "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", + "remediation": "Turn Pod Security Policies 
on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", + "rules": [ + { + "guid": "", + "name": "psp-enabled-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if PSP is enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"gke\"\t\n\tconfig := cluster_config.data\n not config.pod_security_policy_config.enabled == true\n\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"pod security policy configuration is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"gcloud beta container clusters update \u003ccluster_name\u003e --enable-pod-security-policy\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "psp-enabled-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if psp is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n cmd := apiserverpod.spec.containers[0].command[j]\n contains(cmd, 
\"--enable-admission-plugins=\")\n output := split(cmd, \"=\")\n not contains(output[1], \"PodSecurityPolicy\")\n\tpath := sprintf(\"spec.containers[0].command[%v]\", [format_int(j, 10)])\t\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"PodSecurityPolicy is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [apiserverpod],\n\t\t\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 1 + }, + "C-0069": { + "guid": "", + "name": "Disable anonymous access to Kubelet service", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0069", + "creationTime": "", + "description": "By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.", + "remediation": "Start the kubelet with the --anonymous-auth=false flag.", + "rules": [ + { + "guid": "", + "name": "anonymous-requests-to-kubelet-service-updated", + "attributes": { + "armoBuiltin": true, + "hostSensorRule": "true" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n#CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tcontains(command, 
\"--anonymous-auth\")\n\tcontains(command, \"--anonymous-auth=true\")\n\n\texternal_obj := json.filter(obj, [\"apiVersion\", \"data/cmdLine\", \"kind\", \"metadata\"])\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": external_obj},\n\t}\n}\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tnot contains(command, \"--config\")\n\n\texternal_obj := json.filter(obj, [\"apiVersion\", \"data/cmdLine\", \"kind\", \"metadata\"])\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": external_obj},\n\t}\n}\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tcontains(command, \"--config\")\n\n\tdecodedConfigContent := base64.decode(obj.data.configFile.content)\n\tyamlConfig := yaml.unmarshal(decodedConfigContent)\n\tnot yamlConfig.authentication.anonymous.enabled == false\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [\"authentication.anonymous.enabled\"],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": {\n\t\t\t\"apiVersion\": obj.apiVersion,\n\t\t\t\"kind\": obj.kind,\n\t\t\t\"metadata\": obj.metadata,\n\t\t\t\"data\": {\"configFile\": {\"content\": decodedConfigContent}},\n\t\t}},\n\t}\n}\n\n## Host sensor failed to get config file content\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tcontains(command, 
\"--config\")\n\n\tnot obj.data.configFile.content\n\n\tmsga := {\n\t\t\"alertMessage\": \"Failed to analyze config file\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": {\n\t\t\t\"apiVersion\": obj.apiVersion,\n\t\t\t\"kind\": obj.kind,\n\t\t\t\"data\": obj.data,\n\t\t}},\n\t}\n}\n\nis_kubelet_info(obj) {\n\tobj.kind == \"KubeletInfo\"\n\tobj.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "hostdata.kubescape.cloud" + ], + "apiVersions": [ + "v1beta0" + ], + "resources": [ + "KubeletInfo" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "Determines if anonymous requests to the kubelet service are allowed.", + "remediation": "Disable anonymous requests by setting the anonymous-auth flag to false, or using the kubelet configuration file.", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 10 + }, + "C-0070": { + "guid": "", + "name": "Enforce Kubelet client TLS authentication", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "node", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0070", + "creationTime": "", + "description": "Kubelets are the node level orchestrator in Kubernetes control plane. They are publishing service port 10250 where they accept commands from API server. Operator must make sure that only API server is allowed to submit commands to Kubelet. 
This is done through client certificate verification, must configure Kubelet with client CA file to use for this purpose.", + "remediation": "Start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with.", + "rules": [ + { + "guid": "", + "name": "enforce-kubelet-client-tls-authentication", + "attributes": { + "armoBuiltin": true, + "hostSensorRule": "true" + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.kubernetes.api.client as client\n\n# Both config and cli present\ndeny[msga] {\n\t\tkubelet_config := input[_]\n\t\tkubelet_config.kind == \"KubeletConfiguration\"\n\t\tkubelet_config.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\t\tkubelet_cli := input[_] \n\t\tkubelet_cli.kind == \"KubeletCommandLine\"\n\t\tkubelet_cli.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\t\tkubelet_cli_data := kubelet_cli.data\n\n\t\tresult := is_client_tls_disabled_both(kubelet_config, kubelet_cli_data)\n\t\texternal_obj := result.obj\n\t\tfailed_paths := result.failedPaths\n\t\tfixPaths := result.fixPaths\n\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": \"kubelet client TLS authentication is not enabled\",\n\t\t\t\"alertScore\": 2,\n\t\t\t\"failedPaths\": failed_paths,\n\t\t\t\"fixPaths\": fixPaths,\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [kubelet_config, kubelet_cli]\n\t\t\t},\n\t\t}\n\t}\n\n\n# Only of them present\ndeny[msga] {\n\t\tresult := is_client_tls_disabled_single(input)\n\t\texternal_obj := result.obj\n\t\tfailed_paths := result.failedPaths\n\t\tfixPaths := result.fixPaths\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": \"kubelet client TLS authentication is not enabled\",\n\t\t\t\"alertScore\": 2,\n\t\t\t\"failedPaths\": failed_paths,\n\t\t\t\"fixPaths\": fixPaths,\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [external_obj]\n\t\t\t},\n\t\t}\n\t}\n\n# CLI overrides 
config\nis_client_tls_disabled_both(kubelet_config, kubelet_cli_data) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": [{\"path\": \"data.authentication.x509.clientCAFile\", \"value\": \"YOUR_VALUE\"}]} {\n\tnot contains(kubelet_cli_data[\"fullCommand\"], \"client-ca-file\")\n not kubelet_config.data.authentication.x509.clientCAFile\n\tobj = kubelet_config\n}\n\n# Only cli\nis_client_tls_disabled_single(resources) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": []} {\n\tkubelet_cli := resources[_] \n\tkubelet_cli.kind == \"KubeletCommandLine\"\n\tkubelet_cli.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\tkubelet_config := [config | config = resources[_]; config.kind == \"KubeletConfiguration\"]\n\tcount(kubelet_config) == 0\n\n\tobj = isClientTlsDisabledCli(kubelet_cli)\n\t\n}\n\n# Only config\nis_client_tls_disabled_single(resources) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": [{\"path\": \"data.authentication.x509.clientCAFile\", \"value\": \"YOUR_VALUE\"}]} {\n\tkubelet_config := resources[_] \n\tkubelet_config.kind == \"KubeletConfiguration\"\n\tkubelet_config.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\tkubelet_cmd := [cmd | cmd = resources[_]; cmd.kind == \"KubeletCommandLine\"]\n\tcount(kubelet_cmd) == 0\n\n\tobj = is_Client_tls_disabled_config(kubelet_config)\n}\n\n\nis_Client_tls_disabled_config(kubelet_config) = obj {\n\tnot kubelet_config.data.authentication.x509.clientCAFile\n\tobj = kubelet_config\n}\n\nisClientTlsDisabledCli(kubelet_cli) = obj {\n\tkubelet_cli_data = kubelet_cli.data\n\tnot contains(kubelet_cli_data[\"fullCommand\"], \"client-ca-file\")\n\tobj = kubelet_cli\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "hostdata.kubescape.cloud" + ], + "apiVersions": [ + "v1beta0" + ], + "resources": [ + "KubeletConfiguration", + "KubeletCommandLine" + ] + } + ], + 
"ruleDependencies": [ + { + "packageName": "cautils" + }, + { + "packageName": "kubernetes.api.client" + } + ], + "configInputs": null, + "controlConfigInputs": null, + "description": "Determines if kubelet client tls authentication is enabled.", + "remediation": "Start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with.", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 9 + } + }, + "Frameworks": [ + "NSA" + ] + }, + "AllResources": { + "//ServiceAccount/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-loki": {}, + "//ServiceAccount/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-tsdb": {}, + "/armo-system/ServiceAccount/armo-scanner-service-account/rbac.authorization.k8s.io/v1//ClusterRole/armo-scanner-service-account-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/armo-scanner-service-account-role-binding": {}, + "/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1//ClusterRole/castai-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/castai-agent": {}, + "/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/Role/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/RoleBinding/castai-agent": {}, + "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-cainjector": {}, + "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager-cainjector:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager-cainjector:leaderelection": {}, + 
"/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-webhook:subjectaccessreviews/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews": {}, + "/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1/cert-manager/Role/cert-manager-webhook:dynamic-serving/rbac.authorization.k8s.io/v1/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-approve:cert-manager-io/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificates/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificates": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificatesigningrequests/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificatesigningrequests": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-challenges/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-challenges": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-clusterissuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-clusterissuers": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-ingress-shim/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-ingress-shim": {}, + 
"/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-issuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-issuers": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-orders/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-orders": {}, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager:leaderelection": {}, + "/cyberarmor-system/ServiceAccount/ca-controller-service-account/rbac.authorization.k8s.io/v1//ClusterRole/ca-controller-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-controller-role-binding": {}, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-crd": {}, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-deployment": {}, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-deployment": {}, + "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-crd": {}, + "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-storage": {}, + 
"/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1/default/Role/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-storage-operator-rbac-storage": {}, + "/default/ServiceAccount/default/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-default/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-default": {}, + "/default/ServiceAccount/kubescape-sneeffer-service-account/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sneeffer-role-binding-container-profiling": {}, + "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher": {}, + "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1/groundcover/Role/alligator/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/alligator": {}, + "/groundcover/ServiceAccount/grafana/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": {}, + "/groundcover/ServiceAccount/groundcover-promscale/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": {}, + "/groundcover/ServiceAccount/groundcover-victoria-metrics-agent/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-agent-role/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-agent-rolebinding": {}, + "/groundcover/ServiceAccount/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-single": {}, + 
"/groundcover/ServiceAccount/k8s-watcher/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher": {}, + "/groundcover/ServiceAccount/migrator/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": {}, + "/groundcover/ServiceAccount/portal/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": {}, + "/kube-system/ServiceAccount/attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller": {}, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer": {}, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer": {}, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer": {}, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer": {}, + "/kube-system/ServiceAccount/certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:certificate-controller": {}, + 
"/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1//ClusterRole/gce:cloud-provider/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:cloud-provider": {}, + "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/gce:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:cloud-provider": {}, + "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:cloud-provider": {}, + "/kube-system/ServiceAccount/clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:clusterrole-aggregation-controller": {}, + "/kube-system/ServiceAccount/cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:cronjob-controller": {}, + "/kube-system/ServiceAccount/daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:daemon-set-controller": {}, + "/kube-system/ServiceAccount/deployment-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:deployment-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:deployment-controller": {}, + "/kube-system/ServiceAccount/disruption-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:disruption-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:disruption-controller": {}, + "/kube-system/ServiceAccount/endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpoint-controller": {}, + 
"/kube-system/ServiceAccount/endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslice-controller": {}, + "/kube-system/ServiceAccount/endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslicemirroring-controller": {}, + "/kube-system/ServiceAccount/ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ephemeral-volume-controller": {}, + "/kube-system/ServiceAccount/event-exporter-sa/rbac.authorization.k8s.io/v1//ClusterRole/view/rbac.authorization.k8s.io/v1//ClusterRoleBinding/event-exporter-rb": {}, + "/kube-system/ServiceAccount/expand-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:expand-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:expand-controller": {}, + "/kube-system/ServiceAccount/generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:generic-garbage-collector": {}, + "/kube-system/ServiceAccount/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRole/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gke-metrics-agent": {}, + "/kube-system/ServiceAccount/horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:horizontal-pod-autoscaler": {}, + 
"/kube-system/ServiceAccount/job-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:job-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:job-controller": {}, + "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRole/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRoleBinding/konnectivity-agent-cpha": {}, + "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/Role/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/konnectivity-agent-cpha": {}, + "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager": {}, + "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election": {}, + "/kube-system/ServiceAccount/kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns-autoscaler": {}, + "/kube-system/ServiceAccount/kube-dns/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns": {}, + "/kube-system/ServiceAccount/kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-proxy": {}, + "/kube-system/ServiceAccount/kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler": {}, + 
"/kube-system/ServiceAccount/metadata-agent/rbac.authorization.k8s.io/v1//ClusterRole/stackdriver:metadata-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/stackdriver:metadata-agent": {}, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/metrics-server:system:auth-delegator": {}, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:metrics-server/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:metrics-server": {}, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/metrics-server-auth-reader": {}, + "/kube-system/ServiceAccount/namespace-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:namespace-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:namespace-controller": {}, + "/kube-system/ServiceAccount/node-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:node-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:node-controller": {}, + "/kube-system/ServiceAccount/persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:persistent-volume-binder": {}, + "/kube-system/ServiceAccount/pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pod-garbage-collector": {}, + "/kube-system/ServiceAccount/pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pv-protection-controller": {}, + 
"/kube-system/ServiceAccount/pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pvc-protection-controller": {}, + "/kube-system/ServiceAccount/replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replicaset-controller": {}, + "/kube-system/ServiceAccount/replication-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replication-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replication-controller": {}, + "/kube-system/ServiceAccount/resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:resourcequota-controller": {}, + "/kube-system/ServiceAccount/root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:root-ca-cert-publisher": {}, + "/kube-system/ServiceAccount/route-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:route-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:route-controller": {}, + "/kube-system/ServiceAccount/service-account-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-account-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-account-controller": {}, + "/kube-system/ServiceAccount/service-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-controller": {}, + 
"/kube-system/ServiceAccount/statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:statefulset-controller": {}, + "/kube-system/ServiceAccount/token-cleaner/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:token-cleaner/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:token-cleaner": {}, + "/kube-system/ServiceAccount/ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-after-finished-controller": {}, + "/kube-system/ServiceAccount/ttl-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-controller": {}, + "/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1//ClusterRole/ks-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ks-sa-role-binding": {}, + "/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1/kubescape/Role/ks-sa-roles/rbac.authorization.k8s.io/v1/kubescape/RoleBinding/ks-sa-role-binding": {}, + "/kubescape/ServiceAccount/kubescape-sa/rbac.authorization.k8s.io/v1//ClusterRole/kubescape-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sa-role-binding": {}, + "/v1//Namespace/backstage": {}, + "/v1//Namespace/castai-agent": {}, + "/v1//Namespace/cert-manager": {}, + "/v1//Namespace/default": {}, + "/v1//Namespace/groundcover": {}, + "/v1//Namespace/harbor": {}, + "/v1//Namespace/kube-node-lease": {}, + "/v1//Namespace/kube-public": {}, + "/v1//Namespace/kube-system": {}, + "/v1//Namespace/kubescape": {}, + "/v1//Namespace/mysql-demos": {}, + "/v1//Namespace/systest-ns-p7rn": {}, + "/v1//Namespace/test-vlun-ubuntu": {}, + "/v1//Node/gke-cluster-mock-pool-2-65de223a-0mjl": {}, + 
"/v1//Node/gke-cluster-mock-pool-2-65de223a-8q2q": {}, + "/v1//Node/gke-cluster-mock-pool-2-65de223a-cw39": {}, + "/v1//Node/gke-cluster-mock-pool-2-65de223a-gqix": {}, + "/v1//Node/gke-cluster-mock-pool-2-65de223a-rgbb": {}, + "/v1//Node/gke-cluster-mock-pool-2-65de223a-zesg": {}, + "/v1//Node/gke-cluster-mock-pool-3-005b69ef-l4ig": {}, + "/v1/backstage/ConfigMap/backstage-app-config": {}, + "/v1/backstage/ConfigMap/backstage-app-env": {}, + "/v1/backstage/ConfigMap/backstage-auth": {}, + "/v1/backstage/ConfigMap/backstage-lighthouse": {}, + "/v1/backstage/ConfigMap/backstage-postgres-ca": {}, + "/v1/backstage/ConfigMap/kube-root-ca.crt": {}, + "/v1/backstage/Pod/backstage-backend-5ffdfcf8db-8bfpg": {}, + "/v1/backstage/Pod/backstage-frontend-77b9d6fdb7-xqfxj": {}, + "/v1/backstage/Pod/backstage-lighthouse-549dfb8f45-whlcj": {}, + "/v1/backstage/Pod/backstage-postgresql-0": {}, + "/v1/backstage/ServiceAccount/default": {}, + "/v1/castai-agent/ConfigMap/castai-agent-autoscaler": {}, + "/v1/castai-agent/ConfigMap/kube-root-ca.crt": {}, + "/v1/castai-agent/Pod/castai-agent-cpvpa-84d84596b6-qcpsm": {}, + "/v1/castai-agent/ServiceAccount/castai-agent": {}, + "/v1/castai-agent/ServiceAccount/default": {}, + "/v1/cert-manager/ConfigMap/cert-manager-webhook": {}, + "/v1/cert-manager/ConfigMap/kube-root-ca.crt": {}, + "/v1/cert-manager/Pod/cert-manager-6b4d84674-2phwh": {}, + "/v1/cert-manager/Pod/cert-manager-cainjector-59f8d9f696-v65cv": {}, + "/v1/cert-manager/Pod/cert-manager-webhook-56889bfc96-z6lqk": {}, + "/v1/cert-manager/ServiceAccount/cert-manager": {}, + "/v1/cert-manager/ServiceAccount/cert-manager-cainjector": {}, + "/v1/cert-manager/ServiceAccount/cert-manager-webhook": {}, + "/v1/cert-manager/ServiceAccount/default": {}, + "/v1/default/ConfigMap/arangodb-operator-feature-config-map": {}, + "/v1/default/ConfigMap/kube-root-ca.crt": {}, + "/v1/default/ConfigMap/kubescape": {}, + "/v1/default/Pod/arango-deployment-operator-859c44db69-kfvkx": {}, + 
"/v1/default/Pod/arango-deployment-operator-859c44db69-lx989": {}, + "/v1/default/Pod/arango-storage-operator-9b4679bcf-qf775": {}, + "/v1/default/Pod/arango-storage-operator-9b4679bcf-xfxf4": {}, + "/v1/default/Pod/busybox": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2": {}, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2": {}, + "/v1/default/Pod/nginx-deployment-9456bbbf9-sfwd9": {}, + "/v1/default/Pod/nginx-deployment-9456bbbf9-sg2h6": {}, + "/v1/default/Pod/nginx-deployment-9456bbbf9-sq2fg": {}, + "/v1/default/ServiceAccount/arango-deployment-operator": {}, + "/v1/default/ServiceAccount/arango-storage-operator": {}, + "/v1/default/ServiceAccount/default": {}, + "/v1/default/ServiceAccount/mysql-sidecar-sa": {}, + "/v1/groundcover/ConfigMap/alligator-configuration": {}, + "/v1/groundcover/ConfigMap/alligator-scrape-configuration": {}, + "/v1/groundcover/ConfigMap/grafana-dashboards": {}, + "/v1/groundcover/ConfigMap/grafana-dashboards-provisioning": {}, + "/v1/groundcover/ConfigMap/grafana-datasources": {}, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-patroni": {}, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-pgbackrest": {}, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-scripts": {}, + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-agent-config": {}, + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-scrapeconfig": {}, + 
"/v1/groundcover/ConfigMap/k8s-watcher-config": {}, + "/v1/groundcover/ConfigMap/kube-root-ca.crt": {}, + "/v1/groundcover/ConfigMap/portal-config": {}, + "/v1/groundcover/ConfigMap/shepherd-config": {}, + "/v1/groundcover/ConfigMap/tracy-conf-fg9h4chctk": {}, + "/v1/groundcover/Pod/alligator-8hb2t": {}, + "/v1/groundcover/Pod/alligator-b64xx": {}, + "/v1/groundcover/Pod/alligator-bdrnm": {}, + "/v1/groundcover/Pod/alligator-hlbwk": {}, + "/v1/groundcover/Pod/alligator-hs2z6": {}, + "/v1/groundcover/Pod/alligator-mnrrf": {}, + "/v1/groundcover/Pod/alligator-tpz85": {}, + "/v1/groundcover/Pod/grafana-d88f9d644-4dvmb": {}, + "/v1/groundcover/Pod/groundcover-groundcover-loki-0": {}, + "/v1/groundcover/Pod/groundcover-groundcover-tsdb-0": {}, + "/v1/groundcover/Pod/groundcover-promscale-575757f98f-xl4lm": {}, + "/v1/groundcover/Pod/groundcover-victoria-metrics-0": {}, + "/v1/groundcover/Pod/groundcover-victoria-metrics-agent-64c79df6d4-scbtt": {}, + "/v1/groundcover/Pod/k8s-watcher-6f87446b4d-mp4mb": {}, + "/v1/groundcover/Pod/portal-7d9c7c584-gp7q7": {}, + "/v1/groundcover/Pod/shepherd-7f67c966fb-s4gfn": {}, + "/v1/groundcover/ServiceAccount/alligator": {}, + "/v1/groundcover/ServiceAccount/default": {}, + "/v1/groundcover/ServiceAccount/grafana": {}, + "/v1/groundcover/ServiceAccount/groundcover-groundcover-loki": {}, + "/v1/groundcover/ServiceAccount/groundcover-groundcover-tsdb": {}, + "/v1/groundcover/ServiceAccount/groundcover-promscale": {}, + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-agent": {}, + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-single": {}, + "/v1/groundcover/ServiceAccount/k8s-watcher": {}, + "/v1/groundcover/ServiceAccount/migrator": {}, + "/v1/groundcover/ServiceAccount/portal": {}, + "/v1/groundcover/ServiceAccount/shepherd": {}, + "/v1/harbor/ConfigMap/harbor-chartmuseum": {}, + "/v1/harbor/ConfigMap/harbor-core": {}, + "/v1/harbor/ConfigMap/harbor-jobservice": {}, + 
"/v1/harbor/ConfigMap/harbor-jobservice-env": {}, + "/v1/harbor/ConfigMap/harbor-portal": {}, + "/v1/harbor/ConfigMap/harbor-registry": {}, + "/v1/harbor/ConfigMap/harbor-registryctl": {}, + "/v1/harbor/ConfigMap/kube-root-ca.crt": {}, + "/v1/harbor/Pod/harbor-chartmuseum-fdb57b5dd-lchbx": {}, + "/v1/harbor/Pod/harbor-core-5c4874d64-7khzj": {}, + "/v1/harbor/Pod/harbor-database-0": {}, + "/v1/harbor/Pod/harbor-jobservice-c59667f55-t2rf5": {}, + "/v1/harbor/Pod/harbor-notary-server-6cf7c888c5-xskqg": {}, + "/v1/harbor/Pod/harbor-notary-signer-7b54b8cbfd-27jkf": {}, + "/v1/harbor/Pod/harbor-portal-6fdc5d74bf-jwxjl": {}, + "/v1/harbor/Pod/harbor-redis-0": {}, + "/v1/harbor/Pod/harbor-registry-6bddbf7649-xsbjx": {}, + "/v1/harbor/Pod/harbor-trivy-0": {}, + "/v1/harbor/ServiceAccount/default": {}, + "/v1/kube-node-lease/ConfigMap/kube-root-ca.crt": {}, + "/v1/kube-node-lease/ServiceAccount/default": {}, + "/v1/kube-public/ConfigMap/kube-root-ca.crt": {}, + "/v1/kube-public/ServiceAccount/default": {}, + "/v1/kube-system/ConfigMap/cluster-autoscaler-status": {}, + "/v1/kube-system/ConfigMap/cluster-kubestore": {}, + "/v1/kube-system/ConfigMap/clustermetrics": {}, + "/v1/kube-system/ConfigMap/extension-apiserver-authentication": {}, + "/v1/kube-system/ConfigMap/gke-common-webhook-heartbeat": {}, + "/v1/kube-system/ConfigMap/gke-common-webhook-lock": {}, + "/v1/kube-system/ConfigMap/ingress-gce-lock": {}, + "/v1/kube-system/ConfigMap/ingress-uid": {}, + "/v1/kube-system/ConfigMap/konnectivity-agent-autoscaler-config": {}, + "/v1/kube-system/ConfigMap/kube-dns": {}, + "/v1/kube-system/ConfigMap/kube-dns-autoscaler": {}, + "/v1/kube-system/ConfigMap/kube-root-ca.crt": {}, + "/v1/kube-system/ConfigMap/kubedns-config-images": {}, + "/v1/kube-system/ConfigMap/metadata-agent-config": {}, + "/v1/kube-system/ConfigMap/metrics-server-config": {}, + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-2lvpw": {}, + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-7ptgj": {}, + 
"/v1/kube-system/Pod/konnectivity-agent-79486bdd68-9r7r4": {}, + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-dchpw": {}, + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-p4bg5": {}, + "/v1/kube-system/Pod/konnectivity-agent-79486bdd68-thrh8": {}, + "/v1/kube-system/Pod/konnectivity-agent-autoscaler-566966775b-7t2hd": {}, + "/v1/kube-system/Pod/kube-dns-674789b66b-7rd27": {}, + "/v1/kube-system/Pod/kube-dns-674789b66b-p2j5c": {}, + "/v1/kube-system/Pod/kube-dns-autoscaler-fbc66b884-tx8wd": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-0mjl": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-8q2q": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-cw39": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-gqix": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-rgbb": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-zesg": {}, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-3-005b69ef-l4ig": {}, + "/v1/kube-system/Pod/l7-default-backend-6dc845c45d-bg5rc": {}, + "/v1/kube-system/Pod/metrics-server-v0.5.2-6fd865649-q9s2s": {}, + "/v1/kube-system/Pod/pdcsi-node-2rlrk": {}, + "/v1/kube-system/Pod/pdcsi-node-5ctlr": {}, + "/v1/kube-system/Pod/pdcsi-node-5rb82": {}, + "/v1/kube-system/Pod/pdcsi-node-9cbwp": {}, + "/v1/kube-system/Pod/pdcsi-node-gcdjb": {}, + "/v1/kube-system/Pod/pdcsi-node-pj2fn": {}, + "/v1/kube-system/Pod/pdcsi-node-qrxr9": {}, + "/v1/kube-system/ServiceAccount/attachdetach-controller": {}, + "/v1/kube-system/ServiceAccount/certificate-controller": {}, + "/v1/kube-system/ServiceAccount/cloud-provider": {}, + "/v1/kube-system/ServiceAccount/clusterrole-aggregation-controller": {}, + "/v1/kube-system/ServiceAccount/cronjob-controller": {}, + "/v1/kube-system/ServiceAccount/daemon-set-controller": {}, + "/v1/kube-system/ServiceAccount/default": {}, + "/v1/kube-system/ServiceAccount/deployment-controller": {}, + 
"/v1/kube-system/ServiceAccount/disruption-controller": {}, + "/v1/kube-system/ServiceAccount/endpoint-controller": {}, + "/v1/kube-system/ServiceAccount/endpointslice-controller": {}, + "/v1/kube-system/ServiceAccount/endpointslicemirroring-controller": {}, + "/v1/kube-system/ServiceAccount/ephemeral-volume-controller": {}, + "/v1/kube-system/ServiceAccount/event-exporter-sa": {}, + "/v1/kube-system/ServiceAccount/expand-controller": {}, + "/v1/kube-system/ServiceAccount/fluentbit-gke": {}, + "/v1/kube-system/ServiceAccount/generic-garbage-collector": {}, + "/v1/kube-system/ServiceAccount/gke-metrics-agent": {}, + "/v1/kube-system/ServiceAccount/job-controller": {}, + "/v1/kube-system/ServiceAccount/konnectivity-agent": {}, + "/v1/kube-system/ServiceAccount/konnectivity-agent-cpha": {}, + "/v1/kube-system/ServiceAccount/kube-dns": {}, + "/v1/kube-system/ServiceAccount/kube-dns-autoscaler": {}, + "/v1/kube-system/ServiceAccount/kube-proxy": {}, + "/v1/kube-system/ServiceAccount/metadata-agent": {}, + "/v1/kube-system/ServiceAccount/metadata-proxy": {}, + "/v1/kube-system/ServiceAccount/metrics-server": {}, + "/v1/kube-system/ServiceAccount/namespace-controller": {}, + "/v1/kube-system/ServiceAccount/node-controller": {}, + "/v1/kube-system/ServiceAccount/pdcsi-node-sa": {}, + "/v1/kube-system/ServiceAccount/persistent-volume-binder": {}, + "/v1/kube-system/ServiceAccount/pod-garbage-collector": {}, + "/v1/kube-system/ServiceAccount/pv-protection-controller": {}, + "/v1/kube-system/ServiceAccount/pvc-protection-controller": {}, + "/v1/kube-system/ServiceAccount/replicaset-controller": {}, + "/v1/kube-system/ServiceAccount/replication-controller": {}, + "/v1/kube-system/ServiceAccount/resourcequota-controller": {}, + "/v1/kube-system/ServiceAccount/root-ca-cert-publisher": {}, + "/v1/kube-system/ServiceAccount/service-account-controller": {}, + "/v1/kube-system/ServiceAccount/service-controller": {}, + "/v1/kube-system/ServiceAccount/statefulset-controller": {}, + 
"/v1/kube-system/ServiceAccount/ttl-after-finished-controller": {}, + "/v1/kube-system/ServiceAccount/ttl-controller": {}, + "/v1/kubescape/ConfigMap/host-scanner-definition": {}, + "/v1/kubescape/ConfigMap/ks-cloud-config": {}, + "/v1/kubescape/ConfigMap/kube-root-ca.crt": {}, + "/v1/kubescape/ConfigMap/kubescape-config": {}, + "/v1/kubescape/ConfigMap/kubescape-cronjob-template": {}, + "/v1/kubescape/ConfigMap/kubescape-scheduler": {}, + "/v1/kubescape/ConfigMap/kubevuln-cronjob-template": {}, + "/v1/kubescape/ConfigMap/kubevuln-scheduler": {}, + "/v1/kubescape/ConfigMap/otel-collector-config": {}, + "/v1/kubescape/ConfigMap/registry-scan-cronjob-template": {}, + "/v1/kubescape/Pod/gateway-6bf8c66fd4-46mx2": {}, + "/v1/kubescape/Pod/kollector-0": {}, + "/v1/kubescape/Pod/kubescape-6685bbcbbb-7cfm8": {}, + "/v1/kubescape/Pod/kubescape-scheduler-27964695-zfcdn": {}, + "/v1/kubescape/Pod/kubescape-scheduler-27966135-q6jf8": {}, + "/v1/kubescape/Pod/kubescape-scheduler-27967575-9swgz": {}, + "/v1/kubescape/Pod/kubevuln-78c5c7f67f-dm6vt": {}, + "/v1/kubescape/Pod/kubevuln-scheduler-27965414-jg2s4": {}, + "/v1/kubescape/Pod/kubevuln-scheduler-27966854-7psjx": {}, + "/v1/kubescape/Pod/kubevuln-scheduler-27968294-njg4n": {}, + "/v1/kubescape/Pod/operator-677c97d54f-gwm8k": {}, + "/v1/kubescape/ServiceAccount/default": {}, + "/v1/kubescape/ServiceAccount/ks-sa": {}, + "/v1/kubescape/ServiceAccount/kubescape-sa": {}, + "/v1/mysql-demos/Pod/mycluster-0": {}, + "/v1/systest-ns-p7rn/ConfigMap/kube-root-ca.crt": {}, + "/v1/systest-ns-p7rn/ServiceAccount/default": {}, + "/v1/test-vlun-ubuntu/ConfigMap/kube-root-ca.crt": {}, + "/v1/test-vlun-ubuntu/Pod/ubuntu-16-6989d75886-769cx": {}, + "/v1/test-vlun-ubuntu/Pod/ubuntu-latest-7dbdbb545b-smffz": {}, + "/v1/test-vlun-ubuntu/ServiceAccount/default": {}, + "apps/v1/backstage/Deployment/backstage-backend": {}, + "apps/v1/backstage/Deployment/backstage-frontend": {}, + "apps/v1/backstage/Deployment/backstage-lighthouse": {}, + 
"apps/v1/backstage/ReplicaSet/backstage-backend-5ffdfcf8db": {}, + "apps/v1/backstage/ReplicaSet/backstage-frontend-77b9d6fdb7": {}, + "apps/v1/backstage/ReplicaSet/backstage-lighthouse-549dfb8f45": {}, + "apps/v1/backstage/StatefulSet/backstage-postgresql": {}, + "apps/v1/castai-agent/Deployment/castai-agent-cpvpa": {}, + "apps/v1/castai-agent/ReplicaSet/castai-agent-cpvpa-84d84596b6": {}, + "apps/v1/cert-manager/Deployment/cert-manager": {}, + "apps/v1/cert-manager/Deployment/cert-manager-cainjector": {}, + "apps/v1/cert-manager/Deployment/cert-manager-webhook": {}, + "apps/v1/cert-manager/ReplicaSet/cert-manager-6b4d84674": {}, + "apps/v1/cert-manager/ReplicaSet/cert-manager-cainjector-59f8d9f696": {}, + "apps/v1/cert-manager/ReplicaSet/cert-manager-webhook-56889bfc96": {}, + "apps/v1/default/Deployment/arango-deployment-operator": {}, + "apps/v1/default/Deployment/arango-storage-operator": {}, + "apps/v1/default/Deployment/nginx-deployment": {}, + "apps/v1/default/ReplicaSet/arango-deployment-operator-859c44db69": {}, + "apps/v1/default/ReplicaSet/arango-storage-operator-9b4679bcf": {}, + "apps/v1/default/ReplicaSet/nginx-deployment-9456bbbf9": {}, + "apps/v1/groundcover/DaemonSet/alligator": {}, + "apps/v1/groundcover/Deployment/grafana": {}, + "apps/v1/groundcover/Deployment/groundcover-promscale": {}, + "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent": {}, + "apps/v1/groundcover/Deployment/k8s-watcher": {}, + "apps/v1/groundcover/Deployment/portal": {}, + "apps/v1/groundcover/Deployment/shepherd": {}, + "apps/v1/groundcover/ReplicaSet/grafana-d88f9d644": {}, + "apps/v1/groundcover/ReplicaSet/groundcover-promscale-575757f98f": {}, + "apps/v1/groundcover/ReplicaSet/groundcover-promscale-85997f487b": {}, + "apps/v1/groundcover/ReplicaSet/groundcover-victoria-metrics-agent-64c79df6d4": {}, + "apps/v1/groundcover/ReplicaSet/groundcover-victoria-metrics-agent-776dd65b9b": {}, + "apps/v1/groundcover/ReplicaSet/k8s-watcher-6f87446b4d": {}, + 
"apps/v1/groundcover/ReplicaSet/portal-7d9c7c584": {}, + "apps/v1/groundcover/ReplicaSet/shepherd-7f67c966fb": {}, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki": {}, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb": {}, + "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics": {}, + "apps/v1/harbor/Deployment/harbor-chartmuseum": {}, + "apps/v1/harbor/Deployment/harbor-core": {}, + "apps/v1/harbor/Deployment/harbor-jobservice": {}, + "apps/v1/harbor/Deployment/harbor-notary-server": {}, + "apps/v1/harbor/Deployment/harbor-notary-signer": {}, + "apps/v1/harbor/Deployment/harbor-portal": {}, + "apps/v1/harbor/Deployment/harbor-registry": {}, + "apps/v1/harbor/ReplicaSet/harbor-chartmuseum-fdb57b5dd": {}, + "apps/v1/harbor/ReplicaSet/harbor-core-5c4874d64": {}, + "apps/v1/harbor/ReplicaSet/harbor-jobservice-c59667f55": {}, + "apps/v1/harbor/ReplicaSet/harbor-notary-server-6cf7c888c5": {}, + "apps/v1/harbor/ReplicaSet/harbor-notary-signer-7b54b8cbfd": {}, + "apps/v1/harbor/ReplicaSet/harbor-portal-6fdc5d74bf": {}, + "apps/v1/harbor/ReplicaSet/harbor-registry-6bddbf7649": {}, + "apps/v1/harbor/StatefulSet/harbor-database": {}, + "apps/v1/harbor/StatefulSet/harbor-redis": {}, + "apps/v1/harbor/StatefulSet/harbor-trivy": {}, + "apps/v1/kube-system/DaemonSet/kube-proxy": {}, + "apps/v1/kube-system/DaemonSet/metadata-proxy-v0.1": {}, + "apps/v1/kube-system/DaemonSet/nccl-fastsocket-installer": {}, + "apps/v1/kube-system/DaemonSet/nvidia-gpu-device-plugin": {}, + "apps/v1/kube-system/DaemonSet/pdcsi-node": {}, + "apps/v1/kube-system/DaemonSet/pdcsi-node-windows": {}, + "apps/v1/kube-system/Deployment/konnectivity-agent": {}, + "apps/v1/kube-system/Deployment/konnectivity-agent-autoscaler": {}, + "apps/v1/kube-system/Deployment/kube-dns": {}, + "apps/v1/kube-system/Deployment/kube-dns-autoscaler": {}, + "apps/v1/kube-system/Deployment/l7-default-backend": {}, + "apps/v1/kube-system/Deployment/metrics-server-v0.5.2": {}, + 
"apps/v1/kube-system/ReplicaSet/konnectivity-agent-5c87974869": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-5d944f784d": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-67b9847bc8": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-6d6949887f": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-78d544c7ff": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-79486bdd68": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-7c886949f5": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-89948b6b7": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-566966775b": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-5c49cb58bb": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6b86f667c9": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6cb774c9cc": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-6dfb4f9cfb": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-7fd5dd4f5": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-84559799b7": {}, + "apps/v1/kube-system/ReplicaSet/konnectivity-agent-autoscaler-ddccb8b95": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-56646bfd69": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-59844ff879": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-599484b884": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-674789b66b": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-6b85cc8b45": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-6c7b8dc9f9": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-758c7ff655": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-79c57c8c9b": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-7d774598cf": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-58cbd4f75c": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-844c9d9448": {}, + "apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-f4d55555": {}, + 
"apps/v1/kube-system/ReplicaSet/kube-dns-autoscaler-fbc66b884": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-5465dfc4ff": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-56cb9644f6": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-58fd4695c8": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6654b9bccb": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-66579f5d7": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-69fb9fd9f9": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6b99559c7d": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-6dc845c45d": {}, + "apps/v1/kube-system/ReplicaSet/l7-default-backend-865b4c8f8b": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-596b8679b7": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-6fd865649": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-7945948f4b": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-866bc7fbf8": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-86b46dfdc4": {}, + "apps/v1/kube-system/ReplicaSet/metrics-server-v0.5.2-9b67f66b8": {}, + "apps/v1/kubescape/Deployment/gateway": {}, + "apps/v1/kubescape/Deployment/kubescape": {}, + "apps/v1/kubescape/Deployment/kubevuln": {}, + "apps/v1/kubescape/Deployment/operator": {}, + "apps/v1/kubescape/ReplicaSet/gateway-6bf8c66fd4": {}, + "apps/v1/kubescape/ReplicaSet/kubescape-6685bbcbbb": {}, + "apps/v1/kubescape/ReplicaSet/kubevuln-78c5c7f67f": {}, + "apps/v1/kubescape/ReplicaSet/operator-677c97d54f": {}, + "apps/v1/kubescape/StatefulSet/kollector": {}, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16": {}, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest": {}, + "apps/v1/test-vlun-ubuntu/ReplicaSet/ubuntu-16-6989d75886": {}, + "apps/v1/test-vlun-ubuntu/ReplicaSet/ubuntu-latest-7dbdbb545b": {}, + "armo.rbac.com/v0beta1//SA2WLIDmap/": {}, + "armo.rbac.com/v0beta1//SAID2WLIDmap/": {}, + "batch/v1/kubescape/CronJob/kubescape-scheduler": {}, + 
"batch/v1/kubescape/CronJob/kubevuln-scheduler": {}, + "batch/v1/kubescape/Job/kubescape-scheduler-27964695": {}, + "batch/v1/kubescape/Job/kubescape-scheduler-27966135": {}, + "batch/v1/kubescape/Job/kubescape-scheduler-27967575": {}, + "batch/v1/kubescape/Job/kubevuln-scheduler-27965414": {}, + "batch/v1/kubescape/Job/kubevuln-scheduler-27966854": {}, + "batch/v1/kubescape/Job/kubevuln-scheduler-27968294": {}, + "container.googleapis.com/v1/ClusterDescribe/cluster-mock": { + "apiVersion": "container.googleapis.com/v1", + "kind": "ClusterDescribe", + "metadata": { + "name": "cluster-mock", + "provider": "gke" + }, + "data": { + "addons_config": { + "dns_cache_config": {}, + "gce_persistent_disk_csi_driver_config": { + "enabled": true + }, + "horizontal_pod_autoscaling": {}, + "http_load_balancing": {}, + "kubernetes_dashboard": { + "disabled": true + }, + "network_policy_config": { + "disabled": true + } + }, + "authenticator_groups_config": {}, + "autoscaling": { + "autoscaling_profile": 2 + }, + "cluster_ipv4_cidr": "10.36.0.0/14", + "create_time": "2021-07-07T05:42:10+00:00", + "current_master_version": "1.24.9-gke.3200", + "current_node_count": 7, + "current_node_version": "1.24.9-gke.3200", + "database_encryption": { + "state": 2 + }, + "default_max_pods_constraint": { + "max_pods_per_node": 110 + }, + "endpoint": "35.202.27.228", + "id": "a609d8f1a06a4e5187840bcc0ee710e5764c3aac8fed42b9a5ef4ca66d192250", + "initial_cluster_version": "1.19.9-gke.1900", + "instance_group_urls": [ + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-default-pool-d450b024-grp", + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-1-c2dcad5d-grp", + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-2-65de223a-grp", + 
"https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-3-005b69ef-grp" + ], + "ip_allocation_policy": { + "cluster_ipv4_cidr": "10.36.0.0/14", + "cluster_ipv4_cidr_block": "10.36.0.0/14", + "cluster_secondary_range_name": "gke-cluster-mock-pods-a609d8f1", + "services_ipv4_cidr": "10.40.0.0/20", + "services_ipv4_cidr_block": "10.40.0.0/20", + "services_secondary_range_name": "gke-cluster-mock-services-a609d8f1", + "stack_type": 1, + "use_ip_aliases": true + }, + "label_fingerprint": "a9dc16a7", + "legacy_abac": {}, + "location": "us-central1-c", + "locations": [ + "us-central1-c" + ], + "logging_config": { + "component_config": {} + }, + "logging_service": "none", + "maintenance_policy": { + "resource_version": "e3b0c442" + }, + "master_auth": { + "cluster_ca_certificate": "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" + }, + "master_authorized_networks_config": {}, + "monitoring_config": { + "component_config": {} + }, + "monitoring_service": "none", + "name": "cluster-mock", + "network": "default", + "network_config": { + "datapath_provider": 1, + "default_snat_status": {}, + "network": "projects/elated-pottery-310110/global/networks/default", + "service_external_ips_config": { + "enabled": true + }, + "subnetwork": "projects/elated-pottery-310110/regions/us-central1/subnetworks/default" + }, + "node_config": { + "disk_size_gb": 100, + "disk_type": "pd-standard", + "image_type": "COS_CONTAINERD", + "machine_type": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauth_scopes": [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/trace.append" + ], + "service_account": "default", + 
"shielded_instance_config": { + "enable_integrity_monitoring": true + } + }, + "node_pool_defaults": { + "node_config_defaults": {} + }, + "node_pools": [ + { + "autoscaling": {}, + "config": { + "disk_size_gb": 100, + "disk_type": "pd-standard", + "image_type": "COS_CONTAINERD", + "machine_type": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauth_scopes": [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/trace.append" + ], + "service_account": "default", + "shielded_instance_config": { + "enable_integrity_monitoring": true + } + }, + "instance_group_urls": [ + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-default-pool-d450b024-grp" + ], + "locations": [ + "us-central1-c" + ], + "management": { + "auto_repair": true, + "auto_upgrade": true + }, + "max_pods_constraint": { + "max_pods_per_node": 110 + }, + "name": "default-pool", + "network_config": { + "pod_ipv4_cidr_block": "10.36.0.0/14", + "pod_range": "gke-cluster-mock-pods-a609d8f1" + }, + "pod_ipv4_cidr_size": 24, + "self_link": "https://container.googleapis.com/v1/projects/elated-pottery-310110/zones/us-central1-c/clusters/cluster-mock/nodePools/default-pool", + "status": 2, + "upgrade_settings": { + "max_surge": 1, + "strategy": 3 + }, + "version": "1.24.9-gke.3200" + }, + { + "autoscaling": {}, + "config": { + "disk_size_gb": 100, + "disk_type": "pd-standard", + "image_type": "COS_CONTAINERD", + "machine_type": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauth_scopes": [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + 
"https://www.googleapis.com/auth/monitoring", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/trace.append" + ], + "service_account": "default", + "shielded_instance_config": { + "enable_integrity_monitoring": true + } + }, + "instance_group_urls": [ + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-1-c2dcad5d-grp" + ], + "locations": [ + "us-central1-c" + ], + "management": { + "auto_repair": true, + "auto_upgrade": true + }, + "max_pods_constraint": { + "max_pods_per_node": 110 + }, + "name": "pool-1", + "network_config": { + "pod_ipv4_cidr_block": "10.36.0.0/14", + "pod_range": "gke-cluster-mock-pods-a609d8f1" + }, + "pod_ipv4_cidr_size": 24, + "self_link": "https://container.googleapis.com/v1/projects/elated-pottery-310110/zones/us-central1-c/clusters/cluster-mock/nodePools/pool-1", + "status": 2, + "upgrade_settings": { + "max_surge": 1, + "strategy": 3 + }, + "version": "1.24.9-gke.3200" + }, + { + "autoscaling": {}, + "config": { + "disk_size_gb": 100, + "disk_type": "pd-standard", + "image_type": "COS_CONTAINERD", + "machine_type": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauth_scopes": [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/trace.append" + ], + "service_account": "default", + "shielded_instance_config": { + "enable_integrity_monitoring": true + } + }, + "initial_node_count": 6, + "instance_group_urls": [ + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-2-65de223a-grp" + ], + 
"locations": [ + "us-central1-c" + ], + "management": { + "auto_repair": true, + "auto_upgrade": true + }, + "max_pods_constraint": { + "max_pods_per_node": 110 + }, + "name": "pool-2", + "network_config": { + "pod_ipv4_cidr_block": "10.36.0.0/14", + "pod_range": "gke-cluster-mock-pods-a609d8f1" + }, + "pod_ipv4_cidr_size": 24, + "self_link": "https://container.googleapis.com/v1/projects/elated-pottery-310110/zones/us-central1-c/clusters/cluster-mock/nodePools/pool-2", + "status": 2, + "upgrade_settings": { + "max_surge": 1, + "strategy": 3 + }, + "version": "1.24.9-gke.3200" + }, + { + "autoscaling": {}, + "config": { + "disk_size_gb": 100, + "disk_type": "pd-standard", + "image_type": "COS_CONTAINERD", + "machine_type": "e2-standard-2", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauth_scopes": [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/trace.append" + ], + "service_account": "default", + "shielded_instance_config": { + "enable_integrity_monitoring": true + } + }, + "initial_node_count": 1, + "instance_group_urls": [ + "https://www.googleapis.com/compute/v1/projects/elated-pottery-310110/zones/us-central1-c/instanceGroupManagers/gke-cluster-mock-pool-3-005b69ef-grp" + ], + "locations": [ + "us-central1-c" + ], + "management": { + "auto_repair": true, + "auto_upgrade": true + }, + "max_pods_constraint": { + "max_pods_per_node": 110 + }, + "name": "pool-3", + "network_config": { + "pod_ipv4_cidr_block": "10.36.0.0/14", + "pod_range": "gke-cluster-mock-pods-a609d8f1" + }, + "pod_ipv4_cidr_size": 24, + "self_link": "https://container.googleapis.com/v1/projects/elated-pottery-310110/zones/us-central1-c/clusters/cluster-mock/nodePools/pool-3", + "status": 2, + "upgrade_settings": { + 
