<!DOCTYPE html>
|
|
<html lang="en-US">
|
|
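<head>
  <meta charset="UTF-8">
  <!-- The visible report is static markup with one inline stylesheet and one remote logo, so scripts and every
       other fetch can be denied. This limits what markup injected through scanned object metadata could do.
       NOTE(review): assumes the rest of the report contains no scripts or further remote assets; confirm
       against the template, and update img-src if the logo source changes. -->
  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src https://raw.githubusercontent.com">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Kubescape Scan Report</title>
  <!-- The stylesheet belongs inside head; the original placed it between the closing head tag and body. -->
  <style>
    /* Shared spacing and font settings for every table in the report. */
    :root {
      --cell-padding-vertical: 0.25em;
      --cell-padding-horizontal: 0.25em;
      --font-family-sans: system-ui, -apple-system, sans-serif;
    }

    /* Centered, fixed-width reading column. */
    body {
      max-width: 60em;
      margin: auto;
      font-family: var(--font-family-sans);
    }

    /* Fixed layout so the percentage widths on the cell classes below are honoured. */
    table {
      width: 100%;
      border-top: 0.1em solid black;
      border-bottom: 0.1em solid black;
      border-collapse: collapse;
      table-layout: fixed;
    }

    th {
      text-align: left;
    }

    td, th {
      padding-top: var(--cell-padding-vertical);
      padding-bottom: var(--cell-padding-vertical);
      padding-right: var(--cell-padding-horizontal);
      vertical-align: top;
    }

    /* Remediation paths are long unbroken strings; allow breaks anywhere so they stay inside the cell. */
    td > p {
      margin: 0;
      word-break: break-all;
      hyphens: auto;
    }

    thead {
      border-bottom: 0.01em solid black;
    }

    .numericCell {
      text-align: right;
    }

    /* Column widths for the Details (per-control) table. */
    .controlSeverityCell {
      width: 10%;
    }

    .controlNameCell {
      width: 50%;
    }

    .controlRiskCell {
      width: 10%;
    }

    /* Column widths for the per-resource tables. */
    .resourceSeverityCell {
      width: 10%;
    }

    .resourceNameCell {
      width: 30%;
    }

    .resourceURLCell {
      width: 10%;
    }

    .resourceRemediationCell {
      width: 50%;
    }

    .logo {
      width: 25%;
      float: right;
    }
  </style>
</head>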
|
|
<body>
|
|
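<!-- The logo is fetched from raw.githubusercontent.com at the mutable master ref every time the report is opened:
     the viewer's address is disclosed to that host, and the image can change or disappear after the report
     was generated. Embedding the logo in the report (for example as a data: URI) would keep it self-contained. -->
<img class="logo" src="https://raw.githubusercontent.com/kubescape/kubescape/master/core/pkg/resultshandling/printer/v2/pdf/logo.png" alt="Kubescape logo" referrerpolicy="no-referrer">
<h1>Kubescape Scan Report</h1>
<!-- br is a void element; the original closing-tag form is a parse error that browsers render as a line break. -->
<br>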
|
|
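<h2>Summary</h2>
<!-- Totals as emitted by the scanner.
     NOTE(review): presumably counts of controls; confirm against the scanner output. -->
<table>
  <thead>
    <tr>
      <th scope="col">All</th>
      <th scope="col">Failed</th>
      <th scope="col">Skipped</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>65</td>
      <td>23</td>
      <td>10</td>
    </tr>
  </tbody>
</table>
<br>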
|
|
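<h2>Details</h2>
<!-- One row per control, grouped by severity (Critical, High, Medium, Low).
     NOTE(review): a row showing 0 under All Resources presumably means no resource was evaluated for that
     control, not that the control passed; confirm against the scanner's status output before reading it as clean.
     Fixes over the original markup: each row had a duplicated closing tr tag, and tbody was re-opened
     instead of closed before the end of the table. -->
<table>
  <thead>
    <tr>
      <th class="controlSeverityCell" scope="col">Severity</th>
      <th class="controlNameCell" scope="col">Control Name</th>
      <th class="controlRiskCell" scope="col">Failed Resources</th>
      <th class="controlRiskCell" scope="col">All Resources</th>
      <th class="controlRiskCell" scope="col">Risk Score, %</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td class="controlSeverityCell">Critical</td>
      <td class="controlNameCell">API server insecure port is enabled</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Critical</td>
      <td class="controlNameCell">CVE-2022-39328-grafana-auth-bypass</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Critical</td>
      <td class="controlNameCell">Disable anonymous access to Kubelet service</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Critical</td>
      <td class="controlNameCell">Enforce Kubelet client TLS authentication</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Applications credentials in configuration files</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">43</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">CVE-2022-23648-containerd-fs-escape</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">CVE-2022-47633-kyverno-signature-bypass</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Forbidden Container Registries</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Host PID/IPC privileges</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">HostNetwork access</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">HostPath mount</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Insecure capabilities</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Instance Metadata API</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">List Kubernetes secrets</td>
      <td class="controlRiskCell numericCell">3</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">4</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Privileged container</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">RBAC enabled</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Resource limits</td>
      <td class="controlRiskCell numericCell">7</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">44</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Resources CPU limit and request</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Resources memory limit and request</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Workloads with Critical vulnerabilities exposed to external traffic</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Workloads with RCE vulnerabilities exposed to external traffic</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">High</td>
      <td class="controlNameCell">Writable hostPath mount</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Access container service account</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">46</td>
      <td class="controlRiskCell numericCell">2</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Allow privilege escalation</td>
      <td class="controlRiskCell numericCell">4</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">30</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Audit logs enabled</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">100</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Automatic mapping of service account</td>
      <td class="controlRiskCell numericCell">4</td>
      <td class="controlRiskCell numericCell">62</td>
      <td class="controlRiskCell numericCell">10</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">CVE-2021-25741 - Using symlink for arbitrary host file system access.</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">CVE-2022-0185-linux-kernel-container-escape</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">CVE-2022-24348-argocddirtraversal</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Cluster internal networking</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">5</td>
      <td class="controlRiskCell numericCell">20</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Cluster-admin binding</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Configured liveness probe</td>
      <td class="controlRiskCell numericCell">7</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">44</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Container hostPort</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Containers mounting Docker socket</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">CoreDNS poisoning</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">1</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Data Destruction</td>
      <td class="controlRiskCell numericCell">2</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">3</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Delete Kubernetes events</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Exec into container</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Exposed sensitive interfaces</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Images from allowed registry</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Ingress and Egress blocked</td>
      <td class="controlRiskCell numericCell">7</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">44</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Linux hardening</td>
      <td class="controlRiskCell numericCell">7</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">44</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Malicious admission controller (mutating)</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Mount service principal</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">No impersonation</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Non-root containers</td>
      <td class="controlRiskCell numericCell">4</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">30</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Portforwarding privileges</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">74</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Secret/ETCD encryption enabled</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">100</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Sudo in container entrypoint</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Medium</td>
      <td class="controlNameCell">Workloads with excessive amount of vulnerabilities</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Access Kubernetes dashboard</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">93</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Configured readiness probe</td>
      <td class="controlRiskCell numericCell">7</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">44</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Image pull policy on latest tag</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Immutable container filesystem</td>
      <td class="controlRiskCell numericCell">4</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">30</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">K8s common labels usage</td>
      <td class="controlRiskCell numericCell">5</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">34</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Kubernetes CronJob</td>
      <td class="controlRiskCell numericCell">5</td>
      <td class="controlRiskCell numericCell">5</td>
      <td class="controlRiskCell numericCell">100</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Label usage for resources</td>
      <td class="controlRiskCell numericCell">3</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">14</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Malicious admission controller (validating)</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Naked PODs</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">31</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Network mapping</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">5</td>
      <td class="controlRiskCell numericCell">20</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">PSP enabled</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">100</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">Pods in default namespace</td>
      <td class="controlRiskCell numericCell">2</td>
      <td class="controlRiskCell numericCell">19</td>
      <td class="controlRiskCell numericCell">20</td>
    </tr>
    <tr>
      <td class="controlSeverityCell">Low</td>
      <td class="controlNameCell">SSH server running inside container</td>
      <td class="controlRiskCell numericCell">0</td>
      <td class="controlRiskCell numericCell">1</td>
      <td class="controlRiskCell numericCell">0</td>
    </tr>
  </tbody>
</table>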
|
|
|
|
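<!-- br is a void element; the closing-tag form used originally is a parse error. -->
<br>
<!-- Per-resource findings follow: one heading, identity block and table per scanned object. -->
<h2>Failed Resources</h2>
<br>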
|
|
|
|
|
|
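<!-- Findings for one scanned object. The original closed a div that was never opened;
     the section wrapper makes the grouping explicit and balanced. -->
<section>
  <h3>Name: kubescape</h3>
  <p>ApiVersion: v1</p>
  <p>Kind: Namespace</p>
  <p>Name: kubescape</p>
  <!-- Namespace is empty in the source report for this object. -->
  <p>Namespace: </p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell" scope="col">Severity</th>
        <th class="resourceNameCell" scope="col">Name</th>
        <th class="resourceURLCell" scope="col">Docs</th>
        <th class="resourceRemediationCell" scope="col">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Network mapping</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0049/">C-0049</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Cluster internal networking</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0054/">C-0054</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
    </tbody>
  </table>
</section>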
|
|
|
|
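<!-- Findings for one scanned object. The original closed a div that was never opened;
     the section wrapper makes the grouping explicit and balanced.
     Assisted Remediation lists manifest field paths; YOUR_VALUE appears where the report gives no
     concrete value (presumably left for the operator to choose; confirm against the control docs). -->
<section>
  <h3>Name: nginx-1</h3>
  <p>ApiVersion: apps/v1</p>
  <p>Kind: Deployment</p>
  <p>Name: nginx-1</p>
  <p>Namespace: default</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell" scope="col">Severity</th>
        <th class="resourceNameCell" scope="col">Name</th>
        <th class="resourceURLCell" scope="col">Docs</th>
        <th class="resourceRemediationCell" scope="col">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Allow privilege escalation</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0016/">C-0016</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Non-root containers</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0013/">C-0013</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p>
          <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Automatic mapping of service account</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0034/">C-0034</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.automountServiceAccountToken=false</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">K8s common labels usage</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0077/">C-0077</a></td>
        <td class="resourceRemediationCell">
          <p>metadata.labels=YOUR_VALUE</p>
          <p>spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Pods in default namespace</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0061/">C-0061</a></td>
        <td class="resourceRemediationCell">
          <p>metadata.namespace</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Immutable container filesystem</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0017/">C-0017</a></td>
        <td class="resourceRemediationCell">
          <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>
        </td>
      </tr>
    </tbody>
  </table>
</section>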
|
|
|
|
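<!-- Findings for one scanned object. The original closed a div that was never opened;
     the section wrapper makes the grouping explicit and balanced. -->
<section>
  <h3>Name: kubescape-sneeffer-service-account</h3>
  <!-- ApiVersion is empty in the source report for this entry. -->
  <p>ApiVersion: </p>
  <p>Kind: ServiceAccount</p>
  <p>Name: kubescape-sneeffer-service-account</p>
  <p>Namespace: default</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell" scope="col">Severity</th>
        <th class="resourceNameCell" scope="col">Name</th>
        <th class="resourceURLCell" scope="col">Docs</th>
        <th class="resourceRemediationCell" scope="col">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Access container service account</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0053/">C-0053</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
    </tbody>
  </table>
</section>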
|
|
|
|
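<!-- Findings for one scanned object. The original closed a div that was never opened;
     the section wrapper makes the grouping explicit and balanced. -->
<section>
  <h3>Name: kubescape-sneeffer-service-account</h3>
  <p>ApiVersion: v1</p>
  <p>Kind: ServiceAccount</p>
  <p>Name: kubescape-sneeffer-service-account</p>
  <p>Namespace: default</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell" scope="col">Severity</th>
        <th class="resourceNameCell" scope="col">Name</th>
        <th class="resourceURLCell" scope="col">Docs</th>
        <th class="resourceRemediationCell" scope="col">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Automatic mapping of service account</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0034/">C-0034</a></td>
        <td class="resourceRemediationCell">
          <p>automountServiceAccountToken=false</p>
        </td>
      </tr>
    </tbody>
  </table>
</section>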
|
|
|
|
<h3>Name: nginx</h3>
|
|
<p>ApiVersion: apps/v1</p>
|
|
<p>Kind: Deployment</p>
|
|
<p>Name: nginx</p>
|
|
<p>Namespace: default</p>
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th class="resourceSeverityCell">Severity</th>
|
|
<th class="resourceNameCell">Name</th>
|
|
<th class="resourceURLCell">Docs</th>
|
|
<th class="resourceRemediationCell">Assisted Remediation</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">Medium</td>
|
|
<td class="resourceNameCell">Allow privilege escalation</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0016/">C-0016</a></td>
|
|
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">Medium</td>
|
|
<td class="resourceNameCell">Ingress and Egress blocked</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
|
|
<td class="resourceRemediationCell"></td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">High</td>
|
|
<td class="resourceNameCell">Resource limits</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
|
|
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">Low</td>
|
|
<td class="resourceNameCell">Configured readiness probe</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
|
|
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">Medium</td>
|
|
<td class="resourceNameCell">Non-root containers</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0013/">C-0013</a></td>
|
|
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td class="resourceSeverityCell">Medium</td>
|
|
<td class="resourceNameCell">Automatic mapping of service account</td>
|
|
<td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0034/">C-0034</a></td>
|
|
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
|
|
</tr>
|
|
|
|
<tr>
  <!-- C-0055 finding; three securityContext fields are listed, each with the YOUR_VALUE placeholder. -->
  <td class="resourceSeverityCell">Medium</td>
  <td class="resourceNameCell">Linux hardening</td>
  <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
  <td class="resourceRemediationCell">
    <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
    <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
    <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
  </td>
</tr>
<tr>
  <!-- C-0056 finding; YOUR_VALUE is the report's placeholder for the probe definition. -->
  <td class="resourceSeverityCell">Medium</td>
  <td class="resourceNameCell">Configured liveness probe</td>
  <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
  <td class="resourceRemediationCell">
    <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
  </td>
</tr>
<tr>
  <!-- C-0077 finding; labels are requested on both the workload and its pod template. -->
  <td class="resourceSeverityCell">Low</td>
  <td class="resourceNameCell">K8s common labels usage</td>
  <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0077/">C-0077</a></td>
  <td class="resourceRemediationCell">
    <p>metadata.labels=YOUR_VALUE</p>
    <p>spec.template.metadata.labels=YOUR_VALUE</p>
  </td>
</tr>
<tr>
  <!-- C-0061 finding; the path is given without a value, so the report names the field but not a namespace to use. -->
  <td class="resourceSeverityCell">Low</td>
  <td class="resourceNameCell">Pods in default namespace</td>
  <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0061/">C-0061</a></td>
  <td class="resourceRemediationCell">
    <p>metadata.namespace</p>
  </td>
</tr>
<tr>
  <!-- C-0017 finding; the suggested value applies to the securityContext of containers[0]. -->
  <td class="resourceSeverityCell">Low</td>
  <td class="resourceNameCell">Immutable container filesystem</td>
  <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0017/">C-0017</a></td>
  <td class="resourceRemediationCell">
    <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>
  </td>
</tr>
</tbody>
</table>
</div>
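<div>
  <!-- Findings for the Pod kube-apiserver-dwertent in kube-system; this div groups the resource header with its findings table. -->
  <h3>Name: kube-apiserver-dwertent</h3>
  <p>ApiVersion: v1</p>
  <p>Kind: Pod</p>
  <p>Name: kube-apiserver-dwertent</p>
  <p>Namespace: kube-system</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- C-0067 and C-0066 point at the container's whole command list and carry no suggested value; the report does not say which argument is missing. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Audit logs enabled</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0067/">C-0067</a></td>
        <td class="resourceRemediationCell">
          <p>spec.containers[0].command</p>
        </td>
      </tr>
      <!-- NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25. The cluster version is not shown in this section, so confirm it before acting on C-0068. -->
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">PSP enabled</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0068/">C-0068</a></td>
        <td class="resourceRemediationCell">
          <p>spec.containers[0].command[5]</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Secret/ETCD encryption enabled</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0066/">C-0066</a></td>
        <td class="resourceRemediationCell">
          <p>spec.containers[0].command</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>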
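<div>
  <!-- Findings for the ServiceAccount kubescape-sa in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: kubescape-sa</h3>
  <!-- NOTE(review): ApiVersion is rendered empty for this resource. -->
  <p>ApiVersion: </p>
  <p>Kind: ServiceAccount</p>
  <p>Name: kubescape-sa</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The paths point into relatedObjects rather than the ServiceAccount itself: relatedObjects[0] carries subjects and roleRef, which matches an RBAC binding, and relatedObjects[1] carries rules, which matches a role. The report neither names those objects nor suggests replacement values. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Data Destruction</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0007/">C-0007</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[1].resources[1]</p>
          <p>relatedObjects[1].rules[1].verbs[0]</p>
          <p>relatedObjects[1].rules[1].apiGroups[0]</p>
          <p>relatedObjects[1].rules[1].apiGroups[1]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">List Kubernetes secrets</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0015/">C-0015</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[0].resources[0]</p>
          <p>relatedObjects[1].rules[0].verbs[0]</p>
          <p>relatedObjects[1].rules[0].verbs[1]</p>
          <p>relatedObjects[1].rules[0].verbs[3]</p>
          <p>relatedObjects[1].rules[0].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>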
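<div>
  <!-- Findings for the ServiceAccount default in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: default</h3>
  <p>ApiVersion: v1</p>
  <p>Kind: ServiceAccount</p>
  <p>Name: default</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- Here the suggested value is a top-level field of the ServiceAccount object itself. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Automatic mapping of service account</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0034/">C-0034</a></td>
        <td class="resourceRemediationCell">
          <p>automountServiceAccountToken=false</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>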
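<div>
  <!-- Findings for the CronJob kubescape-registry-scan-1809488850697420828 in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: kubescape-registry-scan-1809488850697420828</h3>
  <p>ApiVersion: batch/v1</p>
  <p>Kind: CronJob</p>
  <p>Name: kubescape-registry-scan-1809488850697420828</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The C-0030 and C-0026 rows have an empty remediation cell: no assisted remediation path is given for them. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Kubernetes CronJob</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0026/">C-0026</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Label usage for resources</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0076/">C-0076</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">K8s common labels usage</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0077/">C-0077</a></td>
        <td class="resourceRemediationCell">
          <p>metadata.labels=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>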
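<div>
  <!-- Findings for the CronJob kubescape-scheduler in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: kubescape-scheduler</h3>
  <p>ApiVersion: batch/v1</p>
  <p>Kind: CronJob</p>
  <p>Name: kubescape-scheduler</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- allowPrivilegeEscalation=false is suggested twice in this table, under C-0016 and again under C-0013. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Allow privilege escalation</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0016/">C-0016</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <!-- The C-0030 and C-0026 rows have an empty remediation cell: no assisted remediation path is given for them. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Kubernetes CronJob</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0026/">C-0026</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Non-root containers</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0013/">C-0013</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Immutable container filesystem</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0017/">C-0017</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>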
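<div>
  <!-- Findings for the ServiceAccount ks-sa in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: ks-sa</h3>
  <!-- NOTE(review): ApiVersion is rendered empty for this resource. -->
  <p>ApiVersion: </p>
  <p>Kind: ServiceAccount</p>
  <p>Name: ks-sa</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The paths point into relatedObjects rather than the ServiceAccount itself: relatedObjects[0] carries subjects and roleRef, which matches an RBAC binding, and relatedObjects[1] carries rules, which matches a role. The report neither names those objects nor suggests replacement values. -->
      <!-- In the C-0007 and C-0015 cells, subjects[0] and roleRef.name are listed twice, once after each flagged rule. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Data Destruction</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0007/">C-0007</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[1].resources[0]</p>
          <p>relatedObjects[1].rules[1].verbs[0]</p>
          <p>relatedObjects[1].rules[1].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
          <p>relatedObjects[1].rules[2].resources[1]</p>
          <p>relatedObjects[1].rules[2].verbs[0]</p>
          <p>relatedObjects[1].rules[2].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">CoreDNS poisoning</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0037/">C-0037</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[2].resources[0]</p>
          <p>relatedObjects[1].rules[2].verbs[0]</p>
          <p>relatedObjects[1].rules[2].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">List Kubernetes secrets</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0015/">C-0015</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[0].resources[0]</p>
          <p>relatedObjects[1].rules[0].verbs[0]</p>
          <p>relatedObjects[1].rules[0].verbs[1]</p>
          <p>relatedObjects[1].rules[0].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
          <p>relatedObjects[1].rules[2].resources[1]</p>
          <p>relatedObjects[1].rules[2].verbs[0]</p>
          <p>relatedObjects[1].rules[2].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>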
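<div>
  <!-- Findings for the CronJob ks-scheduled-scan-armobest-1968464821027741247 in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: ks-scheduled-scan-armobest-1968464821027741247</h3>
  <p>ApiVersion: batch/v1</p>
  <p>Kind: CronJob</p>
  <p>Name: ks-scheduled-scan-armobest-1968464821027741247</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The C-0030 and C-0026 rows have an empty remediation cell: no assisted remediation path is given for them. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Kubernetes CronJob</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0026/">C-0026</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Label usage for resources</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0076/">C-0076</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">K8s common labels usage</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0077/">C-0077</a></td>
        <td class="resourceRemediationCell">
          <p>metadata.labels=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>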
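<div>
  <!-- Findings for the CronJob ks-scheduled-scan-cis-v1-23-t1-0-1-70343785476262573 in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: ks-scheduled-scan-cis-v1-23-t1-0-1-70343785476262573</h3>
  <p>ApiVersion: batch/v1</p>
  <p>Kind: CronJob</p>
  <p>Name: ks-scheduled-scan-cis-v1-23-t1-0-1-70343785476262573</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The C-0030 and C-0026 rows have an empty remediation cell: no assisted remediation path is given for them. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Kubernetes CronJob</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0026/">C-0026</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Label usage for resources</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0076/">C-0076</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">K8s common labels usage</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0077/">C-0077</a></td>
        <td class="resourceRemediationCell">
          <p>metadata.labels=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>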
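<div>
  <!-- Findings for the ServiceAccount ks-sa in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: ks-sa</h3>
  <!-- NOTE(review): ApiVersion is rendered empty for this resource. -->
  <p>ApiVersion: </p>
  <p>Kind: ServiceAccount</p>
  <p>Name: ks-sa</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- The paths point into relatedObjects rather than the ServiceAccount itself: relatedObjects[0] carries subjects and roleRef, which matches an RBAC binding, and relatedObjects[1] carries rules, which matches a role. The report neither names those objects nor suggests replacement values. -->
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">List Kubernetes secrets</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0015/">C-0015</a></td>
        <td class="resourceRemediationCell">
          <p>relatedObjects[1].rules[0].resources[0]</p>
          <p>relatedObjects[1].rules[0].verbs[0]</p>
          <p>relatedObjects[1].rules[0].verbs[1]</p>
          <p>relatedObjects[1].rules[0].verbs[2]</p>
          <p>relatedObjects[1].rules[0].apiGroups[0]</p>
          <p>relatedObjects[0].subjects[0]</p>
          <p>relatedObjects[0].roleRef.name</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>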
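<div>
  <!-- Findings for the CronJob kubevuln-scheduler in namespace kubescape; this div groups the resource header with its findings table. -->
  <h3>Name: kubevuln-scheduler</h3>
  <p>ApiVersion: batch/v1</p>
  <p>Kind: CronJob</p>
  <p>Name: kubevuln-scheduler</p>
  <p>Namespace: kubescape</p>
  <table>
    <thead>
      <tr>
        <th class="resourceSeverityCell">Severity</th>
        <th class="resourceNameCell">Name</th>
        <th class="resourceURLCell">Docs</th>
        <th class="resourceRemediationCell">Assisted Remediation</th>
      </tr>
    </thead>
    <tbody>
      <!-- allowPrivilegeEscalation=false is suggested twice in this table, under C-0016 and again under C-0013. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Allow privilege escalation</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0016/">C-0016</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <!-- The C-0030 and C-0026 rows have an empty remediation cell: no assisted remediation path is given for them. -->
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Ingress and Egress blocked</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0030/">C-0030</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">High</td>
        <td class="resourceNameCell">Resource limits</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0009/">C-0009</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Configured readiness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0018/">C-0018</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Kubernetes CronJob</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0026/">C-0026</a></td>
        <td class="resourceRemediationCell"></td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Non-root containers</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0013/">C-0013</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Linux hardening</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0055/">C-0055</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p>
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Medium</td>
        <td class="resourceNameCell">Configured liveness probe</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0056/">C-0056</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p>
        </td>
      </tr>
      <tr>
        <td class="resourceSeverityCell">Low</td>
        <td class="resourceNameCell">Immutable container filesystem</td>
        <td class="resourceURLCell"><a href="https://kubescape.io/docs/controls/c-0017/">C-0017</a></td>
        <td class="resourceRemediationCell">
          <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p>
        </td>
      </tr>
    </tbody>
  </table>
</div>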
</body>
</html>