"max_surge": 1, + "strategy": 3 + }, + "version": "1.24.9-gke.3200" + } + ], + "notification_config": { + "pubsub": {} + }, + "release_channel": { + "channel": 2 + }, + "self_link": "https://container.googleapis.com/v1/projects/elated-pottery-310110/zones/us-central1-c/clusters/cluster-mock", + "services_ipv4_cidr": "10.40.0.0/20", + "shielded_nodes": { + "enabled": true + }, + "status": 2, + "subnetwork": "default", + "zone": "us-central1-c" + } + }, + "policy/v1beta1//PodSecurityPolicy/gce.gke-metrics-agent": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover-alligator": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-loki": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-tsdb": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-agent": {}, + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-single": {}, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:basic-user/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:basic-user": {}, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:discovery": {}, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer": {}, + "rbac.authorization.k8s.io//Group/system:masters/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-admin": {}, + "rbac.authorization.k8s.io//Group/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRole/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:monitoring": {}, + 
"rbac.authorization.k8s.io//Group/system:nodes/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-rotation/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-rotation": {}, + "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/mysql-operator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/mysql-operator-rolebinding": {}, + "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/system:service-account-issuer-discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:service-account-issuer-discovery": {}, + "rbac.authorization.k8s.io//Group/system:unauthenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer": {}, + "rbac.authorization.k8s.io//User/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/read-updateinfo/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler-updateinfo": {}, + "rbac.authorization.k8s.io//User/kube-apiserver/rbac.authorization.k8s.io/v1//ClusterRole/kubelet-api-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kube-apiserver-kubelet-api-admin": {}, + "rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-certificate-bootstrap": {}, + "rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-node-bootstrapper": {}, + "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-bootstrap": {}, + 
"rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap": {}, + "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-user-npd-binding": {}, + "rbac.authorization.k8s.io//User/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRole/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:clustermetrics": {}, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:glbc": {}, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status": {}, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:glbc": {}, + "rbac.authorization.k8s.io//User/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gcp-controller-manager": {}, + "rbac.authorization.k8s.io//User/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-common-webhooks": {}, + "rbac.authorization.k8s.io//User/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-healthcheck": {}, + 
"rbac.authorization.k8s.io//User/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-resourcequota": {}, + "rbac.authorization.k8s.io//User/system:konnectivity-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:konnectivity-server": {}, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-controller-manager": {}, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader": {}, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager": {}, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election": {}, + "rbac.authorization.k8s.io//User/system:kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node-proxier": {}, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-scheduler": {}, + 
"rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:volume-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:volume-scheduler": {}, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader": {}, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler": {}, + "rbac.authorization.k8s.io//User/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kubestore-collector": {}, + "rbac.authorization.k8s.io//User/system:l7-lb-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status": {}, + "rbac.authorization.k8s.io//User/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:managed-certificate-controller": {}, + "rbac.authorization.k8s.io//User/system:master-prom-to-sd-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:master-monitoring-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/master-monitoring-role-binding": {}, + "rbac.authorization.k8s.io//User/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/npd-binding": {}, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-attacher-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-attacher-binding": {}, + 
"rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-provisioner-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-provisioner-binding": {}, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-resizer-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-resizer-binding": {}, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-snapshotter-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-snapshotter-binding": {}, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1/kube-system/Role/pdcsi-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/pdcsi-leaderelection-binding": {}, + "rbac.authorization.k8s.io//User/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRole/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:resource-tracker": {}, + "rbac.authorization.k8s.io//User/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:slo-monitor": {}, + "rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1//ClusterRole/snapshot-controller-runner/rbac.authorization.k8s.io/v1//ClusterRoleBinding/snapshot-controller-role": {}, + "rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1/kube-system/Role/snapshot-controller-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/snapshot-controller-leaderelection": {}, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-migrator-v2": {}, + 
"rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-crd-creator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-crd-creator": {}, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-initializer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-initializer": {}, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-trigger/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-trigger": {}, + "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/ca-cr-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-cr": {}, + "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/external-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/uas-hpa-external-metrics-reader": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-hpa-controller": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-controller": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-actor": {}, + 
"rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-service-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-service-reader": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-collection-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-collection-reader": {}, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-metrics-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-crd": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-deployment": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-crd": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-storage": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/armo-scanner-service-account-roles": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/ca-controller-roles": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/ca-cr-actor": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/castai-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-cainjector": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-approve:cert-manager-io": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificates": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificatesigningrequests": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-challenges": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-clusterissuers": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-ingress-shim": 
{}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-issuers": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-orders": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-edit": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-view": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-webhook:subjectaccessreviews": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cloud-provider": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/cluster-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/edit": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/external-metrics-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-rotation": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/gce:cloud-provider": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/gke-metrics-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/konnectivity-agent-cpha": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/ks-sa-roles": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/kubelet-api-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/kubescape-sa-roles": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/mysql-operator": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/mysql-sidecar": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-attacher-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-provisioner-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-resizer-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-snapshotter-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/read-updateinfo": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/snapshot-controller-runner": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRole/stackdriver:metadata-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-crd-creator": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-initializer": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-trigger": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-edit": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:aggregate-to-view": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:basic-user": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kube-apiserver-client-approver": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kube-apiserver-client-kubelet-approver": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:kubelet-serving-approver": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:certificates.k8s.io:legacy-unknown-approver": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:clustermetrics": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:certificate-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:clusterrole-aggregation-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:cronjob-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:daemon-set-controller": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRole/system:controller:deployment-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:disruption-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpoint-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslice-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslicemirroring-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ephemeral-volume-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:expand-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:generic-garbage-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:glbc": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:job-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:namespace-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:node-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:persistent-volume-binder": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pod-garbage-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pv-protection-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pvc-protection-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replicaset-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replication-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:resourcequota-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:root-ca-cert-publisher": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:route-controller": 
{}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-account-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:statefulset-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-after-finished-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:discovery": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gcp-controller-manager": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-common-webhooks": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-actor": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-service-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-healthcheck": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-resourcequota": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-collection-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-metrics-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:heapster": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-aggregator": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-controller-manager": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kube-scheduler": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kubelet-api-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:kubestore-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:managed-certificate-controller": {}, 
+ "rbac.authorization.k8s.io/v1//ClusterRole/system:master-monitoring-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:metrics-server": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:monitoring": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:node": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:persistent-volume-provisioner": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:resource-tracker": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:service-account-issuer-discovery": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:slo-monitor": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/system:volume-scheduler": {}, + "rbac.authorization.k8s.io/v1//ClusterRole/view": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-crd": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-deployment": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-crd": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-storage": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/armo-scanner-service-account-role-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-controller-role-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-cr": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/castai-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-cainjector": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificates": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificatesigningrequests": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-challenges": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-clusterissuers": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-ingress-shim": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-issuers": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-orders": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler-updateinfo": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/event-exporter-rb": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-bootstrap": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-rotation": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:cloud-provider": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/gke-metrics-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/konnectivity-agent-cpha": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/ks-sa-role-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kube-apiserver-kubelet-api-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-certificate-bootstrap": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-node-bootstrapper": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-cluster-admin": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-user-npd-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sa-role-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sneeffer-role-binding-container-profiling": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/master-monitoring-role-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/metrics-server:system:auth-delegator": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/mysql-operator-rolebinding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/npd-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-attacher-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-provisioner-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-resizer-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-snapshotter-binding": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/snapshot-controller-role": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/stackdriver:metadata-agent": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-crd-creator": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-initializer": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-migrator-v2": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-trigger": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:basic-user": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:clustermetrics": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:certificate-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:clusterrole-aggregation-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:cronjob-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:daemon-set-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:deployment-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:disruption-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpoint-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslice-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslicemirroring-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ephemeral-volume-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:expand-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:generic-garbage-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:glbc": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:horizontal-pod-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:job-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:namespace-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:node-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:persistent-volume-binder": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pod-garbage-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pv-protection-controller": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pvc-protection-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replicaset-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replication-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:resourcequota-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:root-ca-cert-publisher": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:route-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-account-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:statefulset-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-after-finished-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:discovery": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gcp-controller-manager": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-common-webhooks": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-actor": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-service-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-healthcheck": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-resourcequota": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-collection-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-hpa-controller": {}, + 
"rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-metrics-reader": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:konnectivity-server": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-controller-manager": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns-autoscaler": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-proxy": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-scheduler": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kubestore-collector": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:managed-certificate-controller": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:metrics-server": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:monitoring": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node-proxier": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:resource-tracker": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:service-account-issuer-discovery": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:slo-monitor": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:volume-scheduler": {}, + "rbac.authorization.k8s.io/v1//ClusterRoleBinding/uas-hpa-external-metrics-reader": {}, + "rbac.authorization.k8s.io/v1/castai-agent/Role/castai-agent": {}, + "rbac.authorization.k8s.io/v1/castai-agent/RoleBinding/castai-agent": {}, + "rbac.authorization.k8s.io/v1/cert-manager/Role/cert-manager-webhook:dynamic-serving": {}, + "rbac.authorization.k8s.io/v1/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving": {}, + 
"rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-default": {}, + "rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-deployment": {}, + "rbac.authorization.k8s.io/v1/default/Role/arango-storage-operator-rbac-storage": {}, + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-default": {}, + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-deployment": {}, + "rbac.authorization.k8s.io/v1/default/RoleBinding/arango-storage-operator-rbac-storage": {}, + "rbac.authorization.k8s.io/v1/default/RoleBinding/read-pods": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/alligator": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-loki": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-tsdb": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-agent-role": {}, + "rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-single": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/alligator": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-loki": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-tsdb": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-agent-rolebinding": {}, + "rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-single": {}, + "rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer": {}, + "rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager-cainjector:leaderelection": {}, + 
"rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager:leaderelection": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/cloud-provider": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/gce:cloud-provider": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/konnectivity-agent-cpha": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/pdcsi-leaderelection": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/snapshot-controller-leaderelection": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:cloud-provider": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:glbc": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:token-cleaner": {}, + "rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager-cainjector:leaderelection": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager:leaderelection": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:cloud-provider": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:podsecuritypolicy:pdcsi-node-sa": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/konnectivity-agent-cpha": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/metrics-server-auth-reader": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/pdcsi-leaderelection-binding": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/snapshot-controller-leaderelection": {}, + 
"rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:cloud-provider": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:glbc": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:token-cleaner": {}, + "rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election": {}, + "rbac.authorization.k8s.io/v1/kubescape/Role/ks-sa-roles": {}, + "rbac.authorization.k8s.io/v1/kubescape/RoleBinding/ks-sa-role-binding": {} + }, + "ResourcesResult": { + "//ServiceAccount/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-loki": { + "resourceID": "//ServiceAccount/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-loki/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-loki", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"//ServiceAccount/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-tsdb": { + "resourceID": "//ServiceAccount/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-groundcover-tsdb/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-groundcover-tsdb", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/armo-system/ServiceAccount/armo-scanner-service-account/rbac.authorization.k8s.io/v1//ClusterRole/armo-scanner-service-account-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/armo-scanner-service-account-role-binding": { + "resourceID": "/armo-system/ServiceAccount/armo-scanner-service-account/rbac.authorization.k8s.io/v1//ClusterRole/armo-scanner-service-account-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/armo-scanner-service-account-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1//ClusterRole/castai-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/castai-agent": { + "resourceID": 
"/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1//ClusterRole/castai-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/castai-agent", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/Role/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/RoleBinding/castai-agent": { + "resourceID": "/castai-agent/ServiceAccount/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/Role/castai-agent/rbac.authorization.k8s.io/v1/castai-agent/RoleBinding/castai-agent", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-cainjector": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-cainjector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-cainjector", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": 
"exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager-cainjector:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager-cainjector:leaderelection": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager-cainjector/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager-cainjector:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager-cainjector:leaderelection", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-webhook:subjectaccessreviews/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-webhook:subjectaccessreviews/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin 
binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1/cert-manager/Role/cert-manager-webhook:dynamic-serving/rbac.authorization.k8s.io/v1/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager-webhook/rbac.authorization.k8s.io/v1/cert-manager/Role/cert-manager-webhook:dynamic-serving/rbac.authorization.k8s.io/v1/cert-manager/RoleBinding/cert-manager-webhook:dynamic-serving", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-approve:cert-manager-io/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-approve:cert-manager-io/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + 
"subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificates/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificates": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificates/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificates", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificatesigningrequests/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificatesigningrequests": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-certificatesigningrequests/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-certificatesigningrequests", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-challenges/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-challenges": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-challenges/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-challenges", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-clusterissuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-clusterissuers": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-clusterissuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-clusterissuers", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-ingress-shim/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-ingress-shim": { + 
"resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-ingress-shim/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-ingress-shim", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-issuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-issuers": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-issuers/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-issuers", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-orders/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-orders": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1//ClusterRole/cert-manager-controller-orders/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cert-manager-controller-orders", + "controls": [ + { + "controlID": 
"C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager:leaderelection": { + "resourceID": "/cert-manager/ServiceAccount/cert-manager/rbac.authorization.k8s.io/v1/kube-system/Role/cert-manager:leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/cert-manager:leaderelection", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/cyberarmor-system/ServiceAccount/ca-controller-service-account/rbac.authorization.k8s.io/v1//ClusterRole/ca-controller-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-controller-role-binding": { + "resourceID": "/cyberarmor-system/ServiceAccount/ca-controller-service-account/rbac.authorization.k8s.io/v1//ClusterRole/ca-controller-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-controller-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": 
"relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-crd": { + "resourceID": "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-crd", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + 
"subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-deployment": { + "resourceID": "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-deployment-operator-rbac-deployment", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-deployment": { + "resourceID": "/default/ServiceAccount/arango-deployment-operator/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-deployment/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-deployment", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, 
+ "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-crd": { + "resourceID": "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-crd/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-crd", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-storage": { + "resourceID": "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1//ClusterRole/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1//ClusterRoleBinding/arango-storage-operator-rbac-storage", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1/default/Role/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-storage-operator-rbac-storage": { + "resourceID": "/default/ServiceAccount/arango-storage-operator/rbac.authorization.k8s.io/v1/default/Role/arango-storage-operator-rbac-storage/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-storage-operator-rbac-storage", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/default/ServiceAccount/default/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-default/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-default": { + "resourceID": "/default/ServiceAccount/default/rbac.authorization.k8s.io/v1/default/Role/arango-deployment-operator-rbac-default/rbac.authorization.k8s.io/v1/default/RoleBinding/arango-deployment-operator-rbac-default", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/default/ServiceAccount/kubescape-sneeffer-service-account/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sneeffer-role-binding-container-profiling": { + "resourceID": "/default/ServiceAccount/kubescape-sneeffer-service-account/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sneeffer-role-binding-container-profiling", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + 
"value": "" + } + } + ] + } + ] + } + ] + }, + "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher": { + "resourceID": "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1/groundcover/Role/alligator/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/alligator": { + "resourceID": "/groundcover/ServiceAccount/alligator/rbac.authorization.k8s.io/v1/groundcover/Role/alligator/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/alligator", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/grafana/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": { + "resourceID": 
"/groundcover/ServiceAccount/grafana/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/groundcover-promscale/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": { + "resourceID": "/groundcover/ServiceAccount/groundcover-promscale/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/groundcover-victoria-metrics-agent/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-agent-role/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-agent-rolebinding": { + "resourceID": "/groundcover/ServiceAccount/groundcover-victoria-metrics-agent/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-agent-role/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-agent-rolebinding", + "controls": [ + { + "controlID": 
"C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-single": { + "resourceID": "/groundcover/ServiceAccount/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover-victoria-metrics-single/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover-victoria-metrics-single", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/k8s-watcher/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher": { + "resourceID": "/groundcover/ServiceAccount/k8s-watcher/rbac.authorization.k8s.io/v1//ClusterRole/groundcover-groundcover-metadata-fetcher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/groundcover-groundcover-metadata-fetcher", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": 
"passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/migrator/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": { + "resourceID": "/groundcover/ServiceAccount/migrator/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/groundcover/ServiceAccount/portal/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover": { + "resourceID": "/groundcover/ServiceAccount/portal/rbac.authorization.k8s.io/v1/groundcover/Role/groundcover/rbac.authorization.k8s.io/v1/groundcover/RoleBinding/groundcover", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller": { + "resourceID": "/kube-system/ServiceAccount/attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer": { + "resourceID": "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer": { + "resourceID": "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer": { + "resourceID": "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-public/RoleBinding/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer": { + "resourceID": "/kube-system/ServiceAccount/bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:bootstrap-signer/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:bootstrap-signer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:certificate-controller": { + "resourceID": "/kube-system/ServiceAccount/certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:certificate-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1//ClusterRole/gce:cloud-provider/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:cloud-provider": { + "resourceID": "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1//ClusterRole/gce:cloud-provider/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:cloud-provider", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/gce:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:cloud-provider": { + "resourceID": "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/gce:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/gce:cloud-provider", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:cloud-provider": { + "resourceID": 
"/kube-system/ServiceAccount/cloud-provider/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:cloud-provider/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:cloud-provider", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:clusterrole-aggregation-controller": { + "resourceID": "/kube-system/ServiceAccount/clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:clusterrole-aggregation-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:cronjob-controller": { + "resourceID": 
"/kube-system/ServiceAccount/cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:cronjob-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:cronjob-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:daemon-set-controller": { + "resourceID": "/kube-system/ServiceAccount/daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:daemon-set-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:daemon-set-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/deployment-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:deployment-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:deployment-controller": { + "resourceID": 
"/kube-system/ServiceAccount/deployment-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:deployment-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:deployment-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/disruption-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:disruption-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:disruption-controller": { + "resourceID": "/kube-system/ServiceAccount/disruption-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:disruption-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:disruption-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpoint-controller": { + "resourceID": 
"/kube-system/ServiceAccount/endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpoint-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpoint-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslice-controller": { + "resourceID": "/kube-system/ServiceAccount/endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslice-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslice-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslicemirroring-controller": { + "resourceID": 
"/kube-system/ServiceAccount/endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:endpointslicemirroring-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:endpointslicemirroring-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ephemeral-volume-controller": { + "resourceID": "/kube-system/ServiceAccount/ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ephemeral-volume-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ephemeral-volume-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/event-exporter-sa/rbac.authorization.k8s.io/v1//ClusterRole/view/rbac.authorization.k8s.io/v1//ClusterRoleBinding/event-exporter-rb": { + "resourceID": 
"/kube-system/ServiceAccount/event-exporter-sa/rbac.authorization.k8s.io/v1//ClusterRole/view/rbac.authorization.k8s.io/v1//ClusterRoleBinding/event-exporter-rb", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/expand-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:expand-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:expand-controller": { + "resourceID": "/kube-system/ServiceAccount/expand-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:expand-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:expand-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:generic-garbage-collector": { + "resourceID": 
"/kube-system/ServiceAccount/generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:generic-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:generic-garbage-collector", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRole/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gke-metrics-agent": { + "resourceID": "/kube-system/ServiceAccount/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRole/gke-metrics-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gke-metrics-agent", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:horizontal-pod-autoscaler": { + "resourceID": 
"/kube-system/ServiceAccount/horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:horizontal-pod-autoscaler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/job-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:job-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:job-controller": { + "resourceID": "/kube-system/ServiceAccount/job-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:job-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:job-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRole/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRoleBinding/konnectivity-agent-cpha": { + "resourceID": "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRole/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1//ClusterRoleBinding/konnectivity-agent-cpha", + "controls": [ + { + 
"controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/Role/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/konnectivity-agent-cpha": { + "resourceID": "/kube-system/ServiceAccount/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/Role/konnectivity-agent-cpha/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/konnectivity-agent-cpha", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager": { + "resourceID": "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + 
"status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election": { + "resourceID": "/kube-system/ServiceAccount/kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns-autoscaler": { + "resourceID": "/kube-system/ServiceAccount/kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns-autoscaler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", 
+ "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-dns/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns": { + "resourceID": "/kube-system/ServiceAccount/kube-dns/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-dns/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-dns", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-proxy": { + "resourceID": "/kube-system/ServiceAccount/kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-proxy", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler": { + "resourceID": 
"/kube-system/ServiceAccount/kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/metadata-agent/rbac.authorization.k8s.io/v1//ClusterRole/stackdriver:metadata-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/stackdriver:metadata-agent": { + "resourceID": "/kube-system/ServiceAccount/metadata-agent/rbac.authorization.k8s.io/v1//ClusterRole/stackdriver:metadata-agent/rbac.authorization.k8s.io/v1//ClusterRoleBinding/stackdriver:metadata-agent", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/metrics-server:system:auth-delegator": { + "resourceID": "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/metrics-server:system:auth-delegator", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec 
into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:metrics-server/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:metrics-server": { + "resourceID": "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1//ClusterRole/system:metrics-server/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:metrics-server", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/metrics-server-auth-reader": { + "resourceID": "/kube-system/ServiceAccount/metrics-server/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/metrics-server-auth-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, 
+ "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/namespace-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:namespace-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:namespace-controller": { + "resourceID": "/kube-system/ServiceAccount/namespace-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:namespace-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:namespace-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/node-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:node-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:node-controller": { + "resourceID": "/kube-system/ServiceAccount/node-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:node-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:node-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:persistent-volume-binder": { + "resourceID": "/kube-system/ServiceAccount/persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:persistent-volume-binder/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:persistent-volume-binder", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pod-garbage-collector": { + "resourceID": "/kube-system/ServiceAccount/pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pod-garbage-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pod-garbage-collector", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pv-protection-controller": { + "resourceID": "/kube-system/ServiceAccount/pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pv-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pv-protection-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pvc-protection-controller": { + "resourceID": "/kube-system/ServiceAccount/pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:pvc-protection-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:pvc-protection-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replicaset-controller": { + "resourceID": "/kube-system/ServiceAccount/replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replicaset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replicaset-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/replication-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replication-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replication-controller": { + "resourceID": "/kube-system/ServiceAccount/replication-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:replication-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:replication-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:resourcequota-controller": { + "resourceID": "/kube-system/ServiceAccount/resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:resourcequota-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:resourcequota-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:root-ca-cert-publisher": { + "resourceID": "/kube-system/ServiceAccount/root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:root-ca-cert-publisher/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:root-ca-cert-publisher", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/route-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:route-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:route-controller": { + "resourceID": "/kube-system/ServiceAccount/route-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:route-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:route-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/service-account-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-account-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-account-controller": { + "resourceID": "/kube-system/ServiceAccount/service-account-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-account-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-account-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/service-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-controller": { + "resourceID": "/kube-system/ServiceAccount/service-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:service-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:service-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:statefulset-controller": { + "resourceID": "/kube-system/ServiceAccount/statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:statefulset-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:statefulset-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/token-cleaner/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:token-cleaner/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:token-cleaner": { + "resourceID": "/kube-system/ServiceAccount/token-cleaner/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:token-cleaner/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:token-cleaner", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kube-system/ServiceAccount/ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-after-finished-controller": { + "resourceID": "/kube-system/ServiceAccount/ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-after-finished-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-after-finished-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"/kube-system/ServiceAccount/ttl-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-controller": { + "resourceID": "/kube-system/ServiceAccount/ttl-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:ttl-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:ttl-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1//ClusterRole/ks-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ks-sa-role-binding": { + "resourceID": "/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1//ClusterRole/ks-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ks-sa-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1/kubescape/Role/ks-sa-roles/rbac.authorization.k8s.io/v1/kubescape/RoleBinding/ks-sa-role-binding": { + "resourceID": 
"/kubescape/ServiceAccount/ks-sa/rbac.authorization.k8s.io/v1/kubescape/Role/ks-sa-roles/rbac.authorization.k8s.io/v1/kubescape/RoleBinding/ks-sa-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/kubescape/ServiceAccount/kubescape-sa/rbac.authorization.k8s.io/v1//ClusterRole/kubescape-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sa-role-binding": { + "resourceID": "/kubescape/ServiceAccount/kubescape-sa/rbac.authorization.k8s.io/v1//ClusterRole/kubescape-sa-roles/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-sa-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/backstage": { + "resourceID": "/v1//Namespace/backstage", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/castai-agent": { + "resourceID": "/v1//Namespace/castai-agent", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/cert-manager": { + "resourceID": "/v1//Namespace/cert-manager", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/default": { + "resourceID": "/v1//Namespace/default", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "internal-networking", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-default-namespace-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1//Namespace/groundcover": { + "resourceID": "/v1//Namespace/groundcover", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/harbor": { + "resourceID": "/v1//Namespace/harbor", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/kube-node-lease": { + "resourceID": "/v1//Namespace/kube-node-lease", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + 
"status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "internal-networking", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-node-lease-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1//Namespace/kube-public": { + "resourceID": "/v1//Namespace/kube-public", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "internal-networking", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1//Namespace/kube-system": { + "resourceID": "/v1//Namespace/kube-system", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "internal-networking", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-namespaces-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1//Namespace/kubescape": { + "resourceID": "/v1//Namespace/kubescape", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/mysql-demos": { + "resourceID": "/v1//Namespace/mysql-demos", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/systest-ns-p7rn": { + "resourceID": "/v1//Namespace/systest-ns-p7rn", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1//Namespace/test-vlun-ubuntu": { + "resourceID": "/v1//Namespace/test-vlun-ubuntu", + "controls": [ + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/backstage-app-config": { + "resourceID": 
"/v1/backstage/ConfigMap/backstage-app-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/backstage-app-env": { + "resourceID": "/v1/backstage/ConfigMap/backstage-app-env", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/backstage-auth": { + "resourceID": "/v1/backstage/ConfigMap/backstage-auth", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration 
files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "", + "paths": [ + { + "failedPath": "data[AUTH_OAUTH2_TOKEN_URL]", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/backstage-lighthouse": { + "resourceID": "/v1/backstage/ConfigMap/backstage-lighthouse", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/backstage-postgres-ca": { + "resourceID": "/v1/backstage/ConfigMap/backstage-postgres-ca", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", 
+ "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/backstage/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/backstage/ServiceAccount/default": { + "resourceID": "/v1/backstage/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + 
"fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/castai-agent/ConfigMap/castai-agent-autoscaler": { + "resourceID": "/v1/castai-agent/ConfigMap/castai-agent-autoscaler", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/castai-agent/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/castai-agent/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + 
"/v1/castai-agent/ServiceAccount/castai-agent": { + "resourceID": "/v1/castai-agent/ServiceAccount/castai-agent", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/castai-agent/ServiceAccount/default": { + "resourceID": "/v1/castai-agent/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/cert-manager/ConfigMap/cert-manager-webhook": { + "resourceID": "/v1/cert-manager/ConfigMap/cert-manager-webhook", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/cert-manager/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/cert-manager/ConfigMap/kube-root-ca.crt", + 
"controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/cert-manager/ServiceAccount/cert-manager": { + "resourceID": "/v1/cert-manager/ServiceAccount/cert-manager", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/cert-manager/ServiceAccount/cert-manager-cainjector": { + "resourceID": "/v1/cert-manager/ServiceAccount/cert-manager-cainjector", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/cert-manager/ServiceAccount/cert-manager-webhook": { + "resourceID": "/v1/cert-manager/ServiceAccount/cert-manager-webhook", + "controls": [ + { + "controlID": "C-0034", + 
"name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/cert-manager/ServiceAccount/default": { + "resourceID": "/v1/cert-manager/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/ConfigMap/arangodb-operator-feature-config-map": { + "resourceID": "/v1/default/ConfigMap/arangodb-operator-feature-config-map", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "", + "paths": [ + { + "failedPath": "data[DEPLOYMENT_FEATURE_JWT_ROTATION]", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/default/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/default/ConfigMap/kube-root-ca.crt", + 
"controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/default/ConfigMap/kubescape": { + "resourceID": "/v1/default/ConfigMap/kubescape", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "data[secretKey]", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-default-namespace-resources-1", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kubescape", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/busybox": { + "resourceID": "/v1/default/Pod/busybox", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + 
"status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + 
{ + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + 
"status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + 
"subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": 
"C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + 
"azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux 
hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": 
{ + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + 
"status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + 
"subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": 
"C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + 
"azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux 
hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": 
{ + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/ServiceAccount/arango-deployment-operator": { + "resourceID": "/v1/default/ServiceAccount/arango-deployment-operator", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/ServiceAccount/arango-storage-operator": { + "resourceID": "/v1/default/ServiceAccount/arango-storage-operator", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/default/ServiceAccount/default": { + "resourceID": "/v1/default/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-default-namespace-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/default/ServiceAccount/mysql-sidecar-sa": { + "resourceID": "/v1/default/ServiceAccount/mysql-sidecar-sa", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + 
{ + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/alligator-configuration": { + "resourceID": "/v1/groundcover/ConfigMap/alligator-configuration", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/alligator-scrape-configuration": { + "resourceID": "/v1/groundcover/ConfigMap/alligator-scrape-configuration", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + 
] + } + ] + }, + "/v1/groundcover/ConfigMap/grafana-dashboards": { + "resourceID": "/v1/groundcover/ConfigMap/grafana-dashboards", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/grafana-dashboards-provisioning": { + "resourceID": "/v1/groundcover/ConfigMap/grafana-dashboards-provisioning", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/grafana-datasources": { + "resourceID": 
"/v1/groundcover/ConfigMap/grafana-datasources", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-patroni": { + "resourceID": "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-patroni", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-pgbackrest": { + "resourceID": "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-pgbackrest", + 
"controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-scripts": { + "resourceID": "/v1/groundcover/ConfigMap/groundcover-groundcover-tsdb-scripts", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-agent-config": { + "resourceID": "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-agent-config", + "controls": [ + { + "controlID": "C-0012", + 
"name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-scrapeconfig": { + "resourceID": "/v1/groundcover/ConfigMap/groundcover-victoria-metrics-scrapeconfig", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/k8s-watcher-config": { + "resourceID": "/v1/groundcover/ConfigMap/k8s-watcher-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + 
"status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/groundcover/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/portal-config": { + "resourceID": "/v1/groundcover/ConfigMap/portal-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + 
"controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/shepherd-config": { + "resourceID": "/v1/groundcover/ConfigMap/shepherd-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ConfigMap/tracy-conf-fg9h4chctk": { + "resourceID": "/v1/groundcover/ConfigMap/tracy-conf-fg9h4chctk", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + 
"azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/alligator": { + "resourceID": "/v1/groundcover/ServiceAccount/alligator", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/default": { + "resourceID": "/v1/groundcover/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/grafana": { + "resourceID": "/v1/groundcover/ServiceAccount/grafana", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/groundcover-groundcover-loki": { + "resourceID": 
"/v1/groundcover/ServiceAccount/groundcover-groundcover-loki", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/groundcover-groundcover-tsdb": { + "resourceID": "/v1/groundcover/ServiceAccount/groundcover-groundcover-tsdb", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/groundcover-promscale": { + "resourceID": "/v1/groundcover/ServiceAccount/groundcover-promscale", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-agent": { + "resourceID": "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-agent", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-single": { + "resourceID": "/v1/groundcover/ServiceAccount/groundcover-victoria-metrics-single", 
+ "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/k8s-watcher": { + "resourceID": "/v1/groundcover/ServiceAccount/k8s-watcher", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/migrator": { + "resourceID": "/v1/groundcover/ServiceAccount/migrator", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/portal": { + "resourceID": "/v1/groundcover/ServiceAccount/portal", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/groundcover/ServiceAccount/shepherd": { + "resourceID": "/v1/groundcover/ServiceAccount/shepherd", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + 
"rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-chartmuseum": { + "resourceID": "/v1/harbor/ConfigMap/harbor-chartmuseum", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-core": { + "resourceID": "/v1/harbor/ConfigMap/harbor-core", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + 
"status": "skipped", + "subStatus": "", + "paths": [ + { + "failedPath": "data[REGISTRY_CREDENTIAL_USERNAME]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "data[TOKEN_SERVICE_URL]", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-jobservice": { + "resourceID": "/v1/harbor/ConfigMap/harbor-jobservice", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-jobservice-env": { + "resourceID": "/v1/harbor/ConfigMap/harbor-jobservice-env", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + 
], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "", + "paths": [ + { + "failedPath": "data[REGISTRY_CREDENTIAL_USERNAME]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "data[TOKEN_SERVICE_URL]", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-portal": { + "resourceID": "/v1/harbor/ConfigMap/harbor-portal", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-registry": { + "resourceID": "/v1/harbor/ConfigMap/harbor-registry", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE 
KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/harbor-registryctl": { + "resourceID": "/v1/harbor/ConfigMap/harbor-registryctl", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/harbor/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": 
"skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/harbor/ServiceAccount/default": { + "resourceID": "/v1/harbor/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/kube-node-lease/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/kube-node-lease/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-node-lease/ServiceAccount/default": { + "resourceID": "/v1/kube-node-lease/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-minikube-kube-node-lease-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-public/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/kube-public/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-public/ServiceAccount/default": { + "resourceID": "/v1/kube-public/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-2", + "attributes": { + "systemException": true + 
}, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/cluster-autoscaler-status": { + "resourceID": "/v1/kube-system/ConfigMap/cluster-autoscaler-status", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/cluster-kubestore": { + "resourceID": "/v1/kube-system/ConfigMap/cluster-kubestore", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN 
\\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/clustermetrics": { + "resourceID": "/v1/kube-system/ConfigMap/clustermetrics", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/extension-apiserver-authentication": { + "resourceID": "/v1/kube-system/ConfigMap/extension-apiserver-authentication", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + 
"sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/gke-common-webhook-heartbeat": { + "resourceID": "/v1/kube-system/ConfigMap/gke-common-webhook-heartbeat", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/gke-common-webhook-lock": { + "resourceID": "/v1/kube-system/ConfigMap/gke-common-webhook-lock", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + 
"subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/ingress-gce-lock": { + "resourceID": "/v1/kube-system/ConfigMap/ingress-gce-lock", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/ingress-uid": { + "resourceID": "/v1/kube-system/ConfigMap/ingress-uid", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/konnectivity-agent-autoscaler-config": { + "resourceID": 
"/v1/kube-system/ConfigMap/konnectivity-agent-autoscaler-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/kube-dns": { + "resourceID": "/v1/kube-system/ConfigMap/kube-dns", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/kube-dns-autoscaler": { + "resourceID": "/v1/kube-system/ConfigMap/kube-dns-autoscaler", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials 
in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/kube-system/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/kubedns-config-images": { + "resourceID": "/v1/kube-system/ConfigMap/kubedns-config-images", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations 
are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/metadata-agent-config": { + "resourceID": "/v1/kube-system/ConfigMap/metadata-agent-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/ConfigMap/metrics-server-config": { + "resourceID": "/v1/kube-system/ConfigMap/metrics-server-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + 
"aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-0mjl": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-0mjl", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": 
"C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + 
{ + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + 
"value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-8q2q": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-8q2q", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", 
+ "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + 
"namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": 
"automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-cw39": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-cw39", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": 
"", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + 
"guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service 
account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, 
+ "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-gqix": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-gqix", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": 
{ + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": 
"spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, 
+ "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + 
} + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + 
] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + 
{ + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-rgbb": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-rgbb", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + 
] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", 
+ "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": 
"exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + 
{ + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-zesg": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-2-65de223a-zesg", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + 
"name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource 
limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": 
[ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + 
{ + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-3-005b69ef-l4ig": { + "resourceID": "/v1/kube-system/Pod/kube-proxy-gke-cluster-mock-pool-3-005b69ef-l4ig", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ 
+ "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ 
+ { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": 
"spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": 
"Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/attachdetach-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/attachdetach-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-33", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "attachdetach-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/certificate-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/certificate-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "certificate-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/cloud-provider": { + "resourceID": "/v1/kube-system/ServiceAccount/cloud-provider", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-49", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/clusterrole-aggregation-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/clusterrole-aggregation-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "clusterrole-aggregation-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/cronjob-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/cronjob-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-32", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cronjob-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/daemon-set-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/daemon-set-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "daemon-set-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/default": { + "resourceID": "/v1/kube-system/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-1", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/deployment-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/deployment-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-25", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "deployment-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/disruption-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/disruption-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-kube-system-service-accounts-35", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "disruption-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/endpoint-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/endpoint-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpoint-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/endpointslice-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/endpointslice-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { 
+ "guid": "", + "name": "exclude-kube-system-service-accounts-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpointslice-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/endpointslicemirroring-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/endpointslicemirroring-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpointslicemirroring-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/ephemeral-volume-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/ephemeral-volume-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": 
"automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ephemeral-volume-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/event-exporter-sa": { + "resourceID": "/v1/kube-system/ServiceAccount/event-exporter-sa", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-87", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "event-exporter-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/expand-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/expand-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { 
+ "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "expand-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/fluentbit-gke": { + "resourceID": "/v1/kube-system/ServiceAccount/fluentbit-gke", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-89", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "fluentbit-gke", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/generic-garbage-collector": { + "resourceID": "/v1/kube-system/ServiceAccount/generic-garbage-collector", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + 
"fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "generic-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/gke-metrics-agent": { + "resourceID": "/v1/kube-system/ServiceAccount/gke-metrics-agent", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-84", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "gke-metrics-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/job-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/job-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { 
+ "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-23", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "job-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/konnectivity-agent": { + "resourceID": "/v1/kube-system/ServiceAccount/konnectivity-agent", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-aks-kube-system-sa-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/konnectivity-agent-cpha": { + "resourceID": "/v1/kube-system/ServiceAccount/konnectivity-agent-cpha", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + 
{ + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-38", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent-cpha", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/kube-dns": { + "resourceID": "/v1/kube-system/ServiceAccount/kube-dns", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-71", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/kube-dns-autoscaler": { + "resourceID": "/v1/kube-system/ServiceAccount/kube-dns-autoscaler", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { 
+ "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-78", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/kube-proxy": { + "resourceID": "/v1/kube-system/ServiceAccount/kube-proxy", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/metadata-agent": { + "resourceID": "/v1/kube-system/ServiceAccount/metadata-agent", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + 
} + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/metadata-proxy": { + "resourceID": "/v1/kube-system/ServiceAccount/metadata-proxy", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-80", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metadata-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/metrics-server": { + "resourceID": "/v1/kube-system/ServiceAccount/metrics-server", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-eks-resources-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + 
"guid": "", + "name": "exclude-aks-kube-system-sa-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/namespace-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/namespace-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "namespace-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/node-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/node-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": 
"", + "name": "exclude-kube-system-service-accounts-21", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/pdcsi-node-sa": { + "resourceID": "/v1/kube-system/ServiceAccount/pdcsi-node-sa", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-90", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pdcsi-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/persistent-volume-binder": { + "resourceID": "/v1/kube-system/ServiceAccount/persistent-volume-binder", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": 
"", + "name": "exclude-kube-system-service-accounts-27", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "persistent-volume-binder", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/pod-garbage-collector": { + "resourceID": "/v1/kube-system/ServiceAccount/pod-garbage-collector", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-36", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pod-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/pv-protection-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/pv-protection-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + 
], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pv-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/pvc-protection-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/pvc-protection-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pvc-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/replicaset-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/replicaset-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": 
"automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replicaset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/replication-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/replication-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replication-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/resourcequota-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/resourcequota-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + 
"paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "resourcequota-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/root-ca-cert-publisher": { + "resourceID": "/v1/kube-system/ServiceAccount/root-ca-cert-publisher", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "root-ca-cert-publisher", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/service-account-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/service-account-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": 
"passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-account-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/service-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/service-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/statefulset-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/statefulset-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": 
"automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "statefulset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/ttl-after-finished-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/ttl-after-finished-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-37", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-after-finished-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kube-system/ServiceAccount/ttl-controller": { + "resourceID": "/v1/kube-system/ServiceAccount/ttl-controller", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": 
"w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kube-system-service-accounts-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/host-scanner-definition": { + "resourceID": "/v1/kubescape/ConfigMap/host-scanner-definition", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/ks-cloud-config": { + "resourceID": "/v1/kubescape/ConfigMap/ks-cloud-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + 
"rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/kubescape/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kubescape-config": { + "resourceID": "/v1/kubescape/ConfigMap/kubescape-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + 
"azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kubescape-cronjob-template": { + "resourceID": "/v1/kubescape/ConfigMap/kubescape-cronjob-template", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kubescape-scheduler": { + "resourceID": "/v1/kubescape/ConfigMap/kubescape-scheduler", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + 
"secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kubevuln-cronjob-template": { + "resourceID": "/v1/kubescape/ConfigMap/kubevuln-cronjob-template", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/kubevuln-scheduler": { + "resourceID": "/v1/kubescape/ConfigMap/kubevuln-scheduler", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + 
"BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/otel-collector-config": { + "resourceID": "/v1/kubescape/ConfigMap/otel-collector-config", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ConfigMap/registry-scan-cronjob-template": { + "resourceID": "/v1/kubescape/ConfigMap/registry-scan-cronjob-template", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + 
"sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ServiceAccount/default": { + "resourceID": "/v1/kubescape/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/kubescape/ServiceAccount/ks-sa": { + "resourceID": "/v1/kubescape/ServiceAccount/ks-sa", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/v1/kubescape/ServiceAccount/kubescape-sa": { + "resourceID": "/v1/kubescape/ServiceAccount/kubescape-sa", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "/v1/systest-ns-p7rn/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/systest-ns-p7rn/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": 
[ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/systest-ns-p7rn/ServiceAccount/default": { + "resourceID": "/v1/systest-ns-p7rn/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "/v1/test-vlun-ubuntu/ConfigMap/kube-root-ca.crt": { + "resourceID": "/v1/test-vlun-ubuntu/ConfigMap/kube-root-ca.crt", + "controls": [ + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-configmap", + "status": "skipped", + "subStatus": "" + } + ] + } + ] + }, + "/v1/test-vlun-ubuntu/ServiceAccount/default": { + "resourceID": "/v1/test-vlun-ubuntu/ServiceAccount/default", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": 
"", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/backstage/Deployment/backstage-backend": { + "resourceID": "apps/v1/backstage/Deployment/backstage-backend", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + 
"SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration 
files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/backstage/Deployment/backstage-frontend": { + "resourceID": "apps/v1/backstage/Deployment/backstage-frontend", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + 
} + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + 
"subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/backstage/Deployment/backstage-lighthouse": { + "resourceID": "apps/v1/backstage/Deployment/backstage-lighthouse", + "controls": [ + { + "controlID": "C-0017", + "name": 
"Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": 
"Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + 
"azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/backstage/StatefulSet/backstage-postgresql": { + "resourceID": "apps/v1/backstage/StatefulSet/backstage-postgresql", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + 
"name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].env[10].name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/castai-agent/Deployment/castai-agent-cpvpa": { + "resourceID": "apps/v1/castai-agent/Deployment/castai-agent-cpvpa", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + 
"status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] 
+ }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/cert-manager/Deployment/cert-manager": { + "resourceID": "apps/v1/cert-manager/Deployment/cert-manager", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": 
"failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + 
"status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/cert-manager/Deployment/cert-manager-cainjector": { + "resourceID": "apps/v1/cert-manager/Deployment/cert-manager-cainjector", + "controls": [ + { + "controlID": "C-0017", + "name": 
"Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": 
"insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"apps/v1/cert-manager/Deployment/cert-manager-webhook": { + "resourceID": "apps/v1/cert-manager/Deployment/cert-manager-webhook", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + 
"SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": 
"passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/default/Deployment/arango-deployment-operator": { + "resourceID": "apps/v1/default/Deployment/arango-deployment-operator", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + 
"SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": 
"passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/default/Deployment/arango-storage-operator": { + "resourceID": "apps/v1/default/Deployment/arango-storage-operator", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + 
"NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + 
"rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/default/Deployment/nginx-deployment": { + "resourceID": "apps/v1/default/Deployment/nginx-deployment", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { 
+ "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } 
+ ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/DaemonSet/alligator": { + "resourceID": "apps/v1/groundcover/DaemonSet/alligator", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + 
"name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.hostPID", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "failed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.capabilities.add[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "spec.template.spec.containers[0].securityContext.capabilities.add[1]", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.capabilities.add[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + 
"controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] 
+ }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/Deployment/grafana": { + "resourceID": "apps/v1/groundcover/Deployment/grafana", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": 
"" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].env[0].name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "f682fe50-976d-47e9-a321-f353c525835c", + "name": "exception_C-0012_groundcover_7bbf9e504042cd1c045358c732dea82e", + "attributes": { + "namespaceOnly": "true" + }, + "updatedTime": "2023-01-24T09:14:34Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T09:14:34Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "namespace": "groundcover" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + 
"apps/v1/groundcover/Deployment/groundcover-promscale": { + "resourceID": "apps/v1/groundcover/Deployment/groundcover-promscale", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] 
+ }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + 
"azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].env[2].name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "04aeaa34-659f-46f4-ad94-5196ce57a442", + "name": "exception_C-0012_groundcover-promscale_1c76b9c76feb9b55cf88fcbd0aa50bec", + "updatedTime": "2023-01-24T09:14:27Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T09:14:27Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "kind": "Deployment", + "name": "groundcover-promscale", + "namespace": "groundcover" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "f682fe50-976d-47e9-a321-f353c525835c", + "name": "exception_C-0012_groundcover_7bbf9e504042cd1c045358c732dea82e", + "attributes": { + "namespaceOnly": "true" + }, + "updatedTime": "2023-01-24T09:14:34Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T09:14:34Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "namespace": "groundcover" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent": { + "resourceID": "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + 
"insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications 
credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/Deployment/k8s-watcher": { + "resourceID": "apps/v1/groundcover/Deployment/k8s-watcher", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": 
"failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": 
"false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/Deployment/portal": { + "resourceID": "apps/v1/groundcover/Deployment/portal", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": 
"failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ 
+ { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + 
"controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/Deployment/shepherd": { + "resourceID": "apps/v1/groundcover/Deployment/shepherd", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + 
"status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + 
] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + 
"paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + 
"credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + 
{ + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + 
"status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + 
"status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { 
+ "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "spec.template.spec.automountServiceAccountToken", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + 
"sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-chartmuseum": { + "resourceID": "apps/v1/harbor/Deployment/harbor-chartmuseum", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" 
+ }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": 
"YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-core": { + "resourceID": "apps/v1/harbor/Deployment/harbor-core", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + 
"status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": 
"false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-jobservice": { + "resourceID": 
"apps/v1/harbor/Deployment/harbor-jobservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", 
+ "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + 
"azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-notary-server": { + "resourceID": "apps/v1/harbor/Deployment/harbor-notary-server", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + 
"status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-notary-signer": { + "resourceID": "apps/v1/harbor/Deployment/harbor-notary-signer", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork 
access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" 
+ }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + 
"fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-portal": { + "resourceID": "apps/v1/harbor/Deployment/harbor-portal", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure 
capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are 
empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/Deployment/harbor-registry": { + "resourceID": "apps/v1/harbor/Deployment/harbor-registry", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": 
"YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + 
"bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/StatefulSet/harbor-database": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-database", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/StatefulSet/harbor-redis": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-redis", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + 
"status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + 
"rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { 
+ "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/harbor/StatefulSet/harbor-trivy": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-trivy", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + 
"MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + 
"status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/kube-proxy": { + "resourceID": "apps/v1/kube-system/DaemonSet/kube-proxy", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ 
+ { + "failedPath": "spec.template.spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": 
"C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + 
"name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + 
"rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + 
{ + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/metadata-proxy-v0.1": { + "resourceID": "apps/v1/kube-system/DaemonSet/metadata-proxy-v0.1", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": 
"metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + 
"controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + 
"status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": 
"Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/nccl-fastsocket-installer": { + "resourceID": "apps/v1/kube-system/DaemonSet/nccl-fastsocket-installer", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + 
"path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + 
{ + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.hostPID", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/nvidia-gpu-device-plugin": { + "resourceID": "apps/v1/kube-system/DaemonSet/nvidia-gpu-device-plugin", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" 
+ } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": 
"w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + 
"controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/pdcsi-node": { + "resourceID": "apps/v1/kube-system/DaemonSet/pdcsi-node", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { 
+ "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", 
+ "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "spec.template.spec.containers[1].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + 
"name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/DaemonSet/pdcsi-node-windows": { + "resourceID": "apps/v1/kube-system/DaemonSet/pdcsi-node-windows", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + 
] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seccompProfile", + "value": 
"YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + 
], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/konnectivity-agent": { + "resourceID": "apps/v1/kube-system/Deployment/konnectivity-agent", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + 
"controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic 
mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + 
"sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/konnectivity-agent-autoscaler": { + "resourceID": "apps/v1/kube-system/Deployment/konnectivity-agent-autoscaler", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": 
"YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + 
"insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations 
are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/kube-dns": { + "resourceID": "apps/v1/kube-system/Deployment/kube-dns", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + 
"status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.memory", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[2].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[2].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + 
} + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + 
], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[2].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[2].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[2].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" 
+ } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + 
{ + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/kube-dns-autoscaler": { + "resourceID": "apps/v1/kube-system/Deployment/kube-dns-autoscaler", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": 
"C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/l7-default-backend": { + "resourceID": 
"apps/v1/kube-system/Deployment/l7-default-backend", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", 
+ "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + 
}, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + 
"name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kube-system/Deployment/metrics-server-v0.5.2": { + "resourceID": "apps/v1/kube-system/Deployment/metrics-server-v0.5.2", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[1].resources.limits.cpu", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-30", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + 
"path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-gke-kube-system-resources-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kubescape/Deployment/gateway": { + "resourceID": "apps/v1/kubescape/Deployment/gateway", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": 
"immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "", + "controlID": "c-0030" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kubescape/Deployment/kubescape": { + "resourceID": "apps/v1/kubescape/Deployment/kubescape", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container 
filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + 
"kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kubescape/Deployment/kubevuln": { + 
"resourceID": "apps/v1/kubescape/Deployment/kubevuln", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + 
"status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + 
"subStatus": "" + } + ] + } + ] + }, + "apps/v1/kubescape/Deployment/operator": { + "resourceID": "apps/v1/kubescape/Deployment/operator", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-2", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": 
"passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" 
+ }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/kubescape/StatefulSet/kollector": { + "resourceID": "apps/v1/kubescape/StatefulSet/kollector", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "passed", + "subStatus": "w/exceptions", + "exception": 
[ + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + 
}, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + 
"controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16": { + "resourceID": "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", 
+ "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + 
"path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest": { + "resourceID": "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + 
}, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": 
{ + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + 
"fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "batch/v1/kubescape/CronJob/kubescape-scheduler": { + "resourceID": "batch/v1/kubescape/CronJob/kubescape-scheduler", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + 
} + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": 
"spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "batch/v1/kubescape/CronJob/kubevuln-scheduler": { + "resourceID": "batch/v1/kubescape/CronJob/kubevuln-scheduler", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-network-access", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + 
"status": { + "status": "failed" + }, + "rules": [ + { + "name": "resource-policies", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "container-hostPort", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": { + "status": "passed" + }, + "rules": [ + { + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL" + ] + }, + "name": "insecure-capabilities", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": 
"spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "automount-service-account", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "rules": [ + { + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + }, + "name": "rule-credentials-in-env-var", + "status": "skipped", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": 
"rule-allow-privilege-escalation", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + } + ] + }, + "container.googleapis.com/v1/ClusterDescribe/cluster-mock": { + "resourceID": "container.googleapis.com/v1/ClusterDescribe/cluster-mock", + "controls": [ + { + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "k8s-audit-logs-enabled-cloud", + "status": "failed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0068", + "name": "PSP enabled", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "psp-enabled-cloud", + "status": "failed", + "subStatus": "", + "paths": [ + { + "fixPath": { + "path": "", + "value": "" + }, + "fixCommand": "gcloud beta container clusters update \u003ccluster_name\u003e --enable-pod-security-policy" + } + ] + } + ] + }, + { + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": { + "status": "failed" + }, + "rules": [ + { + "name": "secret-etcd-encryption-cloud", + "status": "failed", + "subStatus": "", + "paths": [ + { + "failedPath": "data.database_encryption.state", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "fixPath": { + "path": "", + "value": "" + }, + "fixCommand": "gcloud container clusters update \u003ccluster_name\u003e --region=\u003ccompute_region\u003e --database-encryption-key=\u003ckey_project_id\u003e/locations/\u003clocation\u003e/keyRings/\u003cring_name\u003e/cryptoKeys/\u003ckey_name\u003e --project=\u003ccluster_project_id\u003e" + } + ] + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/gce.gke-metrics-agent": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/gce.gke-metrics-agent", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": 
[ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover-alligator": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover-alligator", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-loki": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-loki", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-tsdb": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover-groundcover-tsdb", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-agent": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-agent", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": 
"rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-single": { + "resourceID": "policy/v1beta1//PodSecurityPolicy/groundcover-victoria-metrics-single", + "controls": [ + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:basic-user/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:basic-user": { + "resourceID": "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:basic-user/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:basic-user", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:discovery": { + "resourceID": "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:discovery", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": 
"Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer": { + "resourceID": "rbac.authorization.k8s.io//Group/system:authenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:masters/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-admin": { + "resourceID": "rbac.authorization.k8s.io//Group/system:masters/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-admin", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + 
"path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-system-users-and-groups-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-61", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + 
"fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-system-users-and-groups-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-61", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRole/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:monitoring": { + "resourceID": 
"rbac.authorization.k8s.io//Group/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRole/system:monitoring/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:monitoring", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:nodes/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-rotation/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-rotation": { + "resourceID": "rbac.authorization.k8s.io//Group/system:nodes/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-rotation/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-rotation", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/mysql-operator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/mysql-operator-rolebinding": { + "resourceID": "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/mysql-operator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/mysql-operator-rolebinding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec 
into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/system:service-account-issuer-discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:service-account-issuer-discovery": { + "resourceID": "rbac.authorization.k8s.io//Group/system:serviceaccounts/rbac.authorization.k8s.io/v1//ClusterRole/system:service-account-issuer-discovery/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:service-account-issuer-discovery", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//Group/system:unauthenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer": { + "resourceID": "rbac.authorization.k8s.io//Group/system:unauthenticated/rbac.authorization.k8s.io/v1//ClusterRole/system:public-info-viewer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:public-info-viewer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + 
"name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/read-updateinfo/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler-updateinfo": { + "resourceID": "rbac.authorization.k8s.io//User/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/read-updateinfo/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler-updateinfo", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/kube-apiserver/rbac.authorization.k8s.io/v1//ClusterRole/kubelet-api-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kube-apiserver-kubelet-api-admin": { + "resourceID": "rbac.authorization.k8s.io//User/kube-apiserver/rbac.authorization.k8s.io/v1//ClusterRole/kubelet-api-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kube-apiserver-kubelet-api-admin", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-certificate-bootstrap": { + "resourceID": "rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-certificate-bootstrap", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-node-bootstrapper": { + "resourceID": "rbac.authorization.k8s.io//User/kubelet-bootstrap/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap-node-bootstrapper", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-bootstrap": { + "resourceID": "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/gce:beta:kubelet-certificate-bootstrap/rbac.authorization.k8s.io/v1//ClusterRoleBinding/gce:beta:kubelet-certificate-bootstrap", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap": { + "resourceID": "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-bootstrapper/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-bootstrap", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-user-npd-binding": { + "resourceID": 
"rbac.authorization.k8s.io//User/kubelet/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubelet-user-npd-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRole/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:clustermetrics": { + "resourceID": "rbac.authorization.k8s.io//User/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRole/system:clustermetrics/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:clustermetrics", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:glbc": { + "resourceID": "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:glbc", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + 
"status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status": { + "resourceID": "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:glbc": { + "resourceID": "rbac.authorization.k8s.io//User/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/Role/system:controller:glbc/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:controller:glbc", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": 
"rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gcp-controller-manager": { + "resourceID": "rbac.authorization.k8s.io//User/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:gcp-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gcp-controller-manager", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-common-webhooks": { + "resourceID": "rbac.authorization.k8s.io//User/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-common-webhooks/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-common-webhooks", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-healthcheck": { + "resourceID": "rbac.authorization.k8s.io//User/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-healthcheck/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-healthcheck", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-resourcequota": { + "resourceID": "rbac.authorization.k8s.io//User/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-master-resourcequota/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-master-resourcequota", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/system:konnectivity-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:konnectivity-server": { + "resourceID": "rbac.authorization.k8s.io//User/system:konnectivity-server/rbac.authorization.k8s.io/v1//ClusterRole/system:auth-delegator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:konnectivity-server", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-controller-manager": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-controller-manager/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-controller-manager", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-controller-manager", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-controller-manager/rbac.authorization.k8s.io/v1/kube-system/Role/system:gke-kcm-ccm-leader-election/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system:gke-kcm-ccm-leader-election", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node-proxier": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-proxy/rbac.authorization.k8s.io/v1//ClusterRole/system:node-proxier/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:node-proxier", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-scheduler": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kube-scheduler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:volume-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:volume-scheduler": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1//ClusterRole/system:volume-scheduler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:volume-scheduler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/extension-apiserver-authentication-reader/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::extension-apiserver-authentication-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler": { + "resourceID": "rbac.authorization.k8s.io//User/system:kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/Role/system::leader-locking-kube-scheduler/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/system::leader-locking-kube-scheduler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kubestore-collector": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRole/system:kubestore-collector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:kubestore-collector", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:l7-lb-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status": { + "resourceID": "rbac.authorization.k8s.io//User/system:l7-lb-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:glbc-status/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:glbc-status", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:managed-certificate-controller": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:managed-certificate-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:managed-certificate-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:master-prom-to-sd-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:master-monitoring-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/master-monitoring-role-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:master-prom-to-sd-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:master-monitoring-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/master-monitoring-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/npd-binding": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRole/system:node-problem-detector/rbac.authorization.k8s.io/v1//ClusterRoleBinding/npd-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-attacher-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-attacher-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-attacher-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-attacher-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-provisioner-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-provisioner-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-provisioner-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-provisioner-binding", + "controls": [ + { + 
"controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-resizer-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-resizer-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-resizer-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-controller-resizer-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-snapshotter-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-snapshotter-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1//ClusterRole/pdcsi-snapshotter-role/rbac.authorization.k8s.io/v1//ClusterRoleBinding/pdcsi-snapshotter-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin 
binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1/kube-system/Role/pdcsi-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/pdcsi-leaderelection-binding": { + "resourceID": "rbac.authorization.k8s.io//User/system:pdcsi-controller/rbac.authorization.k8s.io/v1/kube-system/Role/pdcsi-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/pdcsi-leaderelection-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRole/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:resource-tracker": { + "resourceID": "rbac.authorization.k8s.io//User/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRole/system:resource-tracker/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:resource-tracker", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io//User/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:slo-monitor": { + "resourceID": "rbac.authorization.k8s.io//User/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRole/system:slo-monitor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:slo-monitor", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1//ClusterRole/snapshot-controller-runner/rbac.authorization.k8s.io/v1//ClusterRoleBinding/snapshot-controller-role": { + "resourceID": "rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1//ClusterRole/snapshot-controller-runner/rbac.authorization.k8s.io/v1//ClusterRoleBinding/snapshot-controller-role", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1/kube-system/Role/snapshot-controller-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/snapshot-controller-leaderelection": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:snapshot-controller/rbac.authorization.k8s.io/v1/kube-system/Role/snapshot-controller-leaderelection/rbac.authorization.k8s.io/v1/kube-system/RoleBinding/snapshot-controller-leaderelection", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-migrator-v2": { + "resourceID": "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/cluster-admin/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-migrator-v2", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-system-users-and-groups-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:storageversionmigrator" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "w/exceptions", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-system-users-and-groups-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:storageversionmigrator" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-crd-creator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-crd-creator": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-crd-creator/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-crd-creator", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-initializer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-initializer": { + "resourceID": "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-initializer/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-initializer", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-trigger/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-trigger": { + "resourceID": 
"rbac.authorization.k8s.io//User/system:storageversionmigrator/rbac.authorization.k8s.io/v1//ClusterRole/storage-version-migration-trigger/rbac.authorization.k8s.io/v1//ClusterRoleBinding/storage-version-migration-trigger", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/ca-cr-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-cr": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/ca-cr-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/ca-cr", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRole/cluster-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/cluster-autoscaler", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into 
container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/external-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/uas-hpa-external-metrics-reader": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/external-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/uas-hpa-external-metrics-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-hpa-controller": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:horizontal-pod-autoscaler/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-hpa-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, 
+ { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-controller": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-controller", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-actor": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-actor/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-actor", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-service-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-service-reader": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-hpa-service-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-hpa-service-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-collection-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-collection-reader": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-collection-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-collection-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + }, + 
"rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-metrics-reader": { + "resourceID": "rbac.authorization.k8s.io/kube-system/User/system:vpa-recommender/rbac.authorization.k8s.io/v1//ClusterRole/system:gke-uas-metrics-reader/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:gke-uas-metrics-reader", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed", + "subStatus": "" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": { + "status": "passed" + }, + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed", + "subStatus": "" + } + ] + } + ] + } + }, + "ResourceSource": {}, + "ResourcesPrioritized": { + "/v1/default/Pod/busybox": { + "resourceID": "/v1/default/Pod/busybox", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + 
"attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-anjaz5mc-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": 
"control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-npwpt86h-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": 
"C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-agnt-nzebiyc1-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + 
"security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-88slq37r-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + 
"controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-ibc869nn-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege 
escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-crdn-kxxdvkqo-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + 
"compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-4kda68jq-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + 
"severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-5rdzp9ym-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": 
"container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2": { + "resourceID": "/v1/default/Pod/example-simple-cluster-no-tls-prmr-ndlskuaa-2133a2", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { 
+ "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 176.00000000000003, + "severity": 3 + }, + "apps/v1/backstage/Deployment/backstage-backend": { + "resourceID": "apps/v1/backstage/Deployment/backstage-backend", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", 
+ "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/backstage/Deployment/backstage-frontend": { + "resourceID": "apps/v1/backstage/Deployment/backstage-frontend", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege 
escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/backstage/Deployment/backstage-lighthouse": { + "resourceID": "apps/v1/backstage/Deployment/backstage-lighthouse", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + 
"score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/backstage/StatefulSet/backstage-postgresql": { + "resourceID": "apps/v1/backstage/StatefulSet/backstage-postgresql", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": 
"container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/castai-agent/Deployment/castai-agent-cpvpa": { + "resourceID": "apps/v1/castai-agent/Deployment/castai-agent-cpvpa", + 
"priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 39.6, + "severity": 2 + } + ], + "score": 47.300000000000004, + "severity": 3 + }, + "apps/v1/cert-manager/Deployment/cert-manager": { + "resourceID": "apps/v1/cert-manager/Deployment/cert-manager", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 136.4, + "severity": 3 + }, + "apps/v1/cert-manager/Deployment/cert-manager-cainjector": { + "resourceID": 
"apps/v1/cert-manager/Deployment/cert-manager-cainjector", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 136.4, + "severity": 3 + }, + "apps/v1/cert-manager/Deployment/cert-manager-webhook": { + "resourceID": "apps/v1/cert-manager/Deployment/cert-manager-webhook", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + 
"severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 136.4, + "severity": 3 + }, + "apps/v1/default/Deployment/arango-deployment-operator": { + "resourceID": "apps/v1/default/Deployment/arango-deployment-operator", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 8.4, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 43.199999999999996, + "severity": 2 + } + ], + "score": 51.599999999999994, + "severity": 3 + }, + "apps/v1/default/Deployment/arango-storage-operator": { + "resourceID": "apps/v1/default/Deployment/arango-storage-operator", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 8.4, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 43.199999999999996, + "severity": 2 + } + ], + "score": 51.599999999999994, + "severity": 3 + }, + 
"apps/v1/default/Deployment/nginx-deployment": { + "resourceID": "apps/v1/default/Deployment/nginx-deployment", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 9.1, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 23.400000000000002, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 15.600000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 23.400000000000002, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 140.4, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + 
"tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 11.700000000000001, + "severity": 1 + } + ], + "score": 223.6, + "severity": 3 + }, + "apps/v1/groundcover/DaemonSet/alligator": { + "resourceID": "apps/v1/groundcover/DaemonSet/alligator", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0038", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 23.1, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0046", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 23.1, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0057", + "category": "Privilege escalation", + "tags": [ + "security" + ] + } + ], + "score": 26.400000000000002, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + 
"security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 254.10000000000002, + "severity": 3 + }, + "apps/v1/groundcover/Deployment/grafana": { + "resourceID": "apps/v1/groundcover/Deployment/grafana", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + 
"tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/Deployment/groundcover-promscale": { + "resourceID": "apps/v1/groundcover/Deployment/groundcover-promscale", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + 
"category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent": { + "resourceID": "apps/v1/groundcover/Deployment/groundcover-victoria-metrics-agent", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + 
"security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/Deployment/k8s-watcher": { + "resourceID": "apps/v1/groundcover/Deployment/k8s-watcher", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": 
"Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/Deployment/portal": { + "resourceID": "apps/v1/groundcover/Deployment/portal", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + 
"category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/Deployment/shepherd": { + "resourceID": "apps/v1/groundcover/Deployment/shepherd", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": 
"C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-groundcover-loki", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ 
+ "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-groundcover-tsdb", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + 
"controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 149.60000000000002, + "severity": 3 + }, + "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics": { + "resourceID": "apps/v1/groundcover/StatefulSet/groundcover-victoria-metrics", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", 
+ "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 181.50000000000003, + "severity": 2 + }, + "apps/v1/harbor/Deployment/harbor-chartmuseum": { + "resourceID": "apps/v1/harbor/Deployment/harbor-chartmuseum", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + 
"category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-core": { + "resourceID": "apps/v1/harbor/Deployment/harbor-core", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + 
"category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-jobservice": { + "resourceID": "apps/v1/harbor/Deployment/harbor-jobservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + 
"severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-notary-server": { + "resourceID": "apps/v1/harbor/Deployment/harbor-notary-server", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": 
"C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-notary-signer": { + "resourceID": "apps/v1/harbor/Deployment/harbor-notary-signer", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + 
"controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-portal": { + "resourceID": "apps/v1/harbor/Deployment/harbor-portal", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + 
"severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/Deployment/harbor-registry": { + "resourceID": "apps/v1/harbor/Deployment/harbor-registry", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/StatefulSet/harbor-database": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-database", + "priorityVector": [ + { + "attackTrackName": "container", 
+ "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/StatefulSet/harbor-redis": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-redis", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", 
+ "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "apps/v1/harbor/StatefulSet/harbor-trivy": { + "resourceID": "apps/v1/harbor/StatefulSet/harbor-trivy", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + 
"compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 23.1, + "severity": 2 + }, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16": { + "resourceID": "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-16", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + 
"security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest": { + "resourceID": "apps/v1/test-vlun-ubuntu/Deployment/ubuntu-latest", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + 
"category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Credential access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0034", + "category": "Impact - K8s API access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 118.80000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 189.20000000000002, + "severity": 3 + }, + "batch/v1/kubescape/CronJob/kubescape-scheduler": { + "resourceID": "batch/v1/kubescape/CronJob/kubescape-scheduler", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + 
{ + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + }, + "batch/v1/kubescape/CronJob/kubevuln-scheduler": { + "resourceID": "batch/v1/kubescape/CronJob/kubevuln-scheduler", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0009", + "category": "Impact - service destruction", + "tags": [ + "security" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 13.200000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 19.8, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + 
"vector": [ + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 9.9, + "severity": 1 + } + ], + "score": 70.4, + "severity": 3 + } + }, + "ResourceAttackTracks": {}, + "AttackTracks": null, + "Report": { + "generationTime": "2023-03-06T15:44:44.930707522Z", + "metadata": { + "targetMetadata": {}, + "clusterMetadata": {}, + "scanMetadata": {} + }, + "clusterAPIServerInfo": { + "major": "1", + "minor": "24", + "gitVersion": "v1.24.9-gke.3200", + "gitCommit": "92ea556d4e7418d0e7b5db1ee576a73f8fc47e91", + "gitTreeState": "clean", + "buildDate": "2023-01-20T09:29:29Z", + "goVersion": "go1.18.9b7", + "compiler": "gc", + "platform": "linux/amd64" + }, + "customerGUID": "", + "clusterName": "", + "clusterCloudProvider": "GKE", + "reportGUID": "", + "jobID": "", + "attributes": null, + "summaryDetails": { + "controls": { + "C-0002": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 151, + "failedResources": 2, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 2 + }, + "score": 1.3071896, + "scoreFactor": 5 + }, + "C-0005": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0005", + "name": "API server insecure port is enabled", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0009": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + 
"passedResources": 33, + "failedResources": 36, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 18 + }, + "score": 50.559006, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 134, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 32, + "failedResources": 37, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 14 + }, + "score": 48.81987, + "scoreFactor": 6 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 39, + "failedResources": 37, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 14 + }, + "score": 44.914284, + "scoreFactor": 6 + }, + "C-0017": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 27, + "failedResources": 42, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 23 + }, + "score": 55.03105, + "scoreFactor": 3 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + 
"status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 24, + "failedResources": 45, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 24 + }, + "score": 61.739136, + "scoreFactor": 6 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 84, + "failedResources": 59, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 64 + }, + "score": 41.229774, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 151, + "failedResources": 2, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 2 + }, + "score": 1.3071896, + "scoreFactor": 6 + }, + "C-0038": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 1 + }, + "score": 1.242236, + "scoreFactor": 7 + }, + "C-0041": { + "statusInfo": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 69, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 11 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0044": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": 
"passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 69, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0046": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 1.242236, + "scoreFactor": 7 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 4, + "failedResources": 9, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 4 + }, + "score": 69.23077, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 39, + "failedResources": 30, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 16 + }, + "score": 40.12422, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 11 + }, + "score": 1.242236, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", 
+ "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0066": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "skipped", + "info": "enable-host-scan flag not used. 
For more information: https://hub.armosec.io/docs/host-sensor" + }, + "controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "skipped", + "info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 9 + } + }, + "status": "failed", + "frameworks": [ + { + "controls": { + "C-0002": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 151, + "failedResources": 2, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 2 + }, + "score": 1.3071896, + "scoreFactor": 5 + }, + "C-0005": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0005", + "name": "API server insecure port is enabled", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0009": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 
33, + "failedResources": 36, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 18 + }, + "score": 50.559006, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "skipped", + "subStatus": "configuration", + "info": "Control configurations are empty" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 134, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 32, + "failedResources": 37, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 14 + }, + "score": 48.81987, + "scoreFactor": 6 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 39, + "failedResources": 37, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 14 + }, + "score": 44.914284, + "scoreFactor": 6 + }, + "C-0017": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 27, + "failedResources": 42, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 23 + }, + "score": 55.03105, + "scoreFactor": 3 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": 
"failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 24, + "failedResources": 45, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 24 + }, + "score": 61.739136, + "scoreFactor": 6 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 84, + "failedResources": 59, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 64 + }, + "score": 41.229774, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 151, + "failedResources": 2, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 2 + }, + "score": 1.3071896, + "scoreFactor": 6 + }, + "C-0038": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 1 + }, + "score": 1.242236, + "scoreFactor": 7 + }, + "C-0041": { + "statusInfo": { + "status": "passed", + "subStatus": "w/exceptions" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 69, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 11 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0044": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": "passed", + 
"resourceIDs": {}, + "ResourceCounters": { + "passedResources": 69, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0046": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 1.242236, + "scoreFactor": 7 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 4, + "failedResources": 9, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 4 + }, + "score": 69.23077, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 39, + "failedResources": 30, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 16 + }, + "score": 40.12422, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 68, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 11 + }, + "score": 1.242236, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": 
"passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "passed", + "subStatus": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0066": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 100, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "skipped", + "info": "enable-host-scan flag not used. 
For more information: https://hub.armosec.io/docs/host-sensor" + }, + "controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "skipped", + "info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "skipped", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "skippedResources": 0, + "excludedResources": 0 + }, + "subStatusCounters": { + "ignoredResources": 0 + }, + "score": 0, + "scoreFactor": 9 + } + }, + "name": "NSA", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 210, + "failedResources": 83, + "skippedResources": 89, + "excludedResources": 0 + }, + "score": 19.654322 + } + ], + "resourcesSeverityCounters": { + "criticalSeverity": 0, + "highSeverity": 39, + "mediumSeverity": 223, + "lowSeverity": 43 + }, + "controlsSeverityCounters": { + "criticalSeverity": 0, + "highSeverity": 4, + "mediumSeverity": 10, + "lowSeverity": 2 + }, + "ResourceCounters": { + "passedResources": 210, + "failedResources": 83, + "skippedResources": 89, + "excludedResources": 0 + }, + "score": 19.654322 + }, + "paginationInfo": { + "chunkNumber": 0, + "isLastChunk": false + } + }, + "RegoInputData": { + "postureControlInputs": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [], + "imageRepositoryAllowList": [], + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + 
"PERFMON", + "ALL" + ], + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ], + "listOfDangerousArtifacts": [ + "bin/bash", + "sbin/sh", + "bin/ksh", + "bin/tcsh", + "bin/zsh", + "usr/bin/scsh", + "bin/csh", + "bin/busybox", + "usr/bin/busybox" + ], + "listOfDangerousArtifcats": [ + "bin/bash", + "sbin/sh", + "bin/ksh", + "bin/tcsh", + "bin/zsh", + "usr/bin/scsh", + "bin/csh", + "bin/busybox", + "usr/bin/busybox" + ], + "max_critical_vulnerabilities": [ + "5" + ], + "max_high_vulnerabilities": [ + "10" + ], + "memory_limit_max": [ + "2Mi" + ], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [], + "publicRegistries": [], + "recommendedLabels": [ + "tier", + "phase", + "version", + "owner", + "env" + ], + "sensitiveInterfaces": [ + "nifi", + "argo-server", + "weave-scope-app", + "kubeflow", + "kubernetes-dashboard" + ], + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValues": [ + "BEGIN \\w+ PRIVATE KEY", + "PRIVATE KEY", + "eyJhbGciO", + "JWT", + "Bearer", + "secret_access" + ], + "sensitiveValuesAllowed": [], + "servicesNames": [ + "nifi-service", + "argo-server", + "minio", + "postgres", + "workflow-controller-metrics", + "weave-scope-app", + "kubernetes-dashboard" + ], + "trustedCosignPublicKeys": [], + "untrustedRegistries": [], + "wlKnownNames": [ + "coredns", + "kube-proxy", + "event-exporter-gke", + "kube-dns", + "17-default-backend", + "metrics-server", + "ca-audit", + "ca-dashboard-aggregator", + "ca-notification-server", + "ca-ocimage", + "ca-oracle", + "ca-posture", + "ca-rbac", + 
"ca-vuln-scan", + "ca-webhook", + "ca-websocket", + "clair-clair" + ] + }, + "dataControlInputs": null + }, + "Metadata": { + "targetMetadata": { + "clusterContextMetadata": { + "namespaceToNumberOfResources": { + "backstage": 11, + "castai-agent": 7, + "cert-manager": 11, + "default": 18, + "groundcover": 49, + "harbor": 19, + "kube-node-lease": 2, + "kube-public": 4, + "kube-system": 101, + "kubescape": 22, + "systest-ns-p7rn": 2, + "test-vlun-ubuntu": 4 + }, + "cloudMetadata": { + "cloudProvider": "GKE", + "shortName": "cluster-mock", + "fullName": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "prefixName": "gke_elated-pottery-310110_us-central1-c" + }, + "cloudProvider": "gke", + "contextName": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "numberOfWorkerNodes": 7 + } + }, + "clusterMetadata": { + "cloudMetadata": { + "cloudProvider": "GKE", + "shortName": "cluster-mock", + "fullName": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "prefixName": "gke_elated-pottery-310110_us-central1-c" + } + }, + "scanMetadata": { + "targetType": "Framework", + "formatVersion": "v2", + "formats": [ + "" + ], + "targetNames": [ + "nsa" + ], + "failThreshold": 100, + "submit": true + } + }, + "InfoMap": { + "hostdata.kubescape.cloud/v1beta0/KubeletCommandLine": { + "status": "skipped", + "info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor" + }, + "hostdata.kubescape.cloud/v1beta0/KubeletConfiguration": { + "status": "skipped", + "info": "enable-host-scan flag not used. For more information: https://hub.armosec.io/docs/host-sensor" + }, + "hostdata.kubescape.cloud/v1beta0/KubeletInfo": { + "status": "skipped", + "info": "enable-host-scan flag not used. 
For more information: https://hub.armosec.io/docs/host-sensor" + } + }, + "ResourceToControlsMap": { + "container.googleapis.com/v1/ClusterDescribe": [ + "C-0066", + "C-0067", + "C-0068" + ], + "eks.amazonaws.com/v1/ClusterDescribe": [ + "C-0066", + "C-0067", + "C-0068" + ], + "hostdata.kubescape.cloud/v1beta0/KubeletCommandLine": [ + "C-0070" + ], + "hostdata.kubescape.cloud/v1beta0/KubeletConfiguration": [ + "C-0070" + ], + "hostdata.kubescape.cloud/v1beta0/KubeletInfo": [ + "C-0069" + ], + "management.azure.com/v1/ClusterDescribe": [ + "C-0066", + "C-0067", + "C-0068" + ] + }, + "SessionID": "207c249d-c64d-4250-9562-7ba009e846c8", + "Policies": [ + { + "guid": "", + "name": "NSA", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "description": "Implement NSA security advices for K8s ", + "controls": [ + { + "guid": "", + "name": "Exec into container", + "attributes": { + "armoBuiltin": true, + "controlTypeTags": [ + "compliance", + "security-impact" + ], + "microsoftMitreColumns": [ + "Execution" + ], + "rbacQuery": "Show who can access into pods" + }, + "controlID": "C-0002", + "creationTime": "", + "description": "Attackers with relevant permissions can run malicious commands in the context of legitimate containers in the cluster using “kubectl exec” command. This control determines which subjects have permissions to use this command.", + "remediation": "It is recommended to prohibit “kubectl exec” command in production environments. 
It is also recommended not to use subjects with this permission for daily cluster operations.", + "rules": [ + { + "guid": "", + "name": "exec-into-container-v1", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::Exec into container", + "resourcesAggregator": "subject-role-rolebinding", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# input: regoResponseVectorObject\n# returns subjects that can exec into container\n\ndeny[msga] {\n\tsubjectVector := input[_]\n\trole := subjectVector.relatedObjects[i]\n\trolebinding := subjectVector.relatedObjects[j]\n\tendswith(role.kind, \"Role\")\n\tendswith(rolebinding.kind, \"Binding\")\n\n\trule := role.rules[p]\n\n\tsubject := rolebinding.subjects[k]\n\tis_same_subjects(subjectVector, subject)\n\n\trule_path := sprintf(\"relatedObjects[%d].rules[%d]\", [i, p])\n\n\tverbs := [\"create\", \"*\"]\n\tverb_path := [sprintf(\"%s.verbs[%d]\", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]\n\tcount(verb_path) \u003e 0\n\n\tapi_groups := [\"\", \"*\"]\n\tapi_groups_path := [sprintf(\"%s.apiGroups[%d]\", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]\n\tcount(api_groups_path) \u003e 0\n\n\tresources := [\"pods/exec\", \"pods/*\", \"*\"]\n\tresources_path := [sprintf(\"%s.resources[%d]\", [rule_path, l]) | resource = rule.resources[l]; resource in resources]\n\tcount(resources_path) \u003e 0\n\n\tpath := array.concat(resources_path, verb_path)\n\tpath2 := array.concat(path, api_groups_path)\n\tfinalpath := array.concat(path2, [\n\t\tsprintf(\"relatedObjects[%d].subjects[%d]\", [j, k]),\n\t\tsprintf(\"relatedObjects[%d].roleRef.name\", [j]),\n\t])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Subject: %s-%s can exec into containers\", [subjectVector.kind, subjectVector.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": 
finalpath,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": subjectVector,\n\t\t},\n\t}\n}\n\n# for service accounts\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.namespace == subject.namespace\n}\n\n# for users/ groups\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.apiGroup == subject.apiGroup\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "rbac.authorization.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "RoleBinding", + "ClusterRoleBinding", + "Role", + "ClusterRole" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines which users have permissions to exec into pods", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 5 + }, + { + "guid": "", + "name": "API server insecure port is enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0005", + "creationTime": "", + "description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.", + "remediation": "Set the insecure-port flag of the API server to zero.", + "rules": [ + { + "guid": "", + "name": "insecure-port-flag", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.cautils as cautils\n\n# Fails if pod has insecure-port flag enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontains(pod.metadata.name, \"kube-apiserver\")\n 
container := pod.spec.containers[i]\n\tpath = is_insecure_port_flag(container, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"The API server container: %v has insecure-port flag enabled\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\t\nis_insecure_port_flag(container, i) = path {\n\tcommand := container.command[j]\n\tcontains(command, \"--insecure-port=1\")\n\tpath := sprintf(\"spec.containers[%v].command[%v]\", [format_int(i, 10), format_int(j, 10)])\n}", + "resourceEnumerator": "package armo_builtins\nimport data.cautils as cautils\n\n# Fails if pod has insecure-port flag enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontains(pod.metadata.name, \"kube-apiserver\")\n container := pod.spec.containers[_]\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"The API server container: %v has insecure-port flag enabled\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [\"\"],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if the api server has insecure-port enabled", + "remediation": "Make sure that the insecure-port flag of the api server is set to 0", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 9 + }, + { + "guid": "", + "name": "Resource limits", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Impact - service destruction" + ] + } + ], + "controlTypeTags": [ + "security" + ] + }, + "controlID": "C-0009", + "creationTime": "", + 
"description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "rules": [ + { + "guid": "", + "name": "resource-policies", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if container has limits\ndeny[msga] {\n \tpods := [pod | pod = input[_]; pod.kind == \"Pod\"]\n pod := pods[_]\n\tcontainer := pod.spec.containers[i]\n\t\n\t\n\tbeggining_of_path := \"spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Check if container has limits - for workloads\n# If there is no limits specified in the workload, we check the namespace, since if limits are only specified for namespace\n# and not in workload, it won't be on the yaml\ndeny[msga] {\n\twl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\t\n\tbeggining_of_path\t:= \"spec.template.spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\t\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined 
for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n\t\n}\n\n# Check if container has limits - for cronjobs\n# If there is no limits specified in the cronjob, we check the namespace, since if limits are only specified for namespace\n# and not in cronjob, it won't be on the yaml\ndeny [msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\t\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tfixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i)\n\t\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"there are no cpu and memory limits defined for container : %v\", [container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixPath,\n\t\t\"failedPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# no limits at all\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tnot container.resources.limits\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}, {\"path\": sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}\n\n# only memory limit\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tcontainer.resources.limits\n\tnot container.resources.limits.cpu\n\tcontainer.resources.limits.memory\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}\n\n# only cpu limit\nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) =fixPath {\n\tcontainer.resources.limits\n\tnot 
container.resources.limits.memory\n\tcontainer.resources.limits.cpu\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n\tfailed_path = \"\"\n}\n# limits but without capu and memory \nis_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath {\n\tcontainer.resources.limits\n\tnot container.resources.limits.memory\n\tnot container.resources.limits.cpu\n\tfixPath = [{\"path\": sprintf(\"%vcontainers[%v].resources.limits.cpu\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}, {\"path\": sprintf(\"%vcontainers[%v].resources.limits.memory\", [beggining_of_path, format_int(i, 10)]), \"value\":\"YOUR_VALUE\"}]\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if namespace has no resource policies defined", + "remediation": "Make sure that you definy resource policies (LimitRange or ResourceQuota) which limit the usage of resources for all the namespaces", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + { + "guid": "", + "name": "Applications credentials in configuration files", + "attributes": { + "actionRequired": "configuration", + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Credential access" + ] + }, + { + "attackTrack": "container", + "categories": [ + "Credential access" + ] + } + ], + "controlTypeTags": [ + "security", + 
"compliance", + "security-impact" + ], + "microsoftMitreColumns": [ + "Credential access", + "Lateral Movement" + ] + }, + "controlID": "C-0012", + "creationTime": "", + "description": "Attackers who have access to configuration files can steal the stored secrets and use them. This control checks if ConfigMaps or pod specifications have sensitive information in their configuration.", + "remediation": "Use Kubernetes secrets or Key Management Systems to store credentials.", + "rules": [ + { + "guid": "", + "name": "rule-credentials-in-env-var", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" + }, + "creationTime": "", + "rule": "\tpackage armo_builtins\n\t# import data.cautils as cautils\n\t# import data.kubernetes.api.client as client\n\timport data\n\n\tdeny[msga] {\n\t\tpod := input[_]\n\t\tpod.kind == \"Pod\"\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := pod.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by user\n\t\tnot is_allowed_value(env.value) \n\n\t\tis_not_reference(env)\n\n\t\tpath := sprintf(\"spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"Pod: %v has sensitive information in environment variables\", [pod.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [pod]\n\t\t\t}\n\t\t}\n\t}\n\n\tdeny[msga] {\n\t\twl := input[_]\n\t\tspec_template_spec_patterns := 
{\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\t\tspec_template_spec_patterns[wl.kind]\n\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := wl.spec.template.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by user\n\t\tnot is_allowed_value(env.value) \n\n\t\tis_not_reference(env)\n\n\t\tpath := sprintf(\"spec.template.spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\t\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"%v: %v has sensitive information in environment variables\", [wl.kind, wl.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [wl]\n\t\t\t}\n\t\t}\n\t}\n\n\tdeny[msga] {\n\t\twl := input[_]\n\t\twl.kind == \"CronJob\"\n\t\t# see default-config-inputs.json for list values\n\t\tsensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n\t\tkey_name := sensitive_key_names[_]\n\t\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\t\tenv := container.env[j]\n\n\t\tcontains(lower(env.name), key_name)\n\n\t\tenv.value != \"\"\n\t\t# check that value wasn't allowed by user\n\t\tnot is_allowed_value(env.value) \n\t\t\n\t\tis_not_reference(env)\n\t\t\n\t\tpath := sprintf(\"spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name\", [format_int(i, 10), format_int(j, 10)])\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"Cronjob: %v has sensitive information in environment variables\", [wl.metadata.name]),\n\t\t\t\"alertScore\": 9,\n\t\t\t\"fixPaths\": [],\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": 
[wl]\n\t\t\t}\n\t\t}\n\t}\n\n\n\nis_not_reference(env)\n{\n\tnot env.valueFrom.secretKeyRef\n\tnot env.valueFrom.configMapKeyRef\n}\n\nis_allowed_value(value) {\n allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]\n value == allow_val\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.sensitiveKeyNames", + "settings.postureControlInputs.sensitiveValuesAllowed" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.sensitiveKeyNames", + "name": "Keys", + "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. 
Here you can find some examples of popular key phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "AllowedValues", + "description": "Allowed values" + } + ], + "description": "fails if Pods have sensitive information in configuration", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + }, + { + "guid": "", + "name": "rule-credentials-configmap", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Credential access::Applications credentials in configuration files, Lateral Movement::Applications credentials in configuration files" + }, + "creationTime": "", + "rule": "package armo_builtins\n# import data.cautils as cautils\n# import data.kubernetes.api.client as client\nimport data\n\n# fails if config map has keys with suspicious name\ndeny[msga] {\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n # see default-config-inputs.json for list values\n sensitive_key_names := data.postureControlInputs.sensitiveKeyNames\n key_name := sensitive_key_names[_]\n map_secret := configmap.data[map_key]\n map_secret != \"\"\n \n contains(lower(map_key), lower(key_name))\n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n \n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n# fails if config map has values with suspicious content - not base 64\ndeny[msga] {\n # see default-config-inputs.json for list values\n sensitive_values := data.postureControlInputs.sensitiveValues\n value := sensitive_values[_]\n\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n map_secret := configmap.data[map_key]\n map_secret != 
\"\"\n\n regex.match(value , map_secret)\n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n\n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n# fails if config map has values with suspicious content - base 64\ndeny[msga] {\n # see default-config-inputs.json for list values\n sensitive_values := data.postureControlInputs.sensitiveValues\n value := sensitive_values[_]\n\n\tconfigmap := input[_]\n configmap.kind == \"ConfigMap\"\n map_secret := configmap.data[map_key]\n map_secret != \"\"\n\n decoded_secret := base64.decode(map_secret)\n \n # check that value wasn't allowed by user\n not is_allowed_value(map_secret)\n\n regex.match(value , decoded_secret)\n\n path := sprintf(\"data[%v]\", [map_key])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"this configmap has sensitive information: %v\", [configmap.metadata.name]),\n\t\t\"alertScore\": 9,\n \"failedPaths\": [path],\n \"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [configmap]\n\t\t}\n }\n}\n\n\nis_allowed_value(value) {\n allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]\n value == allow_val\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "ConfigMap" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.sensitiveValues", + "settings.postureControlInputs.sensitiveKeyNames", + "settings.postureControlInputs.sensitiveValuesAllowed" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.sensitiveValues", + "name": "Values", + "description": "Secrets are 
stored as a key/value pair. The names of the keys/values may change from one company to the other. Below you can find some examples of popular value phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveKeyNames", + "name": "Keys", + "description": "Secrets are stored as a key/value pair. The names of the keys/values may change from one company to the other. Here you can find some examples of popular key phrases that Kubescape is searching for" + }, + { + "path": "settings.postureControlInputs.sensitiveValuesAllowed", + "name": "AllowedValues", + "description": "Allowed values" + } + ], + "description": "fails if ConfigMaps have sensitive information in configuration", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 8 + }, + { + "guid": "", + "name": "Non-root containers", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0013", + "creationTime": "", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. 
Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", + "rules": [ + { + "guid": "", + "name": "non-root-containers", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n################################################################################\n# Rules\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\n\tbeggining_of_path := \"spec\"\n\talertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v may run as root\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\n\tbeggining_of_path := \"spec.template.spec\"\n\talertInfo := evaluate_workload_non_root_container(container, wl.spec.template, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v may run as root\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has a container configured to run as root\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\n\tbeggining_of_path := 
\"spec.jobTemplate.spec.template.spec\"\n\talertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, beggining_of_path)\n\tfixPath := get_fixed_path(alertInfo, i)\n failed_path := get_failed_path(alertInfo, i) \n\t\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v may run as root\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n \"fixPaths\": fixPath,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nget_failed_path(alertInfo, i) = [replace(alertInfo.failed_path,\"container_ndx\",format_int(i,10))] {\n\talertInfo.failed_path != \"\"\n} else = []\n\n\nget_fixed_path(alertInfo, i) = [{\"path\":replace(alertInfo.fixPath[0].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[0].value}, {\"path\":replace(alertInfo.fixPath[1].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[1].value}]{\n\tcount(alertInfo.fixPath) == 2\n} else = [{\"path\":replace(alertInfo.fixPath[0].path,\"container_ndx\",format_int(i,10)), \"value\":alertInfo.fixPath[0].value}] {\n\tcount(alertInfo.fixPath) == 1\n} else = []\n\n#################################################################################\n# Workload evaluation \n\nevaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo {\n\trunAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path)\n\trunAsNonRootValue.value == false\n\t\n\trunAsUserValue := get_run_as_user_value(container, pod, beggining_of_path)\n\trunAsUserValue.value == 0\n\n\talertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)\n} else = alertInfo {\n allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path)\n allowPrivilegeEscalationValue.value == true\n\n alertInfo := 
allowPrivilegeEscalationValue\n}\n\n\n#################################################################################\n# Value resolution functions\n\n\nget_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot {\n failed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]) \n runAsNonRoot := {\"value\" : container.securityContext.runAsNonRoot, \"failed_path\" : failed_path, \"fixPath\": [] ,\"defined\" : true}\n} else = runAsNonRoot {\n\tfailed_path := sprintf(\"%v.securityContext.runAsNonRoot\", [beggining_of_path]) \n runAsNonRoot := {\"value\" : pod.spec.securityContext.runAsNonRoot, \"failed_path\" : failed_path, \"fixPath\": [], \"defined\" : true}\n} else = {\"value\" : false, \"failed_path\" : \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}], \"defined\" : false} {\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : false, \"failed_path\" : \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]) , \"value\":\"true\"}, {\"path\":sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}], \"defined\" : false}\n\nget_run_as_user_value(container, pod, beggining_of_path) = runAsUser {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsUser\", [beggining_of_path]) \n runAsUser := {\"value\" : container.securityContext.runAsUser, \"failed_path\" : failed_path, \"fixPath\": [], \"defined\" : true}\n} else = runAsUser {\n\tfailed_path := sprintf(\"%v.securityContext.runAsUser\", [beggining_of_path]) \n runAsUser := {\"value\" : pod.spec.securityContext.runAsUser, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = {\"value\" : 0, \"failed_path\": \"\", \"fixPath\": [{\"path\": 
sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}],\"defined\" : false}{\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : 0, \"failed_path\": \"\", \n\t\"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"},{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}],\n\t\"defined\" : false}\n\nget_run_as_group_value(container, pod, beggining_of_path) = runAsGroup {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.runAsGroup\", [beggining_of_path])\n runAsGroup := {\"value\" : container.securityContext.runAsGroup, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = runAsGroup {\n\tfailed_path := sprintf(\"%v.securityContext.runAsGroup\", [beggining_of_path])\n runAsGroup := {\"value\" : pod.spec.securityContext.runAsGroup, \"failed_path\" : failed_path, \"fixPath\":[], \"defined\" : true}\n} else = {\"value\" : 0, \"failed_path\": \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"}], \"defined\" : false}{\n\tis_allow_privilege_escalation_field(container, pod)\n} else = {\"value\" : 0, \"failed_path\": \"\", \n\t\"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.runAsNonRoot\", [beggining_of_path]), \"value\":\"true\"},{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}],\n \t\"defined\" : false\n}\n\nget_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation {\n\tfailed_path := sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path])\n allowPrivilegeEscalation := {\"value\" : 
container.securityContext.allowPrivilegeEscalation, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = allowPrivilegeEscalation {\n\tfailed_path := sprintf(\"%v.securityContext.allowPrivilegeEscalation\", [beggining_of_path])\n allowPrivilegeEscalation := {\"value\" : pod.spec.securityContext.allowPrivilegeEscalation, \"failed_path\" : failed_path, \"fixPath\": [],\"defined\" : true}\n} else = {\"value\" : true, \"failed_path\": \"\", \"fixPath\": [{\"path\": sprintf(\"%v.containers[container_ndx].securityContext.allowPrivilegeEscalation\", [beggining_of_path]), \"value\":\"false\"}], \"defined\" : false}\n\nchoose_first_if_defined(l1, l2) = c {\n l1.defined\n c := l1\n} else = l2\n\n\nis_allow_privilege_escalation_field(container, pod) {\n\tcontainer.securityContext.allowPrivilegeEscalation == false\n}\n\nis_allow_privilege_escalation_field(container, pod) {\n\tpod.spec.securityContext.allowPrivilegeEscalation == false\n}\n\n\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container can run as root", + "remediation": "Make sure that the user/group in the securityContext of pod/container is set to an id less than 1000, or the runAsNonRoot flag is set to true. 
Also make sure that the allowPrivilegeEscalation field is set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Allow privilege escalation", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0016", + "creationTime": "", + "description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.", + "remediation": "If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.", + "rules": [ + { + "guid": "", + "name": "rule-allow-privilege-escalation", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has container that allow privilege escalation\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v allow privilege escalation\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has a container that allow privilege escalation\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := 
\"spec.template.spec.\"\n result := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v allow privilege escalation\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has a container that allow privilege escalation\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tresult := is_allow_privilege_escalation_container(container, i, beggining_of_path)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v allow privilege escalation\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n not container.securityContext.allowPrivilegeEscalation == false\n\tnot container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) == 0\n\tfailed_path = \"\"\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)]), \"value\":\"false\"} \n}\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n not container.securityContext.allowPrivilegeEscalation == 
false\n\tnot container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) \u003e 0\n\tpsp := psps[_]\n\tnot psp.spec.allowPrivilegeEscalation == false\n\tfailed_path = \"\"\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)]), \"value\":\"false\"} \n}\n\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] {\n container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) == 0\n\tfixPath = \"\"\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)])\n}\n\nis_allow_privilege_escalation_container(container, i, beggining_of_path)= [failed_path, fixPath] {\n container.securityContext.allowPrivilegeEscalation == true\n\tpsps := [psp | psp= input[_]; psp.kind == \"PodSecurityPolicy\"]\n\tcount(psps) \u003e 0\n\tpsp := psps[_]\n\tnot psp.spec.allowPrivilegeEscalation == false\n\tfixPath = \"\"\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.allowPrivilegeEscalation\", [beggining_of_path, format_int(i, 10)])\n}\n\n get_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + }, + { + "apiGroups": [ + "policy" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "PodSecurityPolicy" + ] + } + ], + 
"ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container allows privilege escalation", + "remediation": "Make sure that the allowPrivilegeEscalation field in the securityContext of pod/container is set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Immutable container filesystem", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Execution", + "Persistence" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0017", + "creationTime": "", + "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", + "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). 
If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "rules": [ + { + "guid": "", + "name": "immutable-container-filesystem", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pods has container with mutable filesystem\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v has mutable filesystem\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has container with mutable filesystem \ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n result := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v has mutable filesystem\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has container with mutable filesystem \ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = 
wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tresult := is_mutable_filesystem(container, beggining_of_path, i)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container :%v in %v: %v has mutable filesystem\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": failed_path,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec\nis_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] {\n\tcontainer.securityContext.readOnlyRootFilesystem == false\n\tfailed_path = sprintf(\"%vcontainers[%v].securityContext.readOnlyRootFilesystem\", [beggining_of_path, format_int(i, 10)])\n\tfixPath = \"\"\n }\n\n is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] {\n\tnot container.securityContext.readOnlyRootFilesystem == false\n not container.securityContext.readOnlyRootFilesystem == true\n\tfixPath = {\"path\": sprintf(\"%vcontainers[%v].securityContext.readOnlyRootFilesystem\", [beggining_of_path, format_int(i, 10)]), \"value\": \"true\"}\n\tfailed_path = \"\"\n }\n\n\n get_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + 
"ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container has mutable filesystem", + "remediation": "Make sure that the securityContext.readOnlyRootFilesystem field in the container/pod spec is set to true", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 3 + }, + { + "guid": "", + "name": "Ingress and Egress blocked", + "attributes": { + "armoBuiltin": true, + "controlTypeTags": [ + "compliance" + ] + }, + "controlID": "C-0030", + "creationTime": "", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "remediation": "Define a network policy that restricts ingress and egress connections.", + "rules": [ + { + "guid": "", + "name": "ingress-and-egress-blocked", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# For pods\ndeny[msga] {\n \t\tpods := [pod | pod= input[_]; pod.kind == \"Pod\"]\n\t\tnetworkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\t\tpod := pods[_]\n\t\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; pod_connected_to_network_policy(pod, networkpolicie)]\n\t\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\t\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v does not have ingress/egress defined\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n\n}\n\n# For pods\ndeny[msga] {\n \t\tpods := 
[pod | pod= input[_]; pod.kind == \"Pod\"]\n\t\tnetworkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\t\tpod := pods[_]\n\t\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; pod_connected_to_network_policy(pod, networkpolicie)]\n\t\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v does not have ingress/egress defined\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n\n}\n\n# For workloads\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; wlConnectedToNetworkPolicy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# For workloads\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := 
[networkpolicie | networkpolicie= networkpolicies[_]; wlConnectedToNetworkPolicy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# For Cronjobs\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; cronjob_connected_to_network_policy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003e 0\n goodPolicies := [goodpolicie | goodpolicie= network_policies_connected_to_pod[_]; is_ingerss_egress_policy(goodpolicie)]\n\tcount(goodPolicies) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# For Cronjobs\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n networkpolicies := [networkpolicie | networkpolicie= input[_]; networkpolicie.kind == \"NetworkPolicy\"]\n\tnetwork_policies_connected_to_pod := [networkpolicie | networkpolicie= networkpolicies[_]; cronjob_connected_to_network_policy(wl, networkpolicie)]\n\tcount(network_policies_connected_to_pod) \u003c 1\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v has Pods which don't have ingress/egress defined\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": 
{\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tmetadata1.namespace == metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tnot metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata2.namespace\n\tmetadata1.namespace == \"default\"\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tmetadata2.namespace == \"default\"\n}\n\npod_connected_to_network_policy(pod, networkpolicie){\n\tis_same_namespace(networkpolicie.metadata, pod.metadata)\n count(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == pod.metadata.labels[x]}) == count(networkpolicie.spec.podSelector.matchLabels)\n}\n\npod_connected_to_network_policy(pod, networkpolicie){\n\tis_same_namespace(networkpolicie.metadata ,pod.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\nwlConnectedToNetworkPolicy(wl, networkpolicie){\n\tis_same_namespace(wl.metadata , networkpolicie.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\n\nwlConnectedToNetworkPolicy(wl, networkpolicie){\n\tis_same_namespace(wl.metadata, networkpolicie.metadata)\n\tcount(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == wl.spec.template.metadata.labels[x]}) == count(networkpolicie.spec.podSelector.matchLabels)\n}\n\n\ncronjob_connected_to_network_policy(cj, networkpolicie){\n\tis_same_namespace(cj.metadata , networkpolicie.metadata)\n count(networkpolicie.spec.podSelector) == 0\n}\n\ncronjob_connected_to_network_policy(cj, networkpolicie){\n\tis_same_namespace(cj.metadata , networkpolicie.metadata)\n\tcount(networkpolicie.spec.podSelector) \u003e 0\n count({x | networkpolicie.spec.podSelector.matchLabels[x] == cj.spec.jobTemplate.spec.template.metadata.labels[x]}) == count(networkpolicie.spec.podSelector.matchLabels)\n}\n\nis_ingerss_egress_policy(networkpolicie) {\n 
list_contains(networkpolicie.spec.policyTypes, \"Ingress\")\n list_contains(networkpolicie.spec.policyTypes, \"Egress\")\n }\n\nlist_contains(list, element) {\n some i\n list[i] == element\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + }, + { + "apiGroups": [ + "networking.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "NetworkPolicy" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if there are no ingress and egress defined for pod", + "remediation": "Make sure you define ingress and egress policies for all your Pods", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Automatic mapping of service account", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Credential access", + "Impact - K8s API access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0034", + "creationTime": "", + "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. 
Note that POD level takes precedence.", + "rules": [ + { + "guid": "", + "name": "automount-service-account", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# Fails if user account mount tokens in pod by default\ndeny [msga]{\n service_accounts := [service_account | service_account= input[_]; service_account.kind == \"ServiceAccount\"]\n service_account := service_accounts[_]\n result := is_auto_mount(service_account)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t \"alertMessage\": sprintf(\"the following service account: %v in the following namespace: %v mounts service account tokens in pods by default\", [service_account.metadata.name, service_account.metadata.namespace]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [service_account]\n\t\t}\n\t}\n} \n\n\n # -- ---- For workloads -- ---- \n# Fails if pod mount tokens by default (either by its config or by its SA config)\n\n # POD \ndeny [msga]{\n pod := input[_]\n\tpod.kind == \"Pod\"\n\n\tbeggining_of_path := \"spec.\"\n\twl_namespace := pod.metadata.namespace\n\tresult := is_sa_auto_mounted(pod.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t \"alertMessage\": sprintf(\"Pod: %v in the following namespace: %v mounts service account tokens by default\", [pod.metadata.name, pod.metadata.namespace]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n} \n\n# WORKLOADS\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := 
{\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tbeggining_of_path := \"spec.template.spec.\"\n\n\twl_namespace := wl.metadata.namespace\n\tresult := is_sa_auto_mounted(wl.spec.template.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v in the following namespace: %v mounts service account tokens by default\", [wl.kind, wl.metadata.name, wl.metadata.namespace]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# CRONJOB\ndeny[msga] {\n \twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n \n\twl_namespace := wl.metadata.namespace\n\tresult := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, beggining_of_path, wl_namespace)\n\tfailed_path := get_failed_path(result)\n fixed_path := get_fixed_path(result)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v in the following namespace: %v mounts service account tokens by default\", [wl.kind, wl.metadata.name, wl.metadata.namespace]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"fixPaths\": fixed_path,\n\t\t\"failedPaths\": failed_path,\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\n # -- ---- For workloads -- ---- \nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] {\n\t# automountServiceAccountToken not in pod spec\n\tnot spec.automountServiceAccountToken == false\n\tnot spec.automountServiceAccountToken == true\n\n\t# check if SA automount by default\n\tsa := input[_]\n\tis_same_sa(spec, sa.metadata.name)\n\tis_same_namespace(sa.metadata.namespace , 
wl_namespace)\n\tnot sa.automountServiceAccountToken == false\n\n\t# path is pod spec\n\tfix_path = { \"path\": sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path]), \"value\": \"false\"}\n\tfailed_path = \"\"\n}\n\nget_failed_path(paths) = [paths[0]] {\n\tpaths[0] != \"\"\n} else = []\n\n\nget_fixed_path(paths) = [paths[1]] {\n\tpaths[1] != \"\"\n} else = []\n\nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] {\n\t# automountServiceAccountToken set to true in pod spec\n\tspec.automountServiceAccountToken == true\n\t\n\t# SA automount by default\n\tservice_accounts := [service_account | service_account = input[_]; service_account.kind == \"ServiceAccount\"]\n\tcount(service_accounts) \u003e 0\n\tsa := service_accounts[_]\n\tis_same_sa(spec, sa.metadata.name)\n\tis_same_namespace(sa.metadata.namespace , wl_namespace)\n\tnot sa.automountServiceAccountToken == false\n\n\tfailed_path = sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path])\n\tfix_path = \"\"\n}\n\nis_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] {\n\t# automountServiceAccountToken set to true in pod spec\n\tspec.automountServiceAccountToken == true\n\t\n\t# No SA (yaml scan)\n\tservice_accounts := [service_account | service_account = input[_]; service_account.kind == \"ServiceAccount\"]\n\tcount(service_accounts) == 0\n\tfailed_path = sprintf(\"%vautomountServiceAccountToken\", [beggining_of_path])\n\tfix_path = \"\"\n}\n\n\n\n # -- ---- For SAs -- ---- \nis_auto_mount(service_account) = [failed_path, fix_path] {\n\tservice_account.automountServiceAccountToken == true\n\tfailed_path = \"automountServiceAccountToken\"\n\tfix_path = \"\"\n}\n\nis_auto_mount(service_account)= [failed_path, fix_path] {\n\tnot service_account.automountServiceAccountToken == false\n\tnot service_account.automountServiceAccountToken == true\n\tfix_path = {\"path\": \"automountServiceAccountToken\", \"value\": \"false\"}\n\tfailed_path 
= \"\"\n}\n\nis_same_sa(spec, serviceAccountName) {\n\tspec.serviceAccountName == serviceAccountName\n}\n\nis_same_sa(spec, serviceAccountName) {\n\tnot spec.serviceAccountName \n\tserviceAccountName == \"default\"\n}\n\n\nis_same_namespace(metadata1, metadata2) {\n\tmetadata1.namespace == metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tnot metadata2.namespace\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata2.namespace\n\tmetadata1.namespace == \"default\"\n}\n\nis_same_namespace(metadata1, metadata2) {\n\tnot metadata1.namespace\n\tmetadata2.namespace == \"default\"\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod", + "ServiceAccount" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if service account and workloads mount service account token by default", + "remediation": "Make sure that the automountServiceAccountToken field on the service account spec if set to false", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Cluster-admin binding", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Impact - data destruction", + "Impact - service injection" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ], + "microsoftMitreColumns": [ + "Privilege escalation" + ], + "rbacQuery": "Show cluster_admin" + }, + "controlID": "C-0035", + "creationTime": "", + "description": "Attackers who have 
cluster admin permissions (can perform any action on any resource), can take advantage of their privileges for malicious activities. This control determines which subjects have cluster admin permissions.", + "remediation": "You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use subjects with such high permissions for daily operations.", + "rules": [ + { + "guid": "", + "name": "rule-list-all-cluster-admins-v1", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::Cluster-admin binding", + "resourcesAggregator": "subject-role-rolebinding", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# returns subjects with cluster admin permissions\ndeny[msga] {\n\tsubjectVector := input[_]\n\trole := subjectVector.relatedObjects[i]\n\trolebinding := subjectVector.relatedObjects[j]\n\tendswith(role.kind, \"Role\")\n\tendswith(rolebinding.kind, \"Binding\")\n\n\trule := role.rules[p]\n\tsubject := rolebinding.subjects[k]\n\tis_same_subjects(subjectVector, subject)\n\nis_same_subjects(subjectVector, subject)\n\trule_path := sprintf(\"relatedObjects[%d].rules[%d]\", [i, p])\n\n\tverbs := [\"*\"]\n\tverb_path := [sprintf(\"%s.verbs[%d]\", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]\n\tcount(verb_path) \u003e 0\n\n\tapi_groups := [\"*\", \"\"]\n\tapi_groups_path := [sprintf(\"%s.apiGroups[%d]\", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]\n\tcount(api_groups_path) \u003e 0\n\n\tresources := [\"*\"]\n\tresources_path := [sprintf(\"%s.resources[%d]\", [rule_path, l]) | resource = rule.resources[l]; resource in resources]\n\tcount(resources_path) \u003e 0\n\n\tpath := array.concat(resources_path, verb_path)\n\tpath2 := array.concat(path, api_groups_path)\n\tfinalpath := array.concat(path2, [\n\t\tsprintf(\"relatedObjects[%d].subjects[%d]\", [j, 
k]),\n\t\tsprintf(\"relatedObjects[%d].roleRef.name\", [j]),\n\t])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Subject: %s-%s have high privileges, such as cluster-admin\", [subjectVector.kind, subjectVector.name]),\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": finalpath,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": subjectVector,\n\t\t},\n\t}\n}\n\n# for service accounts\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.namespace == subject.namespace\n}\n\n# for users/ groups\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.apiGroup == subject.apiGroup\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Role", + "ClusterRole", + "ClusterRoleBinding", + "RoleBinding" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines which users have cluster admin permissions", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Host PID/IPC privileges", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0038", + "creationTime": "", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. 
This control identifies all PODs using hostPID or hostIPC privileges.", + "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", + "rules": [ + { + "guid": "", + "name": "host-pid-ipc-privileges", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has hostPID enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tis_host_pid(pod.spec)\n\tpath := \"spec.hostPID\"\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v has hostPID enabled\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if pod has hostIPC enabled\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tis_host_ipc(pod.spec)\n\tpath := \"spec.hostIPC\"\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Pod: %v has hostIPC enabled\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has hostPID enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_pid(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostPID\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod with hostPID enabled\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if workload has hostIPC enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := 
{\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_ipc(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostIPC\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod with hostIPC enabled\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has hostPID enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_pid(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostPID\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod with hostPID enabled\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n# Fails if cronjob has hostIPC enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_ipc(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostIPC\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod with hostIPC enabled\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Check that hostPID and hostIPC are set to false. Default is false. 
Only in pod spec\n\n\nis_host_pid(podspec){\n podspec.hostPID == true\n}\n\nis_host_ipc(podspec){\n podspec.hostIPC == true\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "Containers should be as isolated as possible from the host machine. The hostPID and hostIPC fields in Kubernetes may excessively expose the host to potentially malicious actions.", + "remediation": "Make sure that the fields hostIPC and hostPID in the pod spec are not set to true (set to false or not present)", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + { + "guid": "", + "name": "HostNetwork access", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Discovery", + "Lateral movement", + "Impact - service access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0041", + "creationTime": "", + "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", + "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). 
Whitelist only those PODs that must have access to host network by design.", + "rules": [ + { + "guid": "", + "name": "host-network-access", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# Fails if pod has hostNetwork enabled\ndeny[msga] {\n pods := [ pod | pod = input[_] ; pod.kind == \"Pod\"]\n pod := pods[_]\n\n\tis_host_network(pod.spec)\n\tpath := \"spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"Pod: %v is connected to the host network\", [pod.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has hostNetwork enabled\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tis_host_network(wl.spec.template.spec)\n\tpath := \"spec.template.spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"%v: %v has a pod connected to the host network\", [wl.kind, wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has hostNetwork enabled\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tis_host_network(wl.spec.jobTemplate.spec.template.spec)\n\tpath := \"spec.jobTemplate.spec.template.spec.hostNetwork\"\n msga := {\n\t\"alertMessage\": sprintf(\"CronJob: %v has a pod connected to the host network\", [wl.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\":[],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_host_network(podspec) {\n podspec.hostNetwork == true\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" 
+ ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if pod has hostNetwork enabled", + "remediation": "Make sure that the hostNetwork field of the pod spec is not set to true (set to false or not present)", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + { + "guid": "", + "name": "Container hostPort", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance", + "devops" + ] + }, + "controlID": "C-0044", + "creationTime": "", + "description": "Configuring hostPort requires a particular port number. If two objects specify the same HostPort, they could not be deployed to the same node. It may prevent the second object from starting, even if Kubernetes will try reschedule it on another node, provided there are available nodes with sufficient amount of resources. Also, if the number of replicas of such workload is higher than the number of nodes, the deployment will consistently fail.", + "remediation": "Avoid usage of hostPort unless it is absolutely necessary, in which case define appropriate exception. 
Use NodePort / ClusterIP instead.", + "rules": [ + { + "guid": "", + "name": "container-hostPort", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Fails if pod has container with hostPort\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n container := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n\tpath := is_host_port(container, i, beggining_of_path)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v has Host-port\", [ container.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\n# Fails if workload has container with hostPort\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n path := is_host_port(container, i, beggining_of_path)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v in %v: %v has Host-port\", [ container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n# Fails if cronjob has container with hostPort\ndeny[msga] {\n \twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n path := is_host_port(container, i, beggining_of_path)\n msga := {\n\t\t\"alertMessage\": sprintf(\"Container: %v in %v: %v has Host-port\", [ container.name, wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 4,\n\t\t\"failedPaths\": path,\n\t\t\"fixPaths\":[],\n\t\t\"alertObject\": 
{\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\n\n\nis_host_port(container, i, beggining_of_path) = path {\n\tpath = [sprintf(\"%vcontainers[%v].ports[%v].hostPort\", [beggining_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort]\n\tcount(path) \u003e 0\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container has hostPort", + "remediation": "Make sure you do not configure hostPort for the container, if necessary use NodePort / ClusterIP", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + { + "guid": "", + "name": "Insecure capabilities", + "attributes": { + "actionRequired": "configuration", + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0046", + "creationTime": "", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. 
This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "remediation": "Remove all insecure capabilities which are not necessary for the container.", + "rules": [ + { + "guid": "", + "name": "insecure-capabilities", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data\nimport data.cautils as cautils\n\ndeny[msga] {\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in pod: %v have dangerous capabilities\", [container.name, pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n\t}\n}\n\ndeny[msga] {\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in workload: %v have dangerous capabilities\", [container.name, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\ndeny[msga] {\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n result := is_dangerous_capabilities(container, beggining_of_path, i)\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"container: %v in cronjob: %v have dangerous capabilities\", 
[container.name, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": result,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n\t}\n}\n\nis_dangerous_capabilities(container, beggining_of_path, i) = path {\n\t# see default-config-inputs.json for list values\n insecureCapabilities := data.postureControlInputs.insecureCapabilities\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)]\n\tcount(path) \u003e 0\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": [ + "settings.postureControlInputs.insecureCapabilities" + ], + "controlConfigInputs": [ + { + "path": "settings.postureControlInputs.insecureCapabilities", + "name": "Insecure capabilities", + "description": "You can see the list of capabilities in https://man7.org/linux/man-pages/man7/capabilities.7.html. Kubescape looks for the following capabilities in containers which might lead to attackers getting high privileges in your system." 
+ } + ], + "description": "fails if container has insecure capabilities", + "remediation": "Remove all insecure capabilities which aren’t necessary for the container.", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 7 + }, + { + "guid": "", + "name": "Cluster internal networking", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Discovery", + "Lateral movement" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ], + "microsoftMitreColumns": [ + "Lateral movement" + ] + }, + "controlID": "C-0054", + "creationTime": "", + "description": "If no network policy is defined, attackers who gain access to a container may use it to move laterally in the cluster. This control lists namespaces in which no network policy is defined.", + "remediation": "Define Kubernetes network policies or use alternative products to protect cluster network.", + "rules": [ + { + "guid": "", + "name": "internal-networking", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Lateral Movement::Container internal networking, Discovery::Network mapping" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n# input: network policies\n# apiversion: networking.k8s.io/v1\n# fails if no network policies are defined in a certain namespace\n\ndeny[msga] {\n\tnamespaces := [namespace | namespace = input[_]; namespace.kind == \"Namespace\"]\n\tnamespace := namespaces[_]\n\tpolicy_names := [policy.metadata.namespace | policy = input[_]; policy.kind == \"NetworkPolicy\"]\n\tnot list_contains(policy_names, namespace.metadata.name)\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"no policy is defined for namespace %v\", [namespace.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": 
[namespace]\n\t\t}\n\t}\n}\n\nlist_contains(list, element) {\n some i\n list[i] == element\n}", + "resourceEnumerator": "package armo_builtins\n\n# input: network policies + namespaces\n# apiversion: networking.k8s.io/v1\n# returns all namespaces\n\ndeny[msga] {\n\tnamespaces := [namespace | namespace = input[_]; namespace.kind == \"Namespace\"]\n\tnamespace := namespaces[_]\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"no policy is defined for namespace %v\", [namespace.metadata.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [\"\"],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [namespace]\n\t\t}\n\t}\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Namespace" + ] + }, + { + "apiGroups": [ + "networking.k8s.io" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "NetworkPolicy" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "lists namespaces in which no network policies are defined", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + { + "guid": "", + "name": "Linux hardening", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0055", + "creationTime": "", + "description": "Containers may be given more privileges than they actually need. 
This can increase the potential impact of a container compromise.", + "remediation": "You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges.", + "rules": [ + { + "guid": "", + "name": "linux-hardening", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# Fails if pod does not define linux security hardening \ndeny[msga] {\n\tobj := input[_]\n\tfix_paths := is_unsafe_obj(obj)\n\tcount(fix_paths) \u003e 0\n\n\t# final_fix_pathes := array.concat(fix_paths) # -\u003e produce only one failed result\n\tfinal_fix_pathes := fix_paths[_] # -\u003e produce failed result for each container\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"%s: %s does not define any linux security hardening\", [obj.kind, obj.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": final_fix_pathes,\n\t\t\"alertObject\": {\"k8sApiObjects\": [obj]},\n\t}\n}\n\nis_unsafe_obj(obj) := fix_paths {\n\tobj.kind == \"Pod\"\n\tfix_paths := are_unsafe_specs(obj, [\"spec\"], [\"metadata\", \"annotations\"])\n} else := fix_paths {\n\tobj.kind == \"CronJob\"\n\tfix_paths := are_unsafe_specs(obj, [\"spec\", \"jobTemplate\", \"spec\", \"template\", \"spec\"], [\"spec\", \"jobTemplate\", \"spec\", \"template\", \"metadata\", \"annotations\"])\n} else := fix_paths {\n\tobj.kind in [\"Deployment\", \"ReplicaSet\", \"DaemonSet\", \"StatefulSet\", \"Job\"]\n\tfix_paths := are_unsafe_specs(obj, [\"spec\", \"template\", \"spec\"], [\"spec\", \"template\", \"metadata\", \"annotations\"])\n}\n\nare_unsafe_specs(obj, specs_path, anotation_path) := paths {\n\t# spec\n\tspecs := object.get(obj, specs_path, null)\n\tspecs != null\n\tare_seccomp_and_selinux_disabled(specs)\n\n\t# annotation\n\tannotations := object.get(obj, anotation_path, [])\n\tapp_armor_annotations := [annotations[i] | 
annotation = i; startswith(i, \"container.apparmor.security.beta.kubernetes.io\")]\n\tcount(app_armor_annotations) == 0\n\n\t# container\n\tcontainers_path := array.concat(specs_path, [\"containers\"])\n\tcontainers := object.get(obj, containers_path, [])\n\n\t# Psuedo code explanation:\n\t# for i, container in containers\n\t# \t\tif is_unsafe_container:\n\t# \t\t\tfix_paths += [(containers_path[i] + field) for j, field in fix_fields]\n\t# \n\t# At the end we get [[\u003ccontainer1_path1\u003e, \u003ccontainer1_path2\u003e, ...], ...]\n\tcontainers_fix_path := concat(\".\", containers_path)\n\tfix_fields := [\"seccompProfile\", \"seLinuxOptions\", \"capabilities.drop[0]\"]\n\tpaths := [[{\n\t\t\"path\": sprintf(\"%s[%d].securityContext.%s\", [containers_fix_path, i, field]),\n\t\t\"value\": \"YOUR_VALUE\",\n\t} |\n\t\tfield := fix_fields[j]\n\t] |\n\t\tcontainer = containers[i]\n\t\tis_unsafe_container(container)\n\t]\n\n\tcount(paths) \u003e 0\n}\n\nare_seccomp_and_selinux_disabled(obj) {\n\tnot obj.securityContext.seccompProfile\n\tnot obj.securityContext.seLinuxOptions\n}\n\nis_unsafe_container(container) {\n\tare_seccomp_and_selinux_disabled(container)\n\tnot container.securityContext.capabilities.drop\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "fails if container does not define any linux security hardening", + "remediation": "Make sure you define at least one linux security hardening property out of Seccomp, SELinux or Capabilities.", + "ruleQuery": "armo_builtins", + 
"relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 4 + }, + { + "guid": "", + "name": "Privileged container", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Privilege escalation" + ] + } + ], + "controlTypeTags": [ + "security" + ], + "microsoftMitreColumns": [ + "Privilege escalation" + ] + }, + "controlID": "C-0057", + "creationTime": "", + "description": "Potential attackers may gain access to privileged containers and inherit access to the host resources. Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary. This control identifies all the privileged Pods.", + "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", + "rules": [ + { + "guid": "", + "name": "rule-privilege-escalation", + "attributes": { + "armoBuiltin": true, + "m$K8sThreatMatrix": "Privilege Escalation::privileged container", + "mitre": "Privilege Escalation", + "mitreCode": "TA0004" + }, + "creationTime": "", + "rule": "package armo_builtins\n# Deny mutating action unless user is in group owning the resource\n\n\n#privileged pods\ndeny[msga] {\n\n\tpod := input[_]\n\tpod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"the following pods are defined as privileged: %v\", [pod.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [pod]\n\t\t}\n }\n}\n\n\n#handles majority of workload resources\ndeny[msga] {\n\twl := 
input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n\tcontainer := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"%v: %v is defined as privileged:\", [wl.kind, wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\n#handles cronjob\ndeny[msga] {\n\twl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer := wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n\tpath := isPrivilegedContainer(container, i, beggining_of_path)\n\n msga := {\n\t\t\"alertMessage\": sprintf(\"the following cronjobs are defined as privileged: %v\", [wl.metadata.name]),\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertScore\": 3,\n\t\t\"fixPaths\": [],\n\t\t\"failedPaths\": path,\n \"alertObject\": {\n\t\t\t\"k8sApiObjects\": [wl]\n\t\t}\n }\n}\n\n\n# Only SYS_ADMIN capabilite\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tnot container.securityContext.privileged == true\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == \"SYS_ADMIN\"]\n\tcount(path) \u003e 0\n}\n\n# Only securityContext.privileged == true\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tcontainer.securityContext.privileged == true\n\tpath1 = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == 
\"SYS_ADMIN\"]\n\tcount(path1) \u003c 1\n\tpath = [sprintf(\"%vcontainers[%v].securityContext.privileged\", [beggining_of_path, format_int(i, 10)])]\n}\n\n# SYS_ADMIN capabilite \u0026\u0026 securityContext.privileged == true\nisPrivilegedContainer(container, i, beggining_of_path) = path {\n\tpath1 = [sprintf(\"%vcontainers[%v].securityContext.capabilities.add[%v]\", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == \"SYS_ADMIN\"]\n\tcount(path1) \u003e 0\n\tcontainer.securityContext.privileged == true\n\tpath = array.concat(path1, [sprintf(\"%vcontainers[%v].securityContext.privileged\", [beggining_of_path, format_int(i, 10)])])\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "determines if pods/deployments defined as privileged true", + "remediation": "avoid defining pods as privilleged", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 8 + }, + { + "guid": "", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Persistence", + "Impact - Data access in container" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0058", + "creationTime": "", + "description": "A user may be able to create a container with subPath or subPathExpr volume mounts to access files \u0026 
directories anywhere on the host filesystem. Following Kubernetes versions are affected: v1.22.0 - v1.22.1, v1.21.0 - v1.21.4, v1.20.0 - v1.20.10, version v1.19.14 and lower. This control checks the vulnerable versions and the actual usage of the subPath feature in all Pods in the cluster. If you want to learn more about the CVE, please refer to the CVE link: https://nvd.nist.gov/vuln/detail/CVE-2021-25741", + "remediation": "To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, or remove any existing Pods using subPath or subPathExpr feature.", + "rules": [ + { + "guid": "", + "name": "Symlink-Exchange-Can-Allow-Host-Filesystem-Access", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n pod := input[_]\n pod.kind == \"Pod\"\n\tcontainer := pod.spec.containers[i]\n\tbeggining_of_path := \"spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. 
You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr\", [container.name, pod.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [pod]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n container := wl.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.template.spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n \n\tmsga := {\n\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n is_vulnerable_version(current_version)\n wl := input[_]\n\twl.kind == \"CronJob\"\n\tcontainer = wl.spec.jobTemplate.spec.template.spec.containers[i]\n\tbeggining_of_path := \"spec.jobTemplate.spec.template.spec.\"\n final_path := is_sub_path_container(container, i, beggining_of_path)\n \n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25741. 
You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr\", [container.name, wl.kind, wl.metadata.name]),\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": final_path,\n\t\t\t\"fixPaths\": [],\n\t\t}\n}\n\n\n\nis_sub_path_container(container, i, beggining_of_path) = path {\n\tpath = [sprintf(\"%vcontainers[%v].volumeMounts[%v].subPath\" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath]\n\tcount(path) \u003e 0\n}\n\nis_vulnerable_version(version) {\n version \u003c= \"v1.19.14\"\n}\n\nis_vulnerable_version(version){\n version \u003e= \"v1.22.0\"\n version \u003c= \"v1.22.1\"\n}\n\n\nis_vulnerable_version(version){\n version \u003e= \"v1.21.0\"\n version \u003c= \"v1.21.4\"\n}\n\n\nis_vulnerable_version(version){\n version \u003e= \"v1.20.0\"\n version \u003c= \"v1.20.9\"\n}\n\nis_vulnerable_version(version){\n\tversion == \"v1.20.10\"\n}\n\n\n", + "resourceEnumerator": "package armo_builtins\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n pod := input[_]\n pod.kind == \"Pod\"\n\n\tmsga := {\n\t\t\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [pod]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n wl := input[_]\n\tspec_template_spec_patterns := {\"Deployment\",\"ReplicaSet\",\"DaemonSet\",\"StatefulSet\",\"Job\"}\n\tspec_template_spec_patterns[wl.kind]\n \n\tmsga := {\n\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\n\ndeny[msga] {\n\tnodes := input[_]\n\tcurrent_version := 
nodes.status.nodeInfo.kubeletVersion\n isVulnerableVersion(current_version)\n\tversionPath = \"status.nodeInfo.kubeletVersion\"\n wl := input[_]\n\twl.kind == \"CronJob\"\n \n\tmsga := {\n\t\t\"alertMessage\": \"\",\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [wl]},\n\t\t\t\"failedPaths\": [\"\"],\n\t}\n}\n\n\nisVulnerableVersion(version) {\n version \u003c= \"v1.19.14\"\n}\n\nisVulnerableVersion(version){\n version \u003e= \"v1.22.0\"\n version \u003c= \"v1.22.1\"\n}\n\n\nisVulnerableVersion(version){\n version \u003e= \"v1.21.0\"\n version \u003c= \"v1.21.4\"\n}\n\n\nisVulnerableVersion(version){\n version \u003e= \"v1.20.0\"\n version \u003c= \"v1.20.9\"\n}\n\nisVulnerableVersion(version){\n\tversion == \"v1.20.10\"\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod", + "Node" + ] + }, + { + "apiGroups": [ + "apps" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Deployment", + "ReplicaSet", + "DaemonSet", + "StatefulSet" + ] + }, + { + "apiGroups": [ + "batch" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Job", + "CronJob" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "A user may be able to create a container with subPath volume mounts to access files \u0026 directories outside of the volume, including on the host filesystem. This was affected at the following versions: v1.22.0 - v1.22.1, v1.21.0 - v1.21.4, v1.20.0 - v1.20.10, version v1.19.14 and lower. 
", + "remediation": "To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Initial access", + "Execution" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0059", + "creationTime": "", + "description": "Security issue in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (see more at https://github.com/kubernetes/ingress-nginx/issues/7837)", + "remediation": "To mitigate this vulnerability: 1. Upgrade to a version that allows mitigation (\u003e= v0.49.1 or \u003e= v1.0.1), 2. 
Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx", + "rules": [ + { + "guid": "", + "name": "nginx-ingress-snippet-annotation-vulnerability", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\ndeny[msga] {\n\tdeployment := input[_]\n\tdeployment.kind == \"Deployment\"\n\timage := deployment.spec.template.spec.containers[i].image\n\tis_nginx_image(image)\n\tis_tag_image(image)\n\n\t# Extracting version from image tag\n\ttag_version_match := regex.find_all_string_submatch_n(\"[0-9]+\\\\.[0-9]+\\\\.[0-9]+\", image, -1)[0][0]\n image_version_str_arr := split(tag_version_match,\".\")\n\timage_version_arr := [to_number(image_version_str_arr[0]),to_number(image_version_str_arr[1]),to_number(image_version_str_arr[2])]\n\n\t# Check if vulnerable \n\tis_vulnerable(image_version_arr, deployment.metadata.namespace)\n\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25742. 
Deployment %v\", [deployment.metadata.name]),\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"fixPaths\":[],\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [deployment]},\n\t\t}\n}\n\n\t\nis_nginx_image(image) {\n\tcontains(image, \"nginx-controller\")\n}\n\nis_nginx_image(image) {\n\tcontains(image, \"ingress-controller\")\n}\n\nis_nginx_image(image) {\n\tcontains(image, \"ingress-nginx\")\n}\n\nis_allow_snippet_annotation_on(namespace) {\n configmaps := [configmap | configmap = input[_]; configmap.kind == \"ConfigMap\"]\n\tconfigmap_on_ingress_namespace := [configmap | configmap= configmaps[_]; configmap.metadata.namespace == namespace]\n\tconfig_maps_with_snippet := [configmap | configmap= configmap_on_ingress_namespace[_]; configmap.data[\"allow-snippet-annotations\"] == \"false\"]\n\tcount(config_maps_with_snippet) \u003c 1\n}\n\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 0\n\timage_version[1] \u003c 49\n\tis_allow_snippet_annotation_on(namespace)\n}\n\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 0\n\timage_version[1] == 49\n\timage_version[2] == 0\n\tis_allow_snippet_annotation_on(namespace)\n}\n\t\nis_vulnerable(image_version, namespace) {\n\timage_version[0] == 1\n\timage_version[1] == 0\n\timage_version[2] == 0\n\tis_allow_snippet_annotation_on(namespace)\n}\n\nis_tag_image(image) {\n reg := \":[\\\\w][\\\\w.-]{0,127}(\\/)?\"\n version := regex.find_all_string_submatch_n(reg, image, -1)\n v := version[_]\n img := v[_]\n not endswith(img, \"/\")\n}", + "resourceEnumerator": "package armo_builtins\n\ndeny[msga] {\n\tdeployment := input[_]\n\tdeployment.kind == \"Deployment\"\n\timage := deployment.spec.template.spec.containers[i].image\n\tisNginxImage(image)\n\tis_tag_image(image)\n\tisVulnerable(image, deployment.metadata.namespace)\n\tpath := sprintf(\"spec.template.spec.containers[%v].image\", [format_int(i, 10)])\n\tmsga := {\n\t\t\t\"alertMessage\": sprintf(\"You may be vulnerable to CVE-2021-25742. 
%v\", [deployment]),\n\t\t\t\"failedPaths\": [path],\n\t\t\t\"alertObject\": {\"k8SApiObjects\": [deployment]},\n\t\t}\n}\n\n\t\nisNginxImage(image) {\n\tcontains(image, \"nginx-controller\")\n}\n\nisNginxImage(image) {\n\tcontains(image, \"ingress-controller\")\n}\n\nisNginxImage(image) {\n\tcontains(image, \"ingress-nginx\")\n}\n\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n startswith(tag, \"v\")\n tag \u003c= \"v0.49\"\n}\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n startswith(tag, \"v\")\n tag == \"v1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n startswith(tag, \"v\")\n\ttag \u003c= \"v0.49\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n startswith(tag, \"v\")\n\ttag == \"v1.0.0\"\n}\n\n###### without 'v'\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n not startswith(tag, \"v\")\n tag \u003c= \"0.49\"\n}\n\t\nisVulnerable(image, namespace) {\n\tcontains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := split(version[count(version)-2], \"@\")[0]\n not startswith(tag, \"v\")\n tag == \"1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n not startswith(tag, \"v\")\n\ttag \u003c= \"0.49\"\n}\nisVulnerable(image, namespace) {\n\tnot contains(image, \"@\")\n\tversion := split(image, \":\")\n\ttag := version[count(version)-1]\n not startswith(tag, \"v\")\n\ttag == \"1.0.0\"\n}\n\nisVulnerable(image, namespace) {\n configmaps := [configmap | configmap = 
input[_]; configmap.kind == \"ConfigMap\"]\n\tconfigmapOnIngressNamespace := [configmap | configmap= configmaps[_]; configmap.metadata.namespace == namespace]\n\tconfigMapsWithSnippet := [configmap | configmap= configmapOnIngressNamespace[_]; configmap.data[\"allow-snippet-annotations\"] == \"false\"]\n\tcount(configMapsWithSnippet) \u003c 1\n}\n\n\nis_tag_image(image) {\n reg := \":[\\\\w][\\\\w.-]{0,127}(\\/)?\"\n version := regex.find_all_string_submatch_n(reg, image, -1)\n v := version[_]\n img := v[_]\n not endswith(img, \"/\")\n}", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "*" + ], + "apiVersions": [ + "*" + ], + "resources": [ + "Deployment", + "ConfigMap" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 8 + }, + { + "guid": "", + "name": "Secret/ETCD encryption enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "node", + "categories": [ + "Impact" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0066", + "creationTime": "", + "description": "All Kubernetes Secrets are stored primarily in etcd therefore it is important to encrypt it.", + "remediation": "Turn on the etcd encryption in your cluster, for more see the vendor documentation.", + "rules": [ + { + "guid": "", + "name": "secret-etcd-encryption-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if encryption in etcd in enabled for EKS\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"eks.amazonaws.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"eks\"\t\n\tconfig = cluster_config.data\n\n\tis_not_encrypted_EKS(config)\n \n\t\n\tmsga := {\n\t\t\"alertMessage\": 
\"etcd/secret encryption is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"eksctl utils enable-secrets-encryption --cluster=\u003ccluster\u003e --key-arn=arn:aws:kms:\u003ccluster_region\u003e:\u003caccount\u003e:key/\u003ckey\u003e --region=\u003cregion\u003e\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}\n\n\n\n# Check if encryption in etcd in enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"gke\"\t\n\tconfig := cluster_config.data\n\n\tnot is_encrypted_GKE(config)\n \n\t\n\tmsga := {\n\t\t\"alertMessage\": \"etcd/secret encryption is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [\"data.database_encryption.state\"],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"gcloud container clusters update \u003ccluster_name\u003e --region=\u003ccompute_region\u003e --database-encryption-key=\u003ckey_project_id\u003e/locations/\u003clocation\u003e/keyRings/\u003cring_name\u003e/cryptoKeys/\u003ckey_name\u003e --project=\u003ccluster_project_id\u003e\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}\n\nis_encrypted_GKE(config) {\n\t config.database_encryption.state == \"1\"\n}\nis_encrypted_GKE(config) {\n\t config.database_encryption.state == \"ENCRYPTED\"\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tencryptionConfig := cluster_config.Cluster.EncryptionConfig[_]\n goodResources := [resource | resource = cluster_config.Cluster.EncryptionConfig.Resources[_]; resource == \"secrets\"]\n\tcount(goodResources) == 0\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tcluster_config.Cluster.EncryptionConfig == 
null\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tcount(cluster_config.Cluster.EncryptionConfig) == 0\n}\n\nis_not_encrypted_EKS(cluster_config) {\n\tencryptionConfig := cluster_config.Cluster.EncryptionConfig[_]\n count(encryptionConfig.Resources) == 0\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "etcd-encryption-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport data.cautils as cautils\n\n# Check if encryption in etcd is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n\tcmd := apiserverpod.spec.containers[0].command\n\tenc_command := [command | command := cmd[_]; contains(command, \"--encryption-provider-config=\")]\n\tcount(enc_command) \u003c 1\n\tpath := \"spec.containers[0].command\"\n\n\tmsga := {\n\t\t\"alertMessage\": \"etcd encryption is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\"k8sApiObjects\": [apiserverpod]},\n\t}\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": 
null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 6 + }, + { + "guid": "", + "name": "Audit logs enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "container", + "categories": [ + "Defense evasion - KubeAPI" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0067", + "creationTime": "", + "description": "Audit logging is an important security feature in Kubernetes, it enables the operator to track requests to the cluster. It is important to use it so the operator has a record of events happened in Kubernetes", + "remediation": "Turn on audit logging for your cluster. Look at the vendor guidelines for more details", + "rules": [ + { + "guid": "", + "name": "k8s-audit-logs-enabled-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\nimport future.keywords.every\n\n# =============================== GKE ===============================\n# Check if audit logs is enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n\tcluster_config.metadata.provider == \"gke\"\n\tconfig := cluster_config.data\n\n\t# If enableComponents is empty, it will disable logging\n\t# https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#loggingcomponentconfig\n\tis_logging_disabled(config)\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is disabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": cluster_config,\n\t\t},\n\t}\n}\n\nis_logging_disabled(cluster_config) {\n\tnot cluster_config.logging_config.component_config.enable_components\n}\n\nis_logging_disabled(cluster_config) 
{\n\tcluster_config.logging_config.component_config.enable_components\n\tcount(cluster_config.logging_config.component_config.enable_components) == 0\n}\n\n# =============================== EKS ===============================\n# Check if audit logs is enabled for EKS\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"eks.amazonaws.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n\tcluster_config.metadata.provider == \"eks\"\n\tconfig := cluster_config.data\n\n\t# logSetup is an object representing the enabled or disabled Kubernetes control plane logs for your cluster.\n\t# types - available cluster control plane log types\n\t# https://docs.aws.amazon.com/eks/latest/APIReference/API_LogSetup.html\n\tlogging_types := {\"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler\"}\n\tlogSetups = config.Cluster.Logging.ClusterLogging\n\tnot all_auditlogs_enabled(logSetups, logging_types)\n\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is disabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixCommand\": \"aws eks update-cluster-config --region '${REGION_CODE}' --name '${CLUSTER_NAME}' --logging '{'clusterLogging':[{'types':['api','audit','authenticator','controllerManager','scheduler'],'enabled':true}]}'\",\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": cluster_config,\n\t\t},\n\t}\n}\n\nall_auditlogs_enabled(logSetups, types) {\n\tevery type in types {\n\t\tauditlogs_enabled(logSetups, type)\n\t}\n}\n\nauditlogs_enabled(logSetups, type) {\n\tlogSetup := logSetups[_]\n\tlogSetup.Enabled == true\n\tlogSetup.Types[_] == type\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": 
[ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "k8s-audit-logs-enabled-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.cautils as cautils\n\n# Check if audit logs is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n cmd := apiserverpod.spec.containers[0].command\n\taudit_policy := [ command |command := cmd[_] ; contains(command, \"--audit-policy-file=\")]\n count(audit_policy) \u003c 1\n\tpath := \"spec.containers[0].command\"\t\n\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"audit logs is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [apiserverpod],\n\t\t\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 5 + }, + { + "guid": "", + "name": "PSP enabled", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Impact - service injection" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0068", + "creationTime": "", + "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", + "remediation": "Turn Pod Security Policies on in 
your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", + "rules": [ + { + "guid": "", + "name": "psp-enabled-cloud", + "attributes": { + "armoBuiltin": true + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if PSP is enabled for GKE\ndeny[msga] {\n\tcluster_config := input[_]\n\tcluster_config.apiVersion == \"container.googleapis.com/v1\"\n\tcluster_config.kind == \"ClusterDescribe\"\n cluster_config.metadata.provider == \"gke\"\t\n\tconfig := cluster_config.data\n not config.pod_security_policy_config.enabled == true\n\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"pod security policy configuration is not enabled\",\n\t\t\"alertScore\": 3,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"fixCommand\": \"gcloud beta container clusters update \u003ccluster_name\u003e --enable-pod-security-policy\",\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n \"externalObjects\": cluster_config\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "container.googleapis.com", + "eks.amazonaws.com" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "ClusterDescribe" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": [ + "EKS", + "GKE" + ] + }, + { + "guid": "", + "name": "psp-enabled-native", + "attributes": { + "armoBuiltin": true, + "resourcesAggregator": "apiserver-pod", + "useFromKubescapeVersion": "v1.0.133" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n\n# Check if psp is enabled for native k8s\ndeny[msga] {\n\tapiserverpod := input[_]\n cmd := apiserverpod.spec.containers[0].command[j]\n contains(cmd, 
\"--enable-admission-plugins=\")\n output := split(cmd, \"=\")\n not contains(output[1], \"PodSecurityPolicy\")\n\tpath := sprintf(\"spec.containers[0].command[%v]\", [format_int(j, 10)])\t\n\t\n\tmsga := {\n\t\t\"alertMessage\": \"PodSecurityPolicy is not enabled\",\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"failedPaths\": [path],\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [apiserverpod],\n\t\t\n\t\t}\n\t}\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [ + "" + ], + "apiVersions": [ + "v1" + ], + "resources": [ + "Pod" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "", + "remediation": "", + "ruleQuery": "armo_builtins", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "", + "" + ], + "baseScore": 1 + }, + { + "guid": "", + "name": "Disable anonymous access to Kubelet service", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "kubeapi", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0069", + "creationTime": "", + "description": "By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.", + "remediation": "Start the kubelet with the --anonymous-auth=false flag.", + "rules": [ + { + "guid": "", + "name": "anonymous-requests-to-kubelet-service-updated", + "attributes": { + "armoBuiltin": true, + "hostSensorRule": "true" + }, + "creationTime": "", + "rule": "package armo_builtins\n\n#CIS 4.2.1 https://workbench.cisecurity.org/sections/1126668/recommendations/1838638\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tcontains(command, 
\"--anonymous-auth\")\n\tcontains(command, \"--anonymous-auth=true\")\n\n\texternal_obj := json.filter(obj, [\"apiVersion\", \"data/cmdLine\", \"kind\", \"metadata\"])\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": external_obj},\n\t}\n}\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tnot contains(command, \"--config\")\n\n\texternal_obj := json.filter(obj, [\"apiVersion\", \"data/cmdLine\", \"kind\", \"metadata\"])\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": external_obj},\n\t}\n}\n\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tcontains(command, \"--config\")\n\n\tdecodedConfigContent := base64.decode(obj.data.configFile.content)\n\tyamlConfig := yaml.unmarshal(decodedConfigContent)\n\tnot yamlConfig.authentication.anonymous.enabled == false\n\n\tmsga := {\n\t\t\"alertMessage\": \"Anonymous requests is enabled.\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [\"authentication.anonymous.enabled\"],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": {\n\t\t\t\"apiVersion\": obj.apiVersion,\n\t\t\t\"kind\": obj.kind,\n\t\t\t\"metadata\": obj.metadata,\n\t\t\t\"data\": {\"configFile\": {\"content\": decodedConfigContent}},\n\t\t}},\n\t}\n}\n\n## Host sensor failed to get config file content\ndeny[msga] {\n\tobj := input[_]\n\tis_kubelet_info(obj)\n\n\tcommand := obj.data.cmdLine\n\n\tnot contains(command, \"--anonymous-auth\")\n\tcontains(command, 
\"--config\")\n\n\tnot obj.data.configFile.content\n\n\tmsga := {\n\t\t\"alertMessage\": \"Failed to analyze config file\",\n\t\t\"alertScore\": 7,\n\t\t\"failedPaths\": [],\n\t\t\"fixPaths\": [],\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"alertObject\": {\"externalObjects\": {\n\t\t\t\"apiVersion\": obj.apiVersion,\n\t\t\t\"kind\": obj.kind,\n\t\t\t\"data\": obj.data,\n\t\t}},\n\t}\n}\n\nis_kubelet_info(obj) {\n\tobj.kind == \"KubeletInfo\"\n\tobj.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n}\n", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "hostdata.kubescape.cloud" + ], + "apiVersions": [ + "v1beta0" + ], + "resources": [ + "KubeletInfo" + ] + } + ], + "ruleDependencies": [], + "configInputs": null, + "controlConfigInputs": null, + "description": "Determines if anonymous requests to the kubelet service are allowed.", + "remediation": "Disable anonymous requests by setting the anonymous-auth flag to false, or using the kubelet configuration file.", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 10 + }, + { + "guid": "", + "name": "Enforce Kubelet client TLS authentication", + "attributes": { + "armoBuiltin": true, + "attackTracks": [ + { + "attackTrack": "node", + "categories": [ + "Initial access" + ] + } + ], + "controlTypeTags": [ + "security", + "compliance" + ] + }, + "controlID": "C-0070", + "creationTime": "", + "description": "Kubelets are the node level orchestrator in Kubernetes control plane. They are publishing service port 10250 where they accept commands from API server. Operator must make sure that only API server is allowed to submit commands to Kubelet. 
This is done through client certificate verification, must configure Kubelet with client CA file to use for this purpose.", + "remediation": "Start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with.", + "rules": [ + { + "guid": "", + "name": "enforce-kubelet-client-tls-authentication", + "attributes": { + "armoBuiltin": true, + "hostSensorRule": "true" + }, + "creationTime": "", + "rule": "package armo_builtins\nimport data.kubernetes.api.client as client\n\n# Both config and cli present\ndeny[msga] {\n\t\tkubelet_config := input[_]\n\t\tkubelet_config.kind == \"KubeletConfiguration\"\n\t\tkubelet_config.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\t\tkubelet_cli := input[_] \n\t\tkubelet_cli.kind == \"KubeletCommandLine\"\n\t\tkubelet_cli.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\t\tkubelet_cli_data := kubelet_cli.data\n\n\t\tresult := is_client_tls_disabled_both(kubelet_config, kubelet_cli_data)\n\t\texternal_obj := result.obj\n\t\tfailed_paths := result.failedPaths\n\t\tfixPaths := result.fixPaths\n\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": \"kubelet client TLS authentication is not enabled\",\n\t\t\t\"alertScore\": 2,\n\t\t\t\"failedPaths\": failed_paths,\n\t\t\t\"fixPaths\": fixPaths,\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [kubelet_config, kubelet_cli]\n\t\t\t},\n\t\t}\n\t}\n\n\n# Only of them present\ndeny[msga] {\n\t\tresult := is_client_tls_disabled_single(input)\n\t\texternal_obj := result.obj\n\t\tfailed_paths := result.failedPaths\n\t\tfixPaths := result.fixPaths\n\n\t\tmsga := {\n\t\t\t\"alertMessage\": \"kubelet client TLS authentication is not enabled\",\n\t\t\t\"alertScore\": 2,\n\t\t\t\"failedPaths\": failed_paths,\n\t\t\t\"fixPaths\": fixPaths,\n\t\t\t\"packagename\": \"armo_builtins\",\n\t\t\t\"alertObject\": {\n\t\t\t\t\"k8sApiObjects\": [external_obj]\n\t\t\t},\n\t\t}\n\t}\n\n# CLI overrides 
config\nis_client_tls_disabled_both(kubelet_config, kubelet_cli_data) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": [{\"path\": \"data.authentication.x509.clientCAFile\", \"value\": \"YOUR_VALUE\"}]} {\n\tnot contains(kubelet_cli_data[\"fullCommand\"], \"client-ca-file\")\n not kubelet_config.data.authentication.x509.clientCAFile\n\tobj = kubelet_config\n}\n\n# Only cli\nis_client_tls_disabled_single(resources) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": []} {\n\tkubelet_cli := resources[_] \n\tkubelet_cli.kind == \"KubeletCommandLine\"\n\tkubelet_cli.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\tkubelet_config := [config | config = resources[_]; config.kind == \"KubeletConfiguration\"]\n\tcount(kubelet_config) == 0\n\n\tobj = isClientTlsDisabledCli(kubelet_cli)\n\t\n}\n\n# Only config\nis_client_tls_disabled_single(resources) = {\"obj\": obj,\"failedPaths\": [], \"fixPaths\": [{\"path\": \"data.authentication.x509.clientCAFile\", \"value\": \"YOUR_VALUE\"}]} {\n\tkubelet_config := resources[_] \n\tkubelet_config.kind == \"KubeletConfiguration\"\n\tkubelet_config.apiVersion == \"hostdata.kubescape.cloud/v1beta0\"\n\n\tkubelet_cmd := [cmd | cmd = resources[_]; cmd.kind == \"KubeletCommandLine\"]\n\tcount(kubelet_cmd) == 0\n\n\tobj = is_Client_tls_disabled_config(kubelet_config)\n}\n\n\nis_Client_tls_disabled_config(kubelet_config) = obj {\n\tnot kubelet_config.data.authentication.x509.clientCAFile\n\tobj = kubelet_config\n}\n\nisClientTlsDisabledCli(kubelet_cli) = obj {\n\tkubelet_cli_data = kubelet_cli.data\n\tnot contains(kubelet_cli_data[\"fullCommand\"], \"client-ca-file\")\n\tobj = kubelet_cli\n}", + "resourceEnumerator": "", + "ruleLanguage": "Rego", + "match": [ + { + "apiGroups": [], + "apiVersions": [], + "resources": [] + } + ], + "dynamicMatch": [ + { + "apiGroups": [ + "hostdata.kubescape.cloud" + ], + "apiVersions": [ + "v1beta0" + ], + "resources": [ + "KubeletConfiguration", + "KubeletCommandLine" + ] + } + ], + 
"ruleDependencies": [ + { + "packageName": "cautils" + }, + { + "packageName": "kubernetes.api.client" + } + ], + "configInputs": null, + "controlConfigInputs": null, + "description": "Determines if kubelet client tls authentication is enabled.", + "remediation": "Start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with.", + "ruleQuery": "", + "relevantCloudProviders": null + } + ], + "rulesIDs": [ + "" + ], + "baseScore": 9 + } + ], + "controlsIDs": [ + "C-0002", + "C-0005", + "C-0009", + "C-0012", + "C-0013", + "C-0016", + "C-0017", + "C-0030", + "C-0034", + "C-0035", + "C-0038", + "C-0041", + "C-0044", + "C-0046", + "C-0054", + "C-0055", + "C-0057", + "C-0058", + "C-0059", + "C-0066", + "C-0067", + "C-0068", + "C-0069", + "C-0070" + ] + } + ], + "Exceptions": [ + { + "guid": "a97d2399-6ad4-44b6-9f41-1d42520e694b", + "name": "exception_C-0017_hipster_6f56c65e06958f7430b5c06f8632b81e", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-10-25T09:29:27.188399", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "minikube", + "namespace": "hipster" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "9680b02e-96c4-4602-8a3b-fc2ddf0a19d2", + "name": "exception_C-0017_kube-system_dba22d3f25c3f9733fd5f5454cadb853", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-10-28T13:50:36.059854", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-memory-test", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": 
"62c06020-5c7d-4480-8bf5-876a89efd28c", + "name": "exception_C-0017_online-boutique_312d0ce3a4e14c00e6281b45b3584e86", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-10-28T13:50:39.470026", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-memory-test", + "namespace": "online-boutique" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "7563c05e-2a0a-4509-885f-48ba359d5a85", + "name": "exception_C-0055_kube-system_3ef567674f0692083d1c337a532bc44e", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-17T12:50:28.012002", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "c8a8042d-e803-493b-b80e-af2f505d5d75", + "name": "exception_C-0057_kube-system_91d51e4ab532493f5bafbef22d682e7c", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:11.788426", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "18db55d4-2416-42ce-be23-b222da0d5b57", + "name": "exception_C-0057_hipster_4af38d971069b798ce73f9745fee7610", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:14.521466", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "namespace": "hipster" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "49d8e353-bb45-427c-9cea-15c4fb30653d", + "name": "exception_C-0011_kube-system_79df9f0bd3ae22441ca6689b504f10bf", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:36.068483", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "kind": "Namespace", + "name": "kube-system", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Network policies" + } + ] + }, + { + "guid": "3b325bfa-6859-4bec-9066-499ca79cb39b", + "name": "exception_C-0011_kube-node-lease_03700c7a06ae71d471034e27832653f5", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:38.302386", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "kind": "Namespace", + "name": "kube-node-lease", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Network policies" + } + ] + }, + { + "guid": "f8dc101a-e001-4511-afd3-664b3cb590fc", + "name": "exception_C-0011_default_62830e3a9b31a63572dee99f7eaa3b57", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:39.573939", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "kind": 
"Namespace", + "name": "default", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Network policies" + } + ] + }, + { + "guid": "7508c8a3-e1d6-45d3-aaeb-f134be5ec167", + "name": "exception_C-0011_hipster_531030970a7ea47d1c3ee8012be8aa5b", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:41.037243", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "kind": "Namespace", + "name": "hipster", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Network policies" + } + ] + }, + { + "guid": "160c6696-86a5-4499-9b2c-0729fbb44da1", + "name": "exception_C-0011_kube-public_ee2e166d6d99a66211c1b065fb9ecceb", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-11-18T10:33:42.958115", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_ben-kubescape-demo-01", + "kind": "Namespace", + "name": "kube-public", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Network policies" + } + ] + }, + { + "guid": "796de7e6-875e-46b6-b851-e11454061950", + "name": "exception_C-0055_armo-scan-scheduler_b15a41c3e2e38b991676d19df47fce6b", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-12-28T17:50:23.611330", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "CronJob", + "name": "armo-scan-scheduler", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "f94bc6f8-ab43-4f72-a720-ee08284185c0", + "name": 
"exception_C-0055_armo-web-socket_da76e5e96d6625eaf671728913fc1ea0", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-12-28T17:54:09.923913", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-web-socket", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "de591ee3-6c04-497f-9f09-4483d5d5c8b3", + "name": "exception_C-0055_armo-vuln-scan_95d1a88d44b60161348a6f30f3b85139", + "policyType": "postureExceptionPolicy", + "creationTime": "2021-12-28T17:54:10.221312", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-vuln-scan", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "6bc7f358-b661-423d-8615-192bcc750d7d", + "name": "exception_C-0055_armo-system_6aebe3fc6ab4fb9bc5e862d966b18bb1", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2021-12-28T17:57:35.512179", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "774b7221-b1df-4b3c-8239-578a481759e8", + "name": "exception_C-0055_ca-production_0509d62196b0989bfed9a1e09b5dceec", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:07.909378", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + 
"cluster": "ca-terraform-eks-prod", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "76d110e7-1ede-4287-a4fa-7e6d16bf1a9d", + "name": "exception_C-0055_cert-manager_1740af34d187f6c3224961ae5936c200", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:15.310149", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "cert-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "c11ccb6d-06af-4877-961f-5494b03ac29b", + "name": "exception_C-0055_kube-system_8cb6b1d4d502c13b7506bf94074e016f", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:16.990740", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "bd059ce0-aa59-40b7-aa29-a805bfcc3e7b", + "name": "exception_C-0055_kubernetes-dashboard_c5ee29d5de8cd6ecdc1d1e7859fbcd83", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:18.387539", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "kubernetes-dashboard" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "5e8d5109-a04d-4ed5-82c7-2702e01285cf", + "name": "exception_C-0055_logging_06411a501e0f8cce69313859242d341f", + 
"attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:20.056637", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "logging" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "d900f237-1e60-46cd-9e29-976fbf84ed6b", + "name": "exception_C-0055_monitoring_8292aecab8c65b92b838fb99effb48f2", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-03T07:59:20.748649", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "monitoring" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "2f1ec656-5c8e-47ca-ae70-9be0fbca3af8", + "name": "exception_C-0017_cert-manager_97ca325e24378b975cda412fcdb9e386", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-05T15:55:00.143870", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "cert-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "1e997c26-bb42-4efb-923f-f8a30e422e21", + "name": "exception_C-0017_fission-builder_229ae178320a0f2292cfe027a9cc97fb", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-05T15:55:07.096608", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "fission-builder" + 
} + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "61e0d194-1c8f-4af0-b3da-b14f24e22469", + "name": "exception_C-0017_fission-function_02a2886ad4242ea1758bff318b7f1560", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-05T15:55:09.136050", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "ed6b674c-bd80-4554-bcdf-7c8663e9ca30", + "name": "exception_C-0017_ingress-nginx_9b4f47a1375d964d19ff20a2b97bed54", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-05T15:55:10.072057", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "ingress-nginx" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "f5a0aace-3b51-451e-848c-17786eb69011", + "name": "exception_C-0038_kube-prometheus-stack-prometheus-node-exporter_b64faed2ee808d9f74ae584deebb4971", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-01-09T08:20:18.131572", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "namespace": "monitoring" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Host PID/IPC privileges" + } + ] + }, + { + "guid": "ccd2435e-6fdb-4389-b523-32508e7d80e0", + "name": 
"exception_C-0012_ca-selfregister_3672f343a9330a1dee81e1dcd308423c", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:13:21.050629", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-selfregister", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "b711fd52-11b3-4943-b148-2e6939b08a15", + "name": "exception_C-0012_portal-mongodb-arbiter_804ca5f01ac4c9b511d44b9ae62575d6", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:13:32.959498", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "StatefulSet", + "name": "portal-mongodb-arbiter", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "c48818f6-9766-4f51-80d4-45d372e4dcb1", + "name": "exception_C-0012_keycloak_a39a409074b8e9f28ac496fe89e83aa7", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:01.517006", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "keycloak", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "6705dcc6-c6f2-4af7-849c-c43f925b7c5c", + "name": "exception_C-0012_portal-mongodb_216ee1cc931d45dae4353190c4969d12", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:13.167099", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "StatefulSet", + "name": "portal-mongodb", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "fbf9086e-6c65-4100-b7ec-054eec9ba68d", + "name": "exception_C-0057_aws-node_9e3a57b7172afe3df85725159c791787", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:40.162055", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "f124831e-ac8b-4dd4-8214-f5055819148d", + "name": "exception_C-0057_kube-proxy_7f7a9dc93d963cc9c4c8673656a0684f", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:41.588288", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "4e2a4000-6a80-4fbd-8aab-0f98c56b7942", + "name": "exception_C-0006_aws-node_264c8eb88943b03056468e65fa69d3e4", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:53.241704", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Allowed hostPath" + } + ] + 
}, + { + "guid": "3836f22a-f851-4dd8-915c-334202475990", + "name": "exception_C-0006_kube-proxy_ec63b0e9a75fb1a2472c03a910db285c", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:14:53.793033", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "6303eba2-e146-4e81-baaf-dd88fb6dcfec", + "name": "exception_C-0006_promtail_1bc38c691a84aacee73dd9ea42e9efc4", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-07T08:15:03.409831", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "promtail", + "namespace": "logging" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "3e6d176f-5f0c-4478-9a83-fc84f785dbcb", + "name": "exception_C-0044_aws-node_ca029ca565ffb56e7b275c517c76b50d", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-09T08:25:07.483814", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Container hostPort" + } + ] + }, + { + "guid": "a60f33d3-d7da-4f63-bb99-15584f2bdf63", + "name": "exception_C-0044_kube-prometheus-stack-prometheus-node-exporter_5796ffc8a131d1e79d4d496124ab454f", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-09T08:25:11.816487", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "namespace": "monitoring" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Container hostPort" + } + ] + }, + { + "guid": "d7d3272c-62de-4d9e-936b-db32c763b50b", + "name": "exception_C-0055_fission_6ff719c67f10303ca6b362cc25c71d65", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-09T08:25:35.440390", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "fission" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "66e55d00-2b98-43ef-889f-3e7067206f3b", + "name": "exception_C-0055_fission-builder_24d013dea21aa1dc206b8bdc8724d3b3", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-09T08:25:36.945969", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "fission-builder" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": "a5c2ffd5-9b45-4583-a237-78f367ad680b", + "name": "exception_C-0055_fission-function_ffe969eb4394e5235d149abdc7ab7516", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-09T08:25:37.694769", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Linux hardening" + } + ] + }, + { + "guid": 
"aa26a17d-eed2-4135-a515-b59ea4fe8412", + "name": "exception_C-0017_armo-system_ea451af84d6e52e86f9ee8353a12d2dd", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-13T11:38:54.588260", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Immutable container filesystem" + } + ] + }, + { + "guid": "cef21139-304c-4047-8580-a39d29ac1bb4", + "name": "exception_C-0018_armo-scan-scheduler_053b65520530a7e423f2776dfce2ce2b", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-16T22:28:53.836263", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "CronJob", + "name": "armo-scan-scheduler", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "DevOpsBest", + "controlName": "Configured readiness probe" + } + ] + }, + { + "guid": "640d4a9a-35df-42c4-8827-a6fd50a30f5e", + "name": "exception_C-0050_armo-scan-scheduler_932d98f0cd3994123238a3f8d837b8e3", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-02-16T22:28:54.466151", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "CronJob", + "name": "armo-scan-scheduler", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "DevOpsBest", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "a41adca7-1565-45dd-98f5-0768efe41fff", + "name": "exception_C-0054_test-prod_59d74a6040fcd146a378560dad31d46a", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-03-31T14:51:33.605437", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "Namespace", + "name": "test-prod", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Cluster internal networking" + } + ] + }, + { + "guid": "a80a764d-160e-4595-b0f1-9088f050c486", + "name": "exception_C-0057_kube-proxy_77bd65bb16181806b13ecc7146552d2b", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-04-27T12:19:55.847406", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "54653e1c-0108-40c7-936f-316843f5bd47", + "name": "exception_C-0057_aws-node_d2bff8f9270ab9abf71a496305b02fc3", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-04-27T12:19:56.835571", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "c8699663-b56e-496c-af10-a3bfb63dde7d", + "name": "exception_C-0057_kube-system_14031bbcd4dd96c62bd3a4057145d9ea", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-05-04T10:59:21.759281", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Privileged container" + } + ] + }, + { + "guid": 
"02476ec7-885b-4bfc-bf2c-09d3c658438c", + "name": "exception_C-0035_system:masters_role_8a3cdeba550a3a600f9b7897b27b42be", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-05-04T10:59:32.228396", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "ClusterRole", + "name": "cluster-admin", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "257a8c5f-5d7e-4894-aead-6d2799539883", + "name": "exception_C-0046_aws-node_faa3d2fdc366661ccc92fc6ab881e626", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-05-11T14:56:57.654276", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Insecure capabilities" + } + ] + }, + { + "guid": "4d6e2869-e5fa-4030-aede-e0ef7cb2d6b4", + "name": "exception_C-0057_aws-node_e445850956cfd1bca1aed891b14ce136", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-05-18T09:25:06.519603", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "6676d479-8ffe-49ea-9161-28160b787657", + "name": "exception_C-0057_kube-proxy_f687f23dc6e035f8080e7ec6f8b6ba5e", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-05-18T09:25:07.215019", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + 
"cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "0451ab24-f2b0-488d-a851-43c8538868e5", + "name": "exception_C-0002_system:masters_dc900908a8afc2f8260925bd853d925f", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-06-22T08:11:24.970695", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo", + "kind": "Group", + "name": "system:masters", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Exec into container" + } + ] + }, + { + "guid": "dc218785-e714-4cd2-ad29-e9a65507a36d", + "name": "exception_C-0053_fission-fetcher_56c47410e33b84c0705aa6183fdf9872", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-06T07:48:36.008224", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "ServiceAccount", + "name": "fission-fetcher", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Access container service account" + } + ] + }, + { + "guid": "55a37f22-e986-4691-bac4-a3cdde194455", + "name": "exception_C-0039_pod-identity-webhook_96b38676eb82fdadba2ed4fd41d8f782", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-06T07:49:23.268657", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "MutatingWebhookConfiguration", + "name": "pod-identity-webhook", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Malicious admission controller (mutating)" + } + ] + }, + { + "guid": 
"3dcd5866-327a-4f93-a45b-2241d1aa0b09", + "name": "exception_C-0004_armo-collector_809c095eacc3c9b9ea2767ea0aee41e7", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-24T07:18:44.418769", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-collector", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "7b6f2eee-9192-438f-bd39-d9d21349ed82", + "name": "exception_C-0013_armo-collector_6982cde1ce288f4cac521677a2eed598", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-24T07:18:45.265295", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-collector", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Non-root containers" + } + ] + }, + { + "guid": "29cd514d-c02d-4eef-b28c-eab4f4ff5076", + "name": "exception_C-0030_armo-collector_33ca0ba1a1408a9511cf3240b4df3eb1", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-24T07:18:45.707972", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-collector", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Ingress and Egress blocked" + } + ] + }, + { + "guid": "469b7f6e-5bde-4297-b852-bc9870da94dd", + "name": "exception_C-0016_armo-collector_dc30c8a39d8b38f95103f257d3096907", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-07-24T07:18:46.534017", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "ca-terraform-eks-prod", + "kind": "Deployment", + "name": "armo-collector", + "namespace": "armo-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Allow privilege escalation" + } + ] + }, + { + "guid": "99848e1f-0ca4-4742-9a4c-98af5f0234ab", + "name": "exception_C-0002_system:masters_a69b4baab3d914fffb583fd3df42f36d", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-08-03T08:44:30.913969", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Group", + "name": "system:masters", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Exec into container" + } + ] + }, + { + "guid": "b568d36d-fcd3-4c6e-9497-58ac753487d6", + "name": "exception_C-0034_kube-system_ac3d99f59361c7e2a136fc7170fe1d05", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-08-11T01:42:21.271093", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Automatic mapping of service account" + } + ] + }, + { + "guid": "295f47c1-7db5-4d7b-bb52-755ed350bffb", + "name": "exception_C-0057_kube-proxy_afc7d93c3fd0ebd346e7048d223e3d59", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-08-11T19:12:53.364592", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + 
"controlName": "Privileged container" + } + ] + }, + { + "guid": "0845ccf4-91f6-46bc-9316-2a0502927582", + "name": "exception_C-0035_velero_e1b970948d9d75fd91a41afff5337f46", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-08-29T13:20:07.445409", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "velero" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "9875bce5-ef3f-4dc5-a6a2-90690e7894da", + "name": "exception_C-0063_kube-system_b843704c3fe7a3b73eeaf58c33b03f92", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:16.257483", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Portforwarding privileges" + } + ] + }, + { + "guid": "d12a8a42-28db-4f6e-ade7-bf55132c520a", + "name": "exception_C-0063_velero_4d4ac94d970c8d2556a4405a1990b01e", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:16.640525", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "velero" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Portforwarding privileges" + } + ] + }, + { + "guid": "bb7b693d-0796-483c-bb47-8d51ee6b2a69", + "name": "exception_C-0063_eks-admin_role_a0eb9a637e1b77a02c8b68a0da02c4e5", 
+ "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:18.094209", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "ClusterRole", + "name": "cluster-admin", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Portforwarding privileges" + } + ] + }, + { + "guid": "18fd615a-74ff-4e43-b212-d49a0b8402f4", + "name": "exception_C-0063_system:masters_428b87f307842f92fa35cd0dfe4fe3d7", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:20.221411", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Group", + "name": "system:masters", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Portforwarding privileges" + } + ] + }, + { + "guid": "133c2e53-9961-49c3-b4e1-addbd5b4cf33", + "name": "exception_C-0035_kube-system_60da50365c6cdccf8c46d9ed5583f999", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:54.617798", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "17382567-e8cd-47b6-ba66-2e7680d50cbc", + "name": "exception_C-0035_velero_a54362aae356ad2f7e9af47b5f1382cd", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:21:55.093594", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "velero" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "88e93318-f893-408c-94ed-571ab6bfd954", + "name": "exception_C-0021_kubernetes-dashboard_6dee066ed2d06c1a73ab91d214e4ede8", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-05T12:27:47.826838", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "kubernetes-dashboard" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Exposed sensitive interfaces" + } + ] + }, + { + "guid": "05c2ae2f-fc69-4b1e-8a1c-6bc8fd191f3a", + "name": "exception_C-0073_poolmgr-python-function-env-default-270589416-69c8fc5947-fvfk8_5f855b1e5e27dc8d7d1a43a5127b8a14", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-07T12:15:37.333764", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Pod", + "name": "poolmgr-python-function-env-default-270589416-69c8fc5947-fvfk8", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Naked PODs" + } + ] + }, + { + "guid": "c74de531-db5b-4113-838a-2d120eb5b6e0", + "name": "exception_C-0073_poolmgr-python-function-env-default-270589416-69c8fc5947-946nt_f5bf615ed6580df31c63d444a9167f72", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-07T12:15:43.280681", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Pod", + "name": "poolmgr-python-function-env-default-270589416-69c8fc5947-946nt", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Naked PODs" + } + ] + }, + { + "guid": "37b47c7b-7dc7-4b53-867d-8dc0cefbb54f", + "name": "exception_C-0006_kube-proxy_162990bb189a751ebff3e6a6122def67", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-08T10:35:03.886697", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "1a08769e-0b72-4260-afb8-1065b7b8104c", + "name": "exception_C-0006_aws-node_113f0678890c00556f7da82b3127d187", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-08T10:35:06.789939", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "9dfd979e-b042-48b5-88f6-727027a68739", + "name": "exception_C-0049_ca-production_c70f11e443580e8787a305e53ea5670b", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-15T13:17:31.092778", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Namespace", 
+ "name": "ca-production", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Network mapping" + } + ] + }, + { + "guid": "ce1759c3-763b-4985-9e19-3e93e2ba1e48", + "name": "exception_C-0006_kube-proxy_6fae630529c963388185b63159bdf066", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-18T09:11:43.430672", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "9328669b-9e9e-4d1e-9cd8-d9de56412be7", + "name": "exception_C-0006_aws-node_047c8cb579dfdd90c70528f323f8584e", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-18T09:11:44.165541", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "Primary-cluster", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Allowed hostPath" + } + ] + }, + { + "guid": "5f15a52f-fef9-4756-bba0-7e9f85b1e651", + "name": "exception_C-0073_kube-system_4c6a309604a6c625193a5fd548cc49ea", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-20T11:59:39.458290", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-16512", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Naked PODs" + } + ] + }, + { + "guid": "5075d9a3-6bf3-4212-ac9f-6c83e2936be3", + "name": "exception_C-0046_aws-node_3d6da83ccd2e25f34985f08be41ded0c", + "policyType": "postureExceptionPolicy", + "creationTime": 
"2022-09-29T18:57:33.070123", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Insecure capabilities" + } + ] + }, + { + "guid": "0023aa4b-3b8e-49d3-94f8-7593be21c73e", + "name": "exception_C-0038_kube-prometheus-stack-prometheus-node-exporter_81393a7fe7baeeac34abc93e853fad3e", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-09-29T18:57:43.456229", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "namespace": "prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Host PID/IPC privileges" + } + ] + }, + { + "guid": "a1252ba4-294e-49fc-bfca-49ae6ff44107", + "name": "exception_C-0057_aws-node_1cd21efe5728587cc91f9e835136d8be", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-03T11:12:44.031008", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "ac351a9c-3625-4f06-b39a-024520088f9f", + "name": "exception_C-0057_kube-proxy_4bc29d871b5856ac37cdb43a2a00525e", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-03T11:12:45.162207", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", 
+ "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "4e8ec9d0-460c-4514-bbb0-c2f8a9e50f26", + "name": "exception_C-0041_aws-node_9a3e5718dce9d7606b26f2dd52b09cea", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:32:47.782121", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "HostNetwork access" + } + ] + }, + { + "guid": "be21ee58-7419-4aff-8620-000a4da3c54e", + "name": "exception_C-0041_kube-proxy_e68d5843c022c90cf556872cc26e634a", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:32:48.421384", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "HostNetwork access" + } + ] + }, + { + "guid": "b3d60827-c6b1-407f-8338-ed460aa28afd", + "name": "exception_C-0041_kube-prometheus-stack-prometheus-node-exporter_416cb98527326169243ea69869809b98", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:32:49.058142", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": 
"kube-prometheus-stack-prometheus-node-exporter", + "namespace": "monitoring" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "HostNetwork access" + } + ] + }, + { + "guid": "91aae229-8e24-48c6-866b-71c8ade68159", + "name": "exception_C-0050_aws-node_52bd07eef426a6ee5ea10ea049747efc", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:51:45.646349", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "c59fea46-a212-463c-8671-7e80480a51a6", + "name": "exception_C-0050_metrics-server_0cbe88fe25c5c16d9764951dd0447418", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:51:46.081452", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "e8ac11c1-1922-4ec2-871e-efb420eb99f0", + "name": "exception_C-0050_kube-proxy_e4dbc42793ab512c9022b02fa7011c5c", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:51:46.860734", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": 
"AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "2d31dc0d-7a80-48be-9aa7-1435d05ff3fc", + "name": "exception_C-0050_coredns_25d830bcbda3d972957c313e49a3f329", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-06T09:51:47.654525", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "af48b363-2252-4056-9fe2-854a927259cf", + "name": "exception_C-0035_system:masters_243a2d4068907fd5fd0ec6aea10b79bf", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-11T11:00:53.076780", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Group", + "name": "system:masters", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "0a8686a2-76ee-4995-98bd-9b8bfd7f278d", + "name": "exception_C-0035_default_02abe71ba39ff839eacd9f0a43ecb54d", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-11T11:00:53.853118", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "8f4e10fa-8c29-470c-b34c-77b3a8e8256c", + "name": "exception_C-0054_kube-system_1a94d2e865752a8ca59d82ed62082e88", + "policyType": "postureExceptionPolicy", + "creationTime": 
"2022-10-19T14:06:16.415872", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Namespace", + "name": "kube-system", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Cluster internal networking" + } + ] + }, + { + "guid": "bd51c656-782c-4bdd-92a2-4bfe104ae6fb", + "name": "exception_C-0049_kube-system_261ecaffc99cdc4f94103d835ed9174d", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-19T14:06:17.366959", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Namespace", + "name": "kube-system", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Network mapping" + } + ] + }, + { + "guid": "28dec253-278b-4a73-8490-35485ec6d906", + "name": "exception_C-0050_etcd-demo-bh_f352acadce97c414273f3715e78c4bfa", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T12:36:12.782310", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "etcd-demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "be06dd65-e531-4a8a-9004-ab56f9f12263", + "name": "exception_C-0050_kube-apiserver-demo-bh_6c1535d442003e0b7665e4ccbd67d4b3", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T13:24:04.963787", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "kube-apiserver-demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": 
"Resources CPU limit and request" + } + ] + }, + { + "guid": "2e914849-79bf-4cfb-93f0-fc678df1d516", + "name": "exception_C-0050_storage-provisioner_b6b0b426e0ce9faca6666b8aa8c0e3c9", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T13:24:05.641587", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "storage-provisioner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "704092ad-2a2a-4b07-97bc-84fa49edb512", + "name": "exception_C-0050_kube-proxy_5abb363884a42c6274232fec1a301471", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T13:24:06.788811", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "661d6055-5004-48a1-9d44-95dc6dc21fe8", + "name": "exception_C-0050_kube-controller-manager-demo-bh_6873c21c6b3722d210c4fff2fea50062", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T13:24:07.369834", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "kube-controller-manager-demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "6c407d16-d05e-448d-8812-67b4faa22582", + "name": "exception_C-0050_kube-scheduler-demo-bh_0bdfc67ad2a41d71638333fa0d76e00d", + "policyType": "postureExceptionPolicy", + "creationTime": 
"2022-10-23T13:24:08.794583", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "kube-scheduler-demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "acdedac2-0b8c-413c-b996-ad91feecbf33", + "name": "exception_C-0050_coredns_5a8f9097a58ac9976f1c4f7fbbe64034", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-23T13:24:09.355402", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "c303eacd-1328-486d-86c8-092a36089199", + "name": "exception_C-0045_loki_ad17e9b3dc9797afaa2fecb6631a5653", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-26T10:26:41.196253", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "loki" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Writable hostPath mount" + } + ] + }, + { + "guid": "b54b6c78-760a-47d8-91af-5cc7088f9830", + "name": "exception_C-0045_kube-system_458aaa02254433d60a1180f590dcc53d", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-26T10:26:49.698696", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + 
"controlName": "Writable hostPath mount" + } + ] + }, + { + "guid": "a9216fc1-79c4-4a89-8396-fe447f69ea43", + "name": "exception_C-0083_nginx-ingress-controller-65c8bc5f9d-jjp8m_99401229d18c71b7bf4a182abdfa1e95", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-26T19:29:49.233020", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Pod", + "name": "nginx-ingress-controller-65c8bc5f9d-jjp8m", + "namespace": "ingress-nginx" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Workloads with Critical vulnerabilities exposed to external traffic" + } + ] + }, + { + "guid": "ec4cfae3-06bc-4b0e-b363-4064582e0c28", + "name": "exception_C-0004_operator_252ce8a392ea35abdca571176966985b", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-27T12:02:30.238849", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "be98e915-2c57-493e-b1e6-062356aa5272", + "name": "exception_C-0053_statefulset-controller_1ae515ab36805d87f5296ddda1b0540a", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-27T12:04:40.089037", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "ServiceAccount", + "name": "statefulset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Access container service account" + } + ] + }, + { + "guid": "b19432ea-5d79-4641-8ed2-2a9cdd072c49", + "name": 
"exception_C-0034_resourcequota-controller_c9f30acf860f3bc1335d65aedae43375", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-27T12:04:48.229002", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "ServiceAccount", + "name": "resourcequota-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Automatic mapping of service account" + } + ] + }, + { + "guid": "5af86103-ab8c-46b3-8e09-3808a956fc40", + "name": "exception_C-0053_coredns_39549fdd7d5f8bd817150a343dc3b81e", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-27T12:04:56.473818", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "ServiceAccount", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Access container service account" + } + ] + }, + { + "guid": "bf0ec632-0613-4e33-a328-558e57fda577", + "name": "exception_C-0053_horizontal-pod-autoscaler_a89e5ca54a05c42b980935e588bc234c", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-27T12:05:07.629503", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "ServiceAccount", + "name": "horizontal-pod-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Access container service account" + } + ] + }, + { + "guid": "d01f9295-31c5-4d05-84d2-a26c0375a35c", + "name": "exception_C-0057_kube-proxy_b72474a1e3c1e671d789ca961ae6b9b9", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-28T07:05:14.091676", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "36a1b5f5-798f-45be-8f16-3070cf824481", + "name": "exception_C-0045_kube-proxy_417c2eb0df7b519d63b9c60519d3e258", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-28T14:22:57.906117", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Writable hostPath mount" + } + ] + }, + { + "guid": "09b7963a-f3d4-4fc6-9ee7-c8999af13bea", + "name": "exception_C-0012_portal-mongodb-arbiter_c8401e0244e4809b996db5e8469a4d93", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-28T17:04:26.446843", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "StatefulSet", + "name": "portal-mongodb-arbiter", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "9557e556-c140-46d3-8ac3-e5575e250529", + "name": "exception_C-0063_kube-system_db2e45583f9d7a359f412b2e74f35af9", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-30T15:19:13.490294", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Portforwarding privileges" + } + ] + }, + { + "guid": "4cf04291-90d6-4517-a954-5285c262cb60", + "name": "exception_C-0057_kube-proxy_8477dbd66f8a4b16f8e90f0905b26127", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-30T15:42:34.541644", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "MITRE", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "ed46d826-9422-4258-af35-69b7f8e3c5e9", + "name": "exception_C-0045_kube-controller-manager-demo-bh_1ba0ccf01b913d4b2c797bf81195ed7c", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-10-30T16:02:43.497374", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Pod", + "name": "kube-controller-manager-demo-bh", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "MITRE", + "controlName": "Writable hostPath mount" + } + ] + }, + { + "guid": "cb179378-0bdb-4523-86b2-427487e95220", + "name": "exception_C-0013_grafana_5a13c1f8e256ce641b8ccd026c3c9691", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-02T11:18:49.653221", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "kind": "Deployment", + "name": "grafana", + "namespace": "grafana" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "ArmoBest", + "controlName": "Non-root containers" + } + ] + }, + { + "guid": "8a7e6261-1564-425c-b1e1-0c14510d938d", + "name": "exception_CIS-5.1.5_loki_6dafba2a6737cefb4dfc4d92937e8367", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", 
+ "creationTime": "2022-11-10T14:10:07.094200", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "loki" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "CIS", + "controlName": "Ensure that default service accounts are not actively used" + } + ] + }, + { + "": "d06ecb92-095a-462f-9f72-5783c4c1d91e", + "name": "exception_C-0050_jenkins_a419a83cc0d170338e27ba0e7ff10db7", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-16T12:31:14.142732", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "StatefulSet", + "name": "jenkins", + "namespace": "jenkins" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "": "4adf8a28-a110-49d9-8693-b38ebe841ade", + "name": "exception_C-0004_cert-manager-cainjector_14879aa519572a7d6047f0f7bc7de8e6", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-16T14:35:56.863494", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "Deployment", + "name": "cert-manager-cainjector", + "namespace": "cert-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "e1568574-5c23-401c-9323-19bab18c5d14", + "name": "exception_C-0004_cert-manager-webhook_d4055dfd8c45fd595e249dca2b2d4461", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-16T14:36:47.846066", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": 
"arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "Deployment", + "name": "cert-manager-webhook", + "namespace": "cert-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "470fbc81-d8a1-41a9-a13c-c40a1bf376da", + "name": "exception_C-0012_cluster-info_abb6f1fac466035a69365b579e67833a", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-20T08:34:28.710559", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "kind": "ConfigMap", + "name": "cluster-info", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "e848e573-d964-4116-81f7-e844a9a23062", + "name": "exception_C-0012_kube-public_e7e62e035e34d0eee9c1cf14197b178c", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-20T08:34:29.844687", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "cluster-30080", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "35858724-0009-411b-a2f9-57e1e1005f62", + "name": "exception_C-0057_efs-csi-node_968f897a21a468adfe88cfc846a32d37", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-11-20T13:28:23.596744", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "DaemonSet", + "name": "efs-csi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "a90faf35-fe78-411f-9c71-9e4261c04534", + "name": "exception_C-0059_nginx-ingress-controller_0b6b936a699a7af8e651810a8c66ce84", + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC1010109", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "nginx-ingress-controller", + "namespace": "ingress-nginx" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability" + } + ] + }, + { + "guid": "76432f6c-5009-40ac-b09c-3c7840dd4102", + "name": "exception_C-0059_ingress-nginx_e903a1ca7f91122df96fe3e8a54b2684", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC1010109", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "namespace": "ingress-nginx" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability" + } + ] + }, + { + "guid": "a403916a-6cc4-4af7-9f01-c4d8f2b8556a", + "name": "exception_C-0045_promtail_ce299ac7185fe8ecb8439b4e764536d4", + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC3339", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "promtail", + "namespace": "logging" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Writable hostPath mount" + } + ] + }, + { + 
"guid": "5894051e-9df1-4535-8510-df73ab8e9c87", + "name": "exception_C-0004_grafana_e514ad9f85ff5c097635f20c5fa0e247", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC3339", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "demo-bh", + "namespace": "grafana" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "05be1f9a-30f9-41c2-8a36-31389845a6ed", + "name": "exception_C-0050_efs-csi-node_5ebc53112052e44a670ab310141c7f33", + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC6669", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "DaemonSet", + "name": "efs-csi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "3d5bb67a-dc78-4a10-b413-7e937260b049", + "name": "exception_C-0004_elasticsearch-snapshot_b2bd1e9d7505a7e98fec9e027bb430a0", + "policyType": "postureExceptionPolicy", + "creationTime": "time.RFC3339", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "CronJob", + "name": "elasticsearch-snapshot", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "37e93b7e-2585-4ce0-b7e4-89d55dd69f0e", + "name": "exception_C-0057_kube-system_7cd72a593445b62c0e8ec1fea9666a98", + "attributes": { + "namespaceOnly": "true" + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "time.RFC1010109", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "eb81f0e5-52ae-408d-bcbc-165d951ab149", + "name": "exception_C-0004_cert-manager_5e2a716ba6df16a43aa10cf9d01271e5", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-12-19T12:47:26Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-rnd-jenkins-0", + "kind": "Deployment", + "name": "cert-manager", + "namespace": "cert-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "a2e55dfa-d272-4b87-a9da-96699cc90395", + "name": "exception_C-0057_ama-logs_24603be5888738f906e56fc0d3f1c7ff", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-12-20T15:32:09Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "test-cluster", + "kind": "DaemonSet", + "name": "ama-logs", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "e64699ad-4b96-446d-a160-594da48cde1a", + "name": "exception_C-0057_ama-logs-rs_bf412e7594850a24ce0493ca6b2e86d4", + "policyType": "postureExceptionPolicy", + "creationTime": "2022-12-20T15:32:15Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "test-cluster", + "kind": "Deployment", + "name": "ama-logs-rs", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { 
+ "frameworkName": "AllControls", + "controlName": "Privileged container" + } + ] + }, + { + "guid": "f1815f20-a6ac-49f7-9370-67167d70ee22", + "name": "exception_C-0048_ca-signing-service_e018c3e48d54f554a6425856c1999bce", + "updatedTime": "2023-01-05T14:19:02Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-05T14:19:02Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-signing-service", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "HostPath mount" + } + ] + }, + { + "guid": "f21c2b16-e266-4d2d-83ad-a4b3f4d81589", + "name": "exception_C-0034_ca-event-receiver_6ea9a08d6c34531ab63e0ddf3d272387", + "updatedTime": "2023-01-05T14:21:25Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-05T14:21:25Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-event-receiver", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Automatic mapping of service account" + } + ] + }, + { + "guid": "04aeaa34-659f-46f4-ad94-5196ce57a442", + "name": "exception_C-0012_groundcover-promscale_1c76b9c76feb9b55cf88fcbd0aa50bec", + "updatedTime": "2023-01-24T09:14:27Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T09:14:27Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "kind": "Deployment", + "name": "groundcover-promscale", + "namespace": "groundcover" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "f682fe50-976d-47e9-a321-f353c525835c", + "name": "exception_C-0012_groundcover_7bbf9e504042cd1c045358c732dea82e", + "attributes": { + "namespaceOnly": "true" + }, + "updatedTime": "2023-01-24T09:14:34Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T09:14:34Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "namespace": "groundcover" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "f4a3082b-42bb-4087-8b28-1ea9981f5e2c", + "name": "exception_C-0050_keycloak-mysql_ecae62bae8ed5b92321c0a6d5ce76123", + "updatedTime": "2023-01-24T13:53:37Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T13:53:37Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "StatefulSet", + "name": "keycloak-mysql", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "87db8181-72a8-402b-85d7-9d0c02fd4f3b", + "name": "exception_C-0050_poolmgr-python-function-env-default-270589416-6bdb5bb855-zt77g_bc26b92d8a1c8a7847b81285c997fdf4", + "updatedTime": "2023-01-24T14:29:16Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-24T14:29:16Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Pod", + "name": 
"poolmgr-python-function-env-default-270589416-6bdb5bb855-zt77g", + "namespace": "fission-function" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "dcbf2fe0-de4c-4cc2-9117-b93094b8307c", + "name": "exception_C-0004_ca-kubescape-config-service_5ea385430844e27b130c484b127b6e8e", + "updatedTime": "2023-01-25T09:35:20Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T09:35:20Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-kubescape-config-service", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "b8d8c84c-aeaf-4b0a-b67b-a12bc395c0fc", + "name": "exception_C-0004_ca-event-receiver_7e0081afbbf6679874813089be704d58", + "updatedTime": "2023-01-25T09:35:22Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T09:35:22Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-event-receiver", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "49ee2314-a9b1-4096-9fe7-f2527fab2e64", + "name": "exception_C-0004_mysql-snapshot-cronjob-prod_b7aecf43b7c8970945a5cae1b0926919", + "updatedTime": "2023-01-25T09:35:23Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T09:35:23Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": 
"arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "CronJob", + "name": "mysql-snapshot-cronjob-prod", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "24604429-bab7-4a42-990c-8f3d04de3aa7", + "name": "exception_C-0065_velero-server_role_c3d78bc916b88113c68063e635cf265a", + "updatedTime": "2023-01-25T11:52:24Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T11:52:24Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "ClusterRoleBinding", + "name": "velero-server", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "No impersonation" + } + ] + }, + { + "guid": "7163b286-f06e-41b7-817a-e0c6bc0d6bc4", + "name": "exception_C-0004_portal-mongodb-client-snapshot-prod_5da173904108b6eebe8ced9df61236ec", + "updatedTime": "2023-01-25T13:10:56Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T13:10:56Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "CronJob", + "name": "portal-mongodb-client-snapshot-prod", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "cd370365-1eaf-4958-bb53-2e182ba582ba", + "name": "exception_C-0004_elasticsearch-task-puller-cronjob_cd81472155fdd8fc1982022bc35f4c50", + "updatedTime": "2023-01-25T13:33:28Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T13:33:28Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "CronJob", + "name": "elasticsearch-task-puller-cronjob", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "46d81945-6b0a-4f59-b280-aae91f706542", + "name": "exception_C-0004_ca-signing-service_b38e090c2c51380d01abcbd18f9cdec7", + "updatedTime": "2023-01-25T13:33:30Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-25T13:33:30Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Deployment", + "name": "ca-signing-service", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources memory limit and request" + } + ] + }, + { + "guid": "891be26f-4e42-47a0-bd46-2831ad3e8456", + "name": "exception_C-0065_velero-server_31403029a5f130d93c136b4745cfcac6", + "updatedTime": "2023-01-26T11:16:32Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-26T11:16:32Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "ServiceAccount", + "name": "velero-server", + "namespace": "velero" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "No impersonation" + } + ] + }, + { + "guid": "03485120-3b6f-4b2b-bb30-0981a86f053f", + "name": "exception_C-0065_arn:aws:iam::057134155174:user/bhirschb_f0d0450f6c678524d8cfc449435efc54", + "updatedTime": "2023-01-26T11:18:01Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-26T11:18:01Z", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "User", + "name": "arn:aws:iam::057134155174:user/bhirschb", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "No impersonation" + } + ] + }, + { + "guid": "c87d1374-2c9e-44a2-a773-949a71dc5eda", + "name": "exception_C-0050_elasticsearch-snapshot_1a6445d4d42fa79bc4e6aef8380c9b87", + "updatedTime": "2023-01-26T12:18:03Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-01-26T12:18:03Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "CronJob", + "name": "elasticsearch-snapshot", + "namespace": "ca-production" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "57455f22-9965-47bb-8ad4-688bbc8a6966", + "name": "exception_C-0015_fission-fetcher_role_4e918f1952dce856c87000922911341f", + "updatedTime": "2023-02-05T16:11:46Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-05T16:11:46Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "Role", + "name": "fission-fetcher", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "List Kubernetes secrets" + } + ] + }, + { + "guid": "31b34bab-b814-47b4-b33b-0e3f6aeea744", + "name": "exception_C-0050_golang-inf_9029ceb5a82ff5ab0f6e04445bfddd11", + "updatedTime": "2023-02-07T14:51:43Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-07T14:51:43Z", + "actions": [ + "alertOnly" 
+ ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "Deployment", + "name": "golang-inf", + "namespace": "armo-playground" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "cf103189-7ed0-431e-b4e7-81624cdbc984", + "name": "exception_C-0050_portal-mongodb_02370bca198009694d44a304687c0932", + "updatedTime": "2023-02-07T14:51:45Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-07T14:51:45Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "StatefulSet", + "name": "portal-mongodb", + "namespace": "ca-development" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "57f249ba-1b83-4b96-838f-9bba6b79d0d4", + "name": "exception_C-0050_portal-mongodb-client-dev_0193ef334f7f35a8b8216acbc2bfff70", + "updatedTime": "2023-02-07T14:51:46Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-07T14:51:46Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "Pod", + "name": "portal-mongodb-client-dev", + "namespace": "ca-development" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Resources CPU limit and request" + } + ] + }, + { + "guid": "418823c8-fb04-4708-9ae5-1995e7028bae", + "name": "exception_C-0059_nginx-ingress-controller_b88084caf16aca7623fb65344ff1904c", + "updatedTime": "2023-02-08T16:41:42Z", + "policyType": "postureExceptionPolicy", + "creationTime": 
"2023-02-08T16:41:42Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "Deployment", + "name": "nginx-ingress-controller", + "namespace": "ingress-nginx" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability" + } + ] + }, + { + "guid": "5fe4cc41-e361-4b21-88c6-716d8bf9ed20", + "name": "exception_C-0035_ca-controller-service-account_role_0804143f4597d6b58e64b43429fd1fda", + "updatedTime": "2023-02-15T09:17:55Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-15T09:17:55Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "gke_elated-pottery-310110_us-central1-c_cluster-mock", + "kind": "ClusterRole", + "name": "ca-controller-roles", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "5b55d56c-0bf7-47e1-9ad7-557cd0133432", + "name": "exception_C-0035_velero-server_role_0e4ffbc3a130e656a1af4379649ae7be", + "updatedTime": "2023-02-22T12:25:19Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-22T12:25:19Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "ClusterRole", + "name": "cluster-admin", + "namespace": "" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Cluster-admin binding" + } + ] + }, + { + "guid": "683a1c2b-e7ee-4198-a2ae-70ebb6dbc118", + "name": "exception_C-0012_portal-mongodb-client-snapshot-dev_640b2993899cc62d57231c4060ff91a7", + "updatedTime": "2023-02-23T23:57:50Z", + "policyType": 
"postureExceptionPolicy", + "creationTime": "2023-02-23T23:57:50Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "Pod", + "name": "portal-mongodb-client-snapshot-dev", + "namespace": "ca-development" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "0f2df8ab-c1e6-406a-b352-3f37d624b88a", + "name": "exception_C-0012_portal-mongodb-client-dev_cf4977ea493cbd1bccc478fe1367ca4e", + "updatedTime": "2023-02-23T23:57:51Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-23T23:57:51Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-west-1-015253967648-cluster-ca-terraform-eks-dev-stage", + "kind": "Pod", + "name": "portal-mongodb-client-dev", + "namespace": "ca-development" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "NSA", + "controlName": "Applications credentials in configuration files" + } + ] + }, + { + "guid": "f2d260f6-bc2e-43ad-bf1c-04681e12529d", + "name": "exception_C-0038_kube-prometheus-stack-prometheus-node-exporter_4394c9159b74f9f147309b0726706750", + "updatedTime": "2023-02-28T16:07:44Z", + "policyType": "postureExceptionPolicy", + "creationTime": "2023-02-28T16:07:44Z", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "cluster": "arn-aws-eks-eu-north-1-057134155174-cluster-ca-terraform-eks-prod", + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "namespace": "monitoring" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "AllControls", + "controlName": "Host PID/IPC privileges" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-1", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "coredns-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "etcd-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "storage-provisioner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-scheduler-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-controller-manager-.*", + 
"namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-public-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-node-lease-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-minikube-kube-node-lease-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-1", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "certificate-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "bootstrap-signer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "clusterrole-aggregation-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": 
"ServiceAccount", + "name": "root-ca-cert-publisher", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pvc-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "statefulset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": 
"exclude-kube-system-service-accounts-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-account-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "horizontal-pod-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "expand-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replicaset-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "replication-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "resourcequota-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpoint-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "endpointslice-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": 
"endpointslicemirroring-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ephemeral-volume-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-21", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pv-protection-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-23", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "job-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": 
"exclude-kube-system-service-accounts-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "daemon-set-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-25", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "deployment-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "generic-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-27", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "persistent-volume-binder", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-28", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "storage-provisioner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "token-cleaner", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "namespace-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-32", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cronjob-controller", + "namespace": 
"kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "attachdetach-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "service-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-35", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "disruption-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-36", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pod-garbage-collector", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-37", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "ttl-after-finished-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "User", + "name": "system:kube-scheduler" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "User", + "name": "system:kube-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "apiVersion": "rbac.authorization.k8s.io", + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-security-context", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-deployment-allowed-registry", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-prometheus-deployment-ingress-and-egress", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape-prometheus" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "aws-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-3", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "metrics-server-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "metrics-server-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "aws-cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "aws-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "eks-admin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "eks-vpc-resource-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-18", + "attributes": { + "systemException": true + }, 
+ "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "tagging-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "vpc-resource-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:fargate-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-21", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:addon-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": 
"eks:certificate-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-23", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "eks:node-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-eks-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "coredns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-aks-kube-system-deployments-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "omsagent-rs", + "namespace": "kube-system" + } + } + ], + "posturePolicies": null + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "azure-ip-masq-agent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "cloud-node-manager-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + 
"guid": "", + "name": "exclude-aks-kube-system-pods-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "coredns-autoscaler--[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "csi-azuredisk-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "csi-azurefile-node-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "konnectivity-agent-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-10", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "omsagent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-pods-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "omsagent-rs-[A-Za-z0-9]+-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-services-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-services-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Service", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", 
+ "attributes": { + "kind": "DaemonSet", + "name": "azure-ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "cloud-node-manager", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "cloud-node-manager-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azuredisk-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azuredisk-node-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + 
"name": "exclude-aks-kube-system-daemonsets-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azurefile-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "csi-azurefile-node-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "kube-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "omsagent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-daemonsets-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "omsagent-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-autoscaler-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "coredns-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "konnectivity-agent-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "metrics-server-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + 
{ + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-replicasets-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ReplicaSet", + "name": "omsagent-rs-[A-Za-z0-9]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-namespaces-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "azure-cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cloud-node-manager", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], 
+ "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "coredns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "csi-azuredisk-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "csi-azurefile-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metrics-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "omsagent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-45", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-46", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-node-lease" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-47", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-public" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-48", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "azure-ip-masq-agent-config-reconciled", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-49", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "cluster-autoscaler-status", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-50", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "container-azm-ms-aks-k8scluster", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-51", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-52", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-53", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "coredns-custom", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-54", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "extension-apiserver-authentication", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-55", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kube-root-ca.crt", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-56", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "omsagent-rs-config", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-57", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "overlay-upgrade-data", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-58", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "aks-webhook-admission-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-59", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "aks-node-mutating-webhook" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-60", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "aks-node-validating-webhook" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-61", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:masters" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": 
"exclude-aks-kube-system-sa-62", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Group", + "name": "system:nodes" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-63", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "clusterAdmin" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-64", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kube-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-aks-kube-system-sa-65", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kube-scheduler" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ConfigMap", + "name": "kubescape", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + 
"frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-default-namespace-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "default", + "namespace": "default" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-pod-kube-apiserver", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-apiserver-.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0013" + }, + { + "frameworkName": "", + "controlID": "c-0077" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "c-0013 " + }, + { + "frameworkName": "", + "controlID": "c-0020" + }, + { + "frameworkName": "", + "controlID": "c-0030" + }, + { + "frameworkName": "", + "controlID": "c-0034" + }, + { + "frameworkName": "", + "controlID": "c-0016" + }, + { + "frameworkName": "", + "controlID": "c-0004" + }, + { + "frameworkName": "", + "controlID": "c-0050" + }, + { + "frameworkName": "", + "controlID": "c-0009" + }, + { + "frameworkName": "", + "controlID": "c-0048" + }, + { + "frameworkName": "", + "controlID": "c-0041" + } + 
] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": 
"exclude-kubescape-deployment-security-context-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-security-context-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0055" + }, + { + "frameworkName": "", + "controlID": "c-0017" + }, + { + "frameworkName": "", + "controlID": "C-0210" + }, + { + "frameworkName": "", + "controlID": "C-0211" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-allowed-registry-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0001" + }, + { + "frameworkName": "", + "controlID": "c-0078" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-1", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "operator", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "gateway", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubevuln", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-deployment-ingress-and-egress-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "StatefulSet", + "name": "kollector", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "c-0030" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Pod", + "name": "kube-proxy-[A-Za-z0-9-]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "metadata-proxy-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "node-local-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + 
"kind": "DaemonSet", + "name": "gke-metrics-agent.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "anetd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "netd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-big", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + 
"controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-small", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke-max", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentbit-gke.*", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nccl-fastsocket-installer", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-15", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "filestore-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "pdcsi-node", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-17", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-18", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "anetd-win", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-19", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], 
+ "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "gke-metadata-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-20", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "gke-metrics-agent-windows", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-22", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "nvidia-gpu-device-plugin", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-24", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-25", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": 
"egress-nat-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-26", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "event-exporter-gke", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-27", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "antrea-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-28", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "antrea-controller-horizontal-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-29", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { 
+ "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-30", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "metrics-server-v[0-9.]+", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-31", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-32", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "fluentd-elasticsearch", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-gke-kube-system-resources-33", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "konnectivity-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": 
"exclude-gke-kube-system-resources-34", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "l7-default-backend", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "", + "controlID": "C-.*" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-38", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "konnectivity-agent-cpha", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-49", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cloud-provider", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-71", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-78", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "kube-dns-autoscaler", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-79", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "netd", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-80", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "metadata-proxy", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-81", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-82", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "cilium", + "namespace": "kube-system" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-83", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "node-local-dns", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-84", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "gke-metrics-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-85", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "egress-nat-controller", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-86", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-87", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "event-exporter-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-88", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "antrea-cpha", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-89", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "fluentbit-gke", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-90", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "pdcsi-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-91", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", 
+ "name": "ip-masq-agent", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-92", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "filestorecsi-node-sa", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-service-accounts-93", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ServiceAccount", + "name": "gke-metadata-server", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-users-and-groups-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:vpa-recommender", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kube-system-users-and-groups-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:anet-operator", + "namespace": "kube-system" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": 
"exclude-system-users-and-groups-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:clustermetrics" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:controller:glbc" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:l7-lb-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:managed-certificate-controller" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:gke-common-webhooks" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:gcp-controller-manager" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:resource-tracker" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:storageversionmigrator" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-users-and-groups-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "User", + "name": "system:kubestore-collector" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-1", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + 
"attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "ca-validate-cfg" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-2", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "flowcontrol-guardrails.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-3", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "validation-webhook.snapshot.storage.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-4", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "nodelimit.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "gkepolicy.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } 
+ ] + }, + { + "guid": "", + "name": "exclude-system-resources-6", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "ValidatingWebhookConfiguration", + "name": "validation-webhook.snapshot.storage.k8s.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-7", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "APIService", + "name": "v1beta1.metrics.k8s.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-8", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "pod-ready.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-9", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "ca-mutate-cfg" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-10", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "neg-annotation.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-11", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "mutate-scheduler-profile.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-12", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "sasecret-redacter.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-13", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "workload-defaulter.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-14", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": 
"admissionwebhookcontroller.config.common-webhooks.networking.gke.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-15", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "gke-vpa-webhook-config" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-system-resources-16", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "MutatingWebhookConfiguration", + "name": "filestorecsi-mutation-webhook.storage.k8s.io" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-host-scanner-resources", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "DaemonSet", + "name": "host-scanner", + "namespace": "kubescape-host-scanner" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "OmitRawResources": false +} \ No newline at end of file