diff --git a/docs/content/en/integrations/parsers/file/kubescape.md b/docs/content/en/integrations/parsers/file/kubescape.md
new file mode 100644
index 00000000000..ba32f1dc10b
--- /dev/null
+++ b/docs/content/en/integrations/parsers/file/kubescape.md
@@ -0,0 +1,11 @@
+---
+title: "Kubescape Scanner"
+toc_hide: true
+---
+Kubescape is a K8s open-source tool providing a Kubernetes single pane of glass, including risk analysis, security compliance, RBAC visualizer, and image vulnerability scanning. Kubescape scans K8s clusters, YAML files, and HELM charts, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CKĀ®), software vulnerabilities, and RBAC (role-based-access-control) violations at early stages of the CI/CD pipeline, calculates risk score instantly and shows risk trends over time.
+
+Sample File
+it support json and junit xml format file
+
+### Sample Scan Data
+Sample Kubescape scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/kubescape).
\ No newline at end of file
diff --git a/dojo/tools/kubescape/__init__.py b/dojo/tools/kubescape/__init__.py
new file mode 100644
index 00000000000..3ad798a42b3
--- /dev/null
+++ b/dojo/tools/kubescape/__init__.py
@@ -0,0 +1 @@
+__author__ = "manuel-sommer"
diff --git a/dojo/tools/kubescape/parser.py b/dojo/tools/kubescape/parser.py
new file mode 100644
index 00000000000..8e4669a93b6
--- /dev/null
+++ b/dojo/tools/kubescape/parser.py
@@ -0,0 +1,33 @@
+import json
+from dojo.models import Endpoint, Finding
+
+
+class KubescapeParser(object):
+    def get_scan_types(self):
+        return ["Kubescape JSON Importer"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type  # no custom label for now
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Import result of Kubescape JSON output."
+
+    def get_findings(self, filename, test):
+        findings = []
+        try:
+            data = json.load(filename)
+        except ValueError:
+            data = {}
+        i=0
+        for resource in data["resources"]:
+            resourceid = resource["resourceID"]
+            results = ([each for each in data["results"] if each.get('resourceID') == resourceid])
+            """TODO, PARSE THE RIGHT VALUES INTO THE FINDING"""
+            i+=1
+            find = Finding(title="title"+str(i),
+                           test=test,
+                           description="message",
+                           severity="High",
+                           static_finding=False)
+            findings.append(find)
+        return findings
diff --git a/unittests/scans/kubescape/many_findings.json b/unittests/scans/kubescape/many_findings.json
new file mode 100644
index 00000000000..9e14172b497
--- /dev/null
+++ b/unittests/scans/kubescape/many_findings.json
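Review bot: In get_findings the `except ValueError: data = {}` fallback does not make a malformed upload safe, because the loop that follows indexes `data["resources"]` and `data["results"]` and raises KeyError on the empty dict, and likewise on any report that lacks either key. Use `data.get("resources", [])` / `data.get("results", [])` so an empty or partial report yields no findings rather than a 500, and build a lookup keyed by `resourceID` once before the loop instead of re-scanning every result per resource. As written `results` is never read, the triple-quoted TODO is an expression statement rather than a comment, and every resource becomes a placeholder finding with title `"title"+str(i)`, description `"message"` and severity `"High"`, so an import creates findings that carry none of the scan's content; `Endpoint` is also imported but unused. The `results` entry schema is not visible in this diff beyond the `resourceID` key the hunk itself reads, so the lookup shape below should be confirmed against the sample file.
```python
    def get_findings(self, filename, test):
        findings = []
        try:
            data = json.load(filename)
        except ValueError:
            data = {}
        # Index results once so each resource costs a single lookup and a
        # report without "results"/"resources" simply yields no findings.
        results_by_resource = {}
        for result in data.get("results", []):
            results_by_resource.setdefault(result.get("resourceID"), []).append(result)
        for resource in data.get("resources", []):
            results = results_by_resource.get(resource.get("resourceID"), [])
            # … unchanged: Finding construction (still placeholder values, see note) …
        return findings
```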
@@ -0,0 +1,34566 @@ +{ + "generationTime": "2022-11-02T07:55:55.697021698Z", + "metadata": { + "targetMetadata": {}, + "clusterMetadata": {}, + "scanMetadata": {} + }, + "clusterAPIServerInfo": null, + "customerGUID": "", + "clusterName": "", + "clusterCloudProvider": "", + "reportGUID": "", + "jobID": "", + "resources": [ + { + "resourceID": "path=1881121400/api=apps/v1//Deployment/paymentservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "paymentservice" + }, + "sourcePath": "examples/online-boutique/paymentservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "paymentservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "paymentservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "paymentservice", + "ports": [ + { + "containerPort": 50051 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:50051" + ] + } + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:50051" + ] + } + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/paymentservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=2686782197/api=apps/v1//Deployment/recommendationservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "recommendationservice" + }, + "sourcePath": "examples/online-boutique/recommendationservice.yaml", + 
"spec": { + "selector": { + "matchLabels": { + "app": "recommendationservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "recommendationservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "recommendationservice", + "ports": [ + { + "containerPort": 8080 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + }, + { + "name": "PRODUCT_CATALOG_SERVICE_ADDR", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "450Mi" + }, + "requests": { + "cpu": "100m", + "memory": "220Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:8080" + ] + }, + "periodSeconds": 5 + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:8080" + ] + }, + "periodSeconds": 5 + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/recommendationservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "name": "kubescape-discovery-role-binding" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "kubescape-discovery-clusterroles" + }, + "sourcePath": 
"httphandler/examples/prometheus/ks-deployment.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "name": "kubescape-discovery-clusterroles" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml" + } + ] + } + }, + { + "resourceID": "//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "RoleBinding", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "-kubescape" + }, + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": 
"/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml" + } + ] + } + }, + { + "resourceID": "path=1161725811/api=apps/v1//Deployment/adservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "adservice" + }, + "sourcePath": "examples/online-boutique/adservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "adservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "adservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "adservice", + "ports": [ + { + "containerPort": 9555 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "300m", + "memory": "300Mi" + }, + "requests": { + "cpu": "200m", + "memory": "180Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:9555" + ] + }, + "initialDelaySeconds": 20, + "periodSeconds": 15 + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:9555" + ] + }, + "initialDelaySeconds": 20, + "periodSeconds": 15 + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/adservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=3591976602/api=apps/v1/kubescape/Deployment/kubescape", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "spec": { + "replicas": 1, + "selector": { + "matchLabels": { + "app": "kubescape" + } + }, + "template": { + "metadata": { 
+ "labels": { + "app": "kubescape" + } + }, + "spec": { + "containers": [ + { + "name": "kubescape", + "image": "quay.io/kubescape/kubescape:latest", + "command": [ + "ksserver" + ], + "ports": [ + { + "name": "http", + "containerPort": 8080, + "protocol": "TCP" + } + ], + "env": [ + { + "name": "KS_DEFAULT_CONFIGMAP_NAMESPACE", + "value": "XXXXXX", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "KS_SKIP_UPDATE_CHECK", + "value": "XXXXXX" + }, + { + "name": "KS_ENABLE_HOST_SCANNER", + "value": "XXXXXX" + }, + { + "name": "KS_DOWNLOAD_ARTIFACTS", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "500Mi" + }, + "requests": { + "cpu": "10m", + "memory": "100Mi" + } + }, + "livenessProbe": { + "httpGet": { + "path": "/livez", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3 + }, + "readinessProbe": { + "httpGet": { + "path": "/readyz", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3 + }, + "imagePullPolicy": "Always" + } + ], + "serviceAccountName": "kubescape-discovery" + } + } + } + }, + "source": { + "relativePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=2924266659/api=apps/v1//Deployment/frontend", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "frontend" + }, + "sourcePath": "examples/online-boutique/frontend.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "frontend" + } + }, + "template": { + "metadata": { + "annotations": { + "sidecar.istio.io/rewriteAppHTTPProbers": "true" + }, + "labels": { + "app": "frontend" + } + }, + "spec": { 
+ "containers": [ + { + "name": "server", + "image": "frontend", + "ports": [ + { + "containerPort": 8080 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + }, + { + "name": "PRODUCT_CATALOG_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "CURRENCY_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "CART_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "RECOMMENDATION_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "SHIPPING_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "CHECKOUT_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "AD_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "ENV_PLATFORM", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "httpGet": { + "path": "/_healthz", + "port": 8080, + "httpHeaders": [ + { + "name": "Cookie", + "value": "shop_session-id=x-liveness-probe" + } + ] + }, + "initialDelaySeconds": 10 + }, + "readinessProbe": { + "httpGet": { + "path": "/_healthz", + "port": 8080, + "httpHeaders": [ + { + "name": "Cookie", + "value": "shop_session-id=x-readiness-probe" + } + ] + }, + "initialDelaySeconds": 10 + } + } + ], + "serviceAccountName": "default" + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/frontend.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=1644445903/api=apps/v1/kubescape/Deployment/kubescape", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml", + "spec": { + "replicas": 1, + 
"selector": { + "matchLabels": { + "app": "kubescape" + } + }, + "template": { + "metadata": { + "labels": { + "app": "kubescape" + } + }, + "spec": { + "containers": [ + { + "name": "kubescape", + "image": "quay.io/kubescape/kubescape:latest", + "command": [ + "ksserver" + ], + "ports": [ + { + "name": "http", + "containerPort": 8080, + "protocol": "TCP" + } + ], + "env": [ + { + "name": "KS_DEFAULT_CONFIGMAP_NAMESPACE", + "value": "XXXXXX", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "KS_SKIP_UPDATE_CHECK", + "value": "XXXXXX" + }, + { + "name": "KS_ENABLE_HOST_SCANNER", + "value": "XXXXXX" + }, + { + "name": "KS_DOWNLOAD_ARTIFACTS", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "500Mi" + }, + "requests": { + "cpu": "10m", + "memory": "100Mi" + } + }, + "livenessProbe": { + "httpGet": { + "path": "/livez", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3 + }, + "readinessProbe": { + "httpGet": { + "path": "/readyz", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3 + }, + "imagePullPolicy": "Always" + } + ], + "serviceAccountName": "kubescape-discovery" + } + } + } + }, + "source": { + "relativePath": "httphandler/examples/microservice/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery", + "object": { + "apiVersion": "v1", + "kind": "ServiceAccount", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape-discovery", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml" + }, + "source": { + 
"relativePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=3919891740/api=/v1//ServiceAccount/kubescape-discovery", + "object": { + "apiVersion": "v1", + "kind": "ServiceAccount", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "kubescape-discovery" + }, + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/serviceaccount.yaml" + }, + "source": { + "relativePath": "examples/helm_chart/templates/serviceaccount.yaml", + "fileType": "Helm Chart", + "helmChartName": "kubescape", + "lastCommit": { + "hash": "57160c4d0498c93bdba6e25b3f8cae8158cb5674", + "date": "2021-11-07T21:17:45+02:00", + "committerName": "Yonah Dissen", + "committerEmail": "ydissen@vmware.com", + "message": "add helm chart to deploy kubescape in cluster\n" + } + } + }, + { + "resourceID": "path=423865324/api=/v1//Service/productcatalogservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "productcatalogservice" + }, + "sourcePath": "examples/online-boutique/productcatalogservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 3550, + "targetPort": 3550 + } + ], + "selector": { + "app": "productcatalogservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/productcatalogservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": 
"dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=4115069426/api=/v1//Service/emailservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "emailservice" + }, + "sourcePath": "examples/online-boutique/emailservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 5000, + "targetPort": 8080 + } + ], + "selector": { + "app": "emailservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/emailservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape", + "object": { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "RoleBinding", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "-kubescape" + }, + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "" + } + ] + }, + "source": { + "relativePath": "examples/helm_chart/templates/rolebinding.yaml", + "fileType": "Helm Chart", + "helmChartName": "kubescape", + "lastCommit": { + "hash": "57160c4d0498c93bdba6e25b3f8cae8158cb5674", + "date": "2021-11-07T21:17:45+02:00", + "committerName": "Yonah Dissen", + "committerEmail": "ydissen@vmware.com", + "message": "add helm chart to deploy kubescape in cluster\n" + } + } + }, + { + "resourceID": 
"path=4285981016/api=/v1//Service/cartservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "cartservice" + }, + "sourcePath": "examples/online-boutique/cartservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 7070, + "targetPort": 7070 + } + ], + "selector": { + "app": "cartservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/cartservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=1966984206/api=apps/v1//Deployment/redis-cart", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "redis-cart" + }, + "sourcePath": "examples/online-boutique/redis.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "redis-cart" + } + }, + "template": { + "metadata": { + "labels": { + "app": "redis-cart" + } + }, + "spec": { + "containers": [ + { + "name": "redis", + "image": "redis:alpine", + "ports": [ + { + "containerPort": 6379 + } + ], + "resources": { + "limits": { + "cpu": "125m", + "memory": "256Mi" + }, + "requests": { + "cpu": "70m", + "memory": "200Mi" + } + }, + "volumeMounts": [ + { + "name": "redis-data", + "mountPath": "/data" + } + ], + "livenessProbe": { + "tcpSocket": { + "port": 6379 + }, + "periodSeconds": 5 + }, + "readinessProbe": { + "tcpSocket": { + "port": 6379 + }, + "periodSeconds": 5 + } + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "redis-data" + } + ] + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/redis.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + 
"message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=4285981016/api=apps/v1//Deployment/cartservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "cartservice" + }, + "sourcePath": "examples/online-boutique/cartservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "cartservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "cartservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "cartservice", + "ports": [ + { + "containerPort": 7070 + } + ], + "env": [ + { + "name": "REDIS_ADDR", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "300m", + "memory": "128Mi" + }, + "requests": { + "cpu": "200m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:7070", + "-rpc-timeout=5s" + ] + }, + "initialDelaySeconds": 15, + "periodSeconds": 10 + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:7070", + "-rpc-timeout=5s" + ] + }, + "initialDelaySeconds": 15 + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/cartservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner", + "object": { + "apiVersion": "apps/v1", + "kind": "DaemonSet", + "metadata": { + "labels": { + "app": "host-scanner", + "k8s-app": "kubescape-host-scanner" + }, + "name": "host-scanner", + "namespace": "kubescape-host-scanner" + }, + "sourcePath": "core/pkg/hostsensorutils/hostsensor.yaml", + "spec": { + "selector": { + "matchLabels": { + "name": 
"host-scanner" + } + }, + "template": { + "metadata": { + "labels": { + "name": "host-scanner" + } + }, + "spec": { + "automountServiceAccountToken": false, + "containers": [ + { + "name": "host-sensor", + "image": "quay.io/kubescape/host-scanner:v1.0.32", + "ports": [ + { + "name": "scanner", + "hostPort": 7888, + "containerPort": 7888, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100u", + "memory": "200Mi" + }, + "requests": { + "cpu": "1m", + "memory": "200Mi" + } + }, + "volumeMounts": [ + { + "name": "host-filesystem", + "mountPath": "/host_fs" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/kernelVersion", + "port": 7888 + } + }, + "securityContext": { + "privileged": true, + "readOnlyRootFilesystem": true, + "procMount": "Unmasked" + } + } + ], + "dnsPolicy": "ClusterFirstWithHostNet", + "hostIPC": true, + "hostNetwork": true, + "hostPID": true, + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/", + "type": "Directory" + }, + "name": "host-filesystem" + } + ] + } + } + } + }, + "source": { + "relativePath": "core/pkg/hostsensorutils/hostsensor.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "dc2c6f8a215e297bf65501000243cb172e1a5563", + "date": "2022-10-26T11:40:28+03:00", + "committerName": "YiscahLevySilas1", + "committerEmail": "80635572+YiscahLevySilas1@users.noreply.github.com", + "message": "update hostsensor version" + } + } + }, + { + "resourceID": "//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "", + 
"relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "-kubescape" + }, + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/clusterrolebinding.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml" + } + ] + } + }, + { + "resourceID": "path=2451423745/api=/v1//Service/currencyservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "currencyservice" + }, + "sourcePath": "examples/online-boutique/currencyservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 7000, + "targetPort": 7000 + } + ], + "selector": { + "app": "currencyservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/currencyservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } 
+ }, + { + "resourceID": "/kubescape/Deployment/kubescape", + "object": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape", + "relatedObjects": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "spec": { + "ports": [ + { + "name": "http", + "port": 8080, + "protocol": "TCP", + "targetPort": 8080 + } + ], + "selector": { + "app": "kubescape" + }, + "type": "ClusterIP" + } + } + } + }, + { + "resourceID": "path=3591976602/api=/v1/kubescape/Service/kubescape", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "spec": { + "ports": [ + { + "name": "http", + "port": 8080, + "protocol": "TCP", + "targetPort": 8080 + } + ], + "selector": { + "app": "kubescape" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=3015304832/api=/v1//Service/shippingservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "shippingservice" + }, + "sourcePath": "examples/online-boutique/shippingservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 50051, + "targetPort": 50051 + } + ], + "selector": { + "app": "shippingservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/shippingservice.yaml", + "fileType": "YAML", + 
"lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=1161725811/api=/v1//Service/adservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "adservice" + }, + "sourcePath": "examples/online-boutique/adservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 9555, + "targetPort": 9555 + } + ], + "selector": { + "app": "adservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/adservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=3015304832/api=apps/v1//Deployment/shippingservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "shippingservice" + }, + "sourcePath": "examples/online-boutique/shippingservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "shippingservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "shippingservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "shippingservice", + "ports": [ + { + "containerPort": 50051 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:50051" + ] + } + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:50051" + ] + }, + "periodSeconds": 5 + } + } + ], + "serviceAccountName": "default" + } + } 
+ } + }, + "source": { + "relativePath": "examples/online-boutique/shippingservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=1644445903/api=/v1/kubescape/Service/kubescape", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml", + "spec": { + "ports": [ + { + "name": "http", + "port": 8080, + "protocol": "TCP", + "targetPort": 8080 + } + ], + "selector": { + "app": "kubescape" + }, + "type": "NodePort" + } + }, + "source": { + "relativePath": "httphandler/examples/microservice/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=1881121400/api=/v1//Service/paymentservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "paymentservice" + }, + "sourcePath": "examples/online-boutique/paymentservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 50051, + "targetPort": 50051 + } + ], + "selector": { + "app": "paymentservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/paymentservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": 
"path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape", + "object": { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "Role", + "metadata": { + "labels": { + "app.kubernetes.io/instance": null, + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kubescape", + "app.kubernetes.io/version": "v1.0.128", + "helm.sh/chart": "kubescape-1.0.0" + }, + "name": "-kubescape" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "/tmp/3387783067/examples/helm_chart/templates/role.yaml" + }, + "source": { + "relativePath": "examples/helm_chart/templates/role.yaml", + "fileType": "Helm Chart", + "helmChartName": "kubescape", + "lastCommit": { + "hash": "57160c4d0498c93bdba6e25b3f8cae8158cb5674", + "date": "2021-11-07T21:17:45+02:00", + "committerName": "Yonah Dissen", + "committerEmail": "ydissen@vmware.com", + "message": "add helm chart to deploy kubescape in cluster\n" + } + } + }, + { + "resourceID": "path=4115069426/api=apps/v1//Deployment/emailservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "emailservice" + }, + "sourcePath": "examples/online-boutique/emailservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "emailservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "emailservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "emailservice", + "ports": [ + { + "containerPort": 8080 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + }, + { + "name": "DISABLE_PROFILER", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:8080" + ] + }, + "periodSeconds": 5 + }, + "readinessProbe": { + "exec": { + "command": [ + 
"/bin/grpc_health_probe", + "-addr=:8080" + ] + }, + "periodSeconds": 5 + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/emailservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=423865324/api=apps/v1//Deployment/productcatalogservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "productcatalogservice" + }, + "sourcePath": "examples/online-boutique/productcatalogservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "productcatalogservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "productcatalogservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "productcatalogservice", + "ports": [ + { + "containerPort": 3550 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:3550" + ] + } + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:3550" + ] + } + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/productcatalogservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": 
"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "name": "kubescape-discovery-role-binding" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "kubescape-discovery-clusterroles" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "name": "kubescape-discovery-clusterroles" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml" + } + ] + } + }, + { + "resourceID": "path=3591976602/api=/v1//Namespace/kubescape", + "object": { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml" + }, + "source": { + "relativePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=4038904612/api=apps/v1//Deployment/loadgenerator", + "object": { + "apiVersion": "apps/v1", + "kind": 
"Deployment", + "metadata": { + "name": "loadgenerator" + }, + "sourcePath": "examples/online-boutique/loadgenerator.yaml", + "spec": { + "replicas": 1, + "selector": { + "matchLabels": { + "app": "loadgenerator" + } + }, + "template": { + "metadata": { + "annotations": { + "sidecar.istio.io/rewriteAppHTTPProbers": "true" + }, + "labels": { + "app": "loadgenerator" + } + }, + "spec": { + "containers": [ + { + "name": "main", + "image": "loadgenerator", + "env": [ + { + "name": "FRONTEND_ADDR", + "value": "XXXXXX" + }, + { + "name": "USERS", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "300m", + "memory": "256Mi" + } + } + } + ], + "restartPolicy": "Always", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/loadgenerator.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=645840794/api=apps/v1//Deployment/checkoutservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "checkoutservice" + }, + "sourcePath": "examples/online-boutique/checkoutservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "checkoutservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "checkoutservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "checkoutservice", + "ports": [ + { + "containerPort": 5050 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + }, + { + "name": "PRODUCT_CATALOG_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "SHIPPING_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "PAYMENT_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + 
"name": "EMAIL_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "CURRENCY_SERVICE_ADDR", + "value": "XXXXXX" + }, + { + "name": "CART_SERVICE_ADDR", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:5050" + ] + } + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:5050" + ] + } + } + } + ], + "serviceAccountName": "default" + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/checkoutservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=4203826079/api=/v1//Namespace/kubescape-host-scanner", + "object": { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "labels": { + "app": "kubescape-host-scanner", + "k8s-app": "kubescape-host-scanner", + "kubernetes.io/metadata.name": "kubescape-host-scanner", + "tier": "kubescape-host-scanner-control-plane" + }, + "name": "kubescape-host-scanner" + }, + "sourcePath": "core/pkg/hostsensorutils/hostsensor.yaml" + }, + "source": { + "relativePath": "core/pkg/hostsensorutils/hostsensor.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "dc2c6f8a215e297bf65501000243cb172e1a5563", + "date": "2022-10-26T11:40:28+03:00", + "committerName": "YiscahLevySilas1", + "committerEmail": "80635572+YiscahLevySilas1@users.noreply.github.com", + "message": "update hostsensor version" + } + } + }, + { + "resourceID": "path=645840794/api=/v1//Service/checkoutservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "checkoutservice" + }, + "sourcePath": 
"examples/online-boutique/checkoutservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 5050, + "targetPort": 5050 + } + ], + "selector": { + "app": "checkoutservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/checkoutservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=2924266659/api=/v1//Service/frontend-external", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "frontend-external" + }, + "sourcePath": "examples/online-boutique/frontend.yaml", + "spec": { + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8080 + } + ], + "selector": { + "app": "frontend" + }, + "type": "LoadBalancer" + } + }, + "source": { + "relativePath": "examples/online-boutique/frontend.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=2924266659/api=/v1//Service/frontend", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "frontend" + }, + "sourcePath": "examples/online-boutique/frontend.yaml", + "spec": { + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8080 + } + ], + "selector": { + "app": "frontend" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/frontend.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml 
input\n" + } + } + }, + { + "resourceID": "path=2451423745/api=apps/v1//Deployment/currencyservice", + "object": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "currencyservice" + }, + "sourcePath": "examples/online-boutique/currencyservice.yaml", + "spec": { + "selector": { + "matchLabels": { + "app": "currencyservice" + } + }, + "template": { + "metadata": { + "labels": { + "app": "currencyservice" + } + }, + "spec": { + "containers": [ + { + "name": "server", + "image": "currencyservice", + "ports": [ + { + "name": "grpc", + "containerPort": 7000 + } + ], + "env": [ + { + "name": "PORT", + "value": "XXXXXX" + } + ], + "resources": { + "limits": { + "cpu": "200m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "livenessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:7000" + ] + } + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/grpc_health_probe", + "-addr=:7000" + ] + } + } + } + ], + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 5 + } + } + } + }, + "source": { + "relativePath": "examples/online-boutique/currencyservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "name": "kubescape-discovery-role-binding" + }, + "roleRef": { + 
"apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "kubescape-discovery-clusterroles" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "name": "kubescape-discovery-clusterroles" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml" + } + ] + } + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "object": { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape", + "relatedObjects": [ + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRoleBinding", + "metadata": { + "name": "kubescape-discovery-role-binding" + }, + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "kubescape-discovery-clusterroles" + }, + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml", + "subjects": [ + { + "kind": "ServiceAccount", + "name": "kubescape-discovery", + "namespace": "kubescape" + } + ] + }, + { + "apiVersion": "rbac.authorization.k8s.io/v1", + "kind": "ClusterRole", + "metadata": { + "name": "kubescape-discovery-clusterroles" + }, + "rules": [ + { + "apiGroups": [ + "*" + ], + "resources": [ + "*" + ], + "verbs": [ + "get", + "list", + "describe" + ] + } + ], + "sourcePath": "httphandler/examples/prometheus/ks-deployment.yaml" + } + ] + } + }, + { + "resourceID": "path=1966984206/api=/v1//Service/redis-cart", + "object": { + "apiVersion": "v1", 
+ "kind": "Service", + "metadata": { + "name": "redis-cart" + }, + "sourcePath": "examples/online-boutique/redis.yaml", + "spec": { + "ports": [ + { + "name": "redis", + "port": 6379, + "targetPort": 6379 + } + ], + "selector": { + "app": "redis-cart" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/redis.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + }, + { + "resourceID": "path=1644445903/api=/v1//Namespace/kubescape", + "object": { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml" + }, + "source": { + "relativePath": "httphandler/examples/microservice/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + } + } + }, + { + "resourceID": "path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery", + "object": { + "apiVersion": "v1", + "kind": "ServiceAccount", + "metadata": { + "labels": { + "app": "kubescape" + }, + "name": "kubescape-discovery", + "namespace": "kubescape" + }, + "sourcePath": "httphandler/examples/microservice/ks-deployment.yaml" + }, + "source": { + "relativePath": "httphandler/examples/microservice/ks-deployment.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb", + "date": "2022-08-23T12:33:48+03:00", + "committerName": "David Wertenteil", + "committerEmail": "dwertent@armosec.io", + "message": "replace armo by kubescape mentioned in urls\n" + 
} + } + }, + { + "resourceID": "path=2686782197/api=/v1//Service/recommendationservice", + "object": { + "apiVersion": "v1", + "kind": "Service", + "metadata": { + "name": "recommendationservice" + }, + "sourcePath": "examples/online-boutique/recommendationservice.yaml", + "spec": { + "ports": [ + { + "name": "grpc", + "port": 8080, + "targetPort": 8080 + } + ], + "selector": { + "app": "recommendationservice" + }, + "type": "ClusterIP" + } + }, + "source": { + "relativePath": "examples/online-boutique/recommendationservice.yaml", + "fileType": "YAML", + "lastCommit": { + "hash": "96148ac6fd37d8d03572ad8c9bb5e60a4663c52a", + "date": "2021-08-26T17:41:11+03:00", + "committerName": "dwertent", + "committerEmail": "dwertent@cyberarmor.io", + "message": "support yaml input\n" + } + } + } + ], + "attributes": null, + "results": [ + { + "resourceID": "path=1881121400/api=apps/v1//Deployment/paymentservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + 
{ + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" 
+ } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + 
"status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + 
"app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + 
"value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=1881121400/api=apps/v1//Deployment/paymentservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + 
"category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": 
"control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + 
"category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=2686782197/api=apps/v1//Deployment/recommendationservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + 
"rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + 
"name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": 
"passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=2686782197/api=apps/v1//Deployment/recommendationservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" 
+ ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + 
"category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": 
"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + { + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the 
Kubernetes cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } + ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0053", + "name": "Access container service account", + "rules": [ + { + "name": "access-container-service-account-v1", + "status": "failed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "rules": [ + { + "name": "cluster-admin-role", 
+ "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + 
{ + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } + ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": 
"rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=1161725811/api=apps/v1//Deployment/adservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": 
"rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + 
"SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": 
"passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + 
"fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=1161725811/api=apps/v1//Deployment/adservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + 
"security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + 
"category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=3591976602/api=apps/v1/kubescape/Deployment/kubescape", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": 
"exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": 
"resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "passed", + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": 
"Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + 
} + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] 
+ }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": 
"true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", 
+ "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + 
"app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": 
[ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ], + 
"exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + 
"value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": 
"resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=2924266659/api=apps/v1//Deployment/frontend", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } 
+ ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + 
"controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + 
"name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only 
mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + 
"path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=2924266659/api=apps/v1//Deployment/frontend", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": 
"control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": 
"Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=1644445903/api=apps/v1/kubescape/Deployment/kubescape", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + 
"value": "true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + 
"paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + 
"name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "passed", + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": 
"Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + 
} + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] 
+ }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": 
"true" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", 
+ "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + 
"app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.automountServiceAccountToken", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + 
"systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": 
[ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ], + 
"exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + 
"value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ], + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-5", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Deployment", + "name": "kubescape", + "namespace": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": 
"resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=3919891740/api=/v1//ServiceAccount/kubescape-discovery", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=423865324/api=/v1//Service/productcatalogservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + 
"name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=4115069426/api=/v1//Service/emailservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=4285981016/api=/v1//Service/cartservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=1966984206/api=apps/v1//Deployment/redis-cart", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ 
+ { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": 
"rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + 
"azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + 
} + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": 
"Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + 
"status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=1966984206/api=apps/v1//Deployment/redis-cart", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": 
"Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": 
"control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=4285981016/api=apps/v1//Deployment/cartservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": 
"C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + 
"name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + 
"rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": 
{ + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + 
"path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=4285981016/api=apps/v1//Deployment/cartservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + 
"controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": 
"container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", 
+ "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].volumeMounts[0].readOnly", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC 
privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.hostIPC", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "spec.template.spec.hostPID", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": 
"C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].livenessProbe", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "failed", + "paths": [ + { + 
"failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].securityContext.privileged", + "fixPath": { + "path": "", + "value": "" + } + } + ] + }, + { + "name": "immutable-container-filesystem", + "status": "passed" + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + 
"value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.hostNetwork", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": 
"pods-in-default-namespace", + "status": "passed" + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].ports[0].hostPort", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "passed" + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].volumeMounts[0].readOnly", + "value": "true" + } + } + ] + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", 
+ "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 231.00000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0057", + "category": "Privilege escalation", + "tags": [ + "security" + ] + } + ], + "score": 308, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0038", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 269.5, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 154, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 231.00000000000003, + "severity": 3 + }, + { + 
"attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 132, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0057", + "category": "Privilege escalation", + "tags": [ + "security" + ] + } + ], + "score": 176, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0038", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 154, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 88, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + 
"devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 132, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0057", + "category": "Privilege escalation", + "tags": [ + "security" + ] + } + ], + "score": 220.00000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0038", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 192.50000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + 
"tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Discovery", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 269.5, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Discovery", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 154, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Discovery", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 192.50000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + 
"category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Lateral movement", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 269.5, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Lateral movement", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 154, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0041", + "category": "Lateral movement", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 192.50000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0006", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 231.00000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": 
"Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 308, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0006", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 132, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 176, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0006", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": 
"Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Impact - Data access in container", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 220.00000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0001", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Persistence", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 308, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0044", + "category": "Initial access", + "tags": [ + "security", + "compliance", + "devops" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Persistence", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 176, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0045", + "category": "Persistence", + "tags": [ + "security", + "compliance", + "devops", + "security-impact" + ] + } + ], + "score": 220.00000000000003, + "severity": 3 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0041", + "category": "Impact - service access", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 7.700000000000001, + "severity": 3 + } + ], + "score": 5903.7, + 
"severity": 3 + } + }, + { + "resourceID": "//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + { + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes 
cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } + ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "rules": [ + { + "name": "cluster-admin-role", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": 
"rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=2451423745/api=/v1//Service/currencyservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "/kubescape/Deployment/kubescape", + "controls": [ + { + "controlID": "C-0042", + "name": "SSH server running inside container", + "rules": [ + { + "name": "rule-can-ssh-to-pod-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=3591976602/api=/v1/kubescape/Service/kubescape", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=3015304832/api=/v1//Service/shippingservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=1161725811/api=/v1//Service/adservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=3015304832/api=apps/v1//Deployment/shippingservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": 
"immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + 
"rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + 
}, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { 
+ "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=3015304832/api=apps/v1//Deployment/shippingservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + 
"attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + 
"compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=1644445903/api=/v1/kubescape/Service/kubescape", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=1881121400/api=/v1//Service/paymentservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape", + 
"controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=4115069426/api=apps/v1//Deployment/emailservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + 
"name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": 
"Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": 
"passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=4115069426/api=apps/v1//Deployment/emailservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + 
"compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": 
"Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=423865324/api=apps/v1//Deployment/productcatalogservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": 
[ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + 
"status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications 
credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=423865324/api=apps/v1//Deployment/productcatalogservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 
2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + 
{ + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": 
"Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + { + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + 
"fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } + ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0053", + "name": "Access container service account", + "rules": [ + { + "name": "access-container-service-account-v1", + "status": "failed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "rules": [ + { + "name": "cluster-admin-role", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=3591976602/api=/v1//Namespace/kubescape", + "controls": [ + { + "controlID": "CIS-5.2.12", + "name": "Minimize the admission of HostPath volumes", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0060", + "name": "Namespace without service accounts", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.2.5", + "name": "Minimize the admission of containers wishing to share the host network namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + 
"alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + 
"guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.2", + "name": "Minimize the admission of privileged containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.13", + "name": "Minimize the admission of containers which use HostPorts", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + 
"posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.7", + "name": "Minimize the admission of root containers", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + 
"policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.11", + "name": "Minimize the admission of Windows HostProcess Containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": 
{ + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.3.2", + "name": "Ensure that all Namespaces have Network Policies defined", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + 
"attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.5", + "name": "Ensure that default service accounts are not actively used", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.2.9", + "name": "Minimize the admission of containers with added capabilities", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + 
"name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.10", + "name": "Minimize the admission of containers with capabilities assigned", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + 
"actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.6", + "name": "Minimize the admission of containers with allowPrivilegeEscalation", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + 
} + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.1", + "name": "Create administrative boundaries between resources using namespaces", + "rules": [ + { + "name": "list-all-namespaces", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.8", + "name": "Minimize the admission of containers with the 
NET_RAW capability", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.4", + "name": "Minimize the admission of containers wishing to share the host IPC namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", 
+ "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0049", + "name": "Network mapping", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": 
"Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.3", + "name": "Minimize the admission of containers wishing to share the host process ID namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + 
} + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.1", + "name": "Ensure that the cluster has at least one active policy control mechanism in place", + "rules": [ + { + "name": "pod-security-admission-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=4038904612/api=apps/v1//Deployment/loadgenerator", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": 
"resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": 
[ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + 
"controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].livenessProbe", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + 
"controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].readinessProbe", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + 
"status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ 
+ { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=4038904612/api=apps/v1//Deployment/loadgenerator", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + 
"severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + 
"security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=645840794/api=apps/v1//Deployment/checkoutservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": 
"passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + "rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + 
"name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + "credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": 
"C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + 
"app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + 
"controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=645840794/api=apps/v1//Deployment/checkoutservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + 
"compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": 
"Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + 
}, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "path=4203826079/api=/v1//Namespace/kubescape-host-scanner", + "controls": [ + { + "controlID": "CIS-5.2.12", + "name": "Minimize the admission of HostPath volumes", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "C-0060", + "name": "Namespace without service accounts", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.5", + "name": "Minimize the admission of containers wishing to share the host network namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "rules": [ + { + "name": "internal-networking", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.2", + "name": "Minimize the admission of privileged containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.13", + "name": "Minimize the admission of containers which use HostPorts", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.7", + "name": "Minimize the admission of root containers", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.11", + "name": "Minimize the admission of Windows HostProcess Containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.3.2", + "name": "Ensure that all Namespaces have Network Policies defined", + "rules": [ + { + "name": 
"internal-networking", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.1.5", + "name": "Ensure that default service accounts are not actively used", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.9", + "name": "Minimize the admission of containers with added capabilities", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.10", + "name": "Minimize the admission of containers with capabilities assigned", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.6", + "name": "Minimize the admission of containers with allowPrivilegeEscalation", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.7.1", + "name": "Create administrative boundaries between resources using namespaces", + "rules": [ + { + "name": "list-all-namespaces", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.8", + "name": "Minimize the admission of containers with the NET_RAW capability", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.4", + "name": "Minimize the admission of containers wishing to share the host IPC namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "C-0049", + "name": "Network mapping", + "rules": [ + { + "name": "internal-networking", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.3", + "name": "Minimize the admission of containers wishing to share the host process ID namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed" + } + ] + }, + { + "controlID": "CIS-5.2.1", + "name": "Ensure that the cluster has at least 
one active policy control mechanism in place", + "rules": [ + { + "name": "pod-security-admission-applied", + "status": "failed" + } + ] + } + ] + }, + { + "resourceID": "path=645840794/api=/v1//Service/checkoutservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=2924266659/api=/v1//Service/frontend-external", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=2924266659/api=/v1//Service/frontend", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=2451423745/api=apps/v1//Deployment/currencyservice", + "controls": [ + { + "controlID": "C-0017", + "name": "Immutable container filesystem", + "rules": [ + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "rules": [ + { + "name": "set-seccomp-profile-RuntimeDefault", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile.type", + "value": "RuntimeDefault" + } + } + ] + } + ] + }, + { + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "rules": [ + { + "name": "resources-cpu-limit-and-request", + "status": "passed", + "controlConfigurations": { + "cpu_limit_max": [], + "cpu_limit_min": [], + "cpu_request_max": [], + "cpu_request_min": [] + } + } + ] + }, + { + "controlID": "C-0006", + "name": "Allowed hostPath", + "rules": [ + { + "name": "alert-rw-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0078", + "name": "Images from allowed registry", + "rules": [ + { + "name": "container-image-repository", + "status": "failed", + "paths": [ + { + "failedPath": "spec.template.spec.containers[0].image", + "fixPath": { + "path": "", + "value": "" + } + } + ], + "controlConfigurations": { + "imageRepositoryAllowList": [ + "ecr.*amazonaws.com", + ".*.gcr.io", + ".*azurecr.io" + ] + } + } + ] + }, + { + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "rules": [ + { + "name": "host-pid-ipc-privileges", + "status": "passed" + } + ] + }, + { + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "rules": [ + { + "name": "rule-identify-blocklisted-image-registries", + "status": "passed", + "controlConfigurations": { + "publicRegistries": [ + "quay.io", + "registry.hub.docker.com" + ], + "untrustedRegistries": [] + } + } + ] + }, + { + "controlID": "C-0004", + "name": "Resources memory limit and request", + "rules": [ + { + "name": "resources-memory-limit-and-request", + "status": "passed", + "controlConfigurations": { + "memory_limit_max": [], + "memory_limit_min": [], + "memory_request_max": [], + "memory_request_min": [] + } + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-wl-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0076", + "name": "Label usage for resources", + 
"rules": [ + { + "name": "label-usage-for-resources", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "recommendedLabels": [ + "app", + "tier", + "phase", + "version", + "owner", + "env" + ] + } + } + ] + }, + { + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "rules": [ + { + "name": "rule-secrets-in-env-var", + "status": "passed" + } + ] + }, + { + "controlID": "C-0048", + "name": "HostPath mount", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0016", + "name": "Allow privilege escalation", + "rules": [ + { + "name": "rule-allow-privilege-escalation", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0046", + "name": "Insecure capabilities", + "rules": [ + { + "name": "insecure-capabilities", + "status": "passed", + "controlConfigurations": { + "insecureCapabilities": [ + "SETPCAP", + "NET_ADMIN", + "NET_RAW", + "SYS_MODULE", + "SYS_RAWIO", + "SYS_PTRACE", + "SYS_ADMIN", + "SYS_BOOT", + "MAC_OVERRIDE", + "MAC_ADMIN", + "PERFMON", + "ALL", + "BPF" + ] + } + } + ] + }, + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "rules": [ + { + "name": "rule-credentials-in-env-var", + "status": "passed", + "controlConfigurations": { + "sensitiveKeyNames": [ + "aws_access_key_id", + "aws_secret_access_key", + "azure_batchai_storage_account", + "azure_batchai_storage_key", + "azure_batch_account", + "azure_batch_key", + "secret", + "key", + "password", + "pwd", + "token", + "jwt", + "bearer", + 
"credential" + ], + "sensitiveValuesAllowed": [] + } + } + ] + }, + { + "controlID": "C-0020", + "name": "Mount service principal", + "rules": [ + { + "name": "alert-any-hostpath", + "status": "passed" + } + ] + }, + { + "controlID": "C-0056", + "name": "Configured liveness probe", + "rules": [ + { + "name": "configured-liveness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "C-0057", + "name": "Privileged container", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + } + ] + }, + { + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "rules": [ + { + "name": "image-pull-policy-is-not-set-to-always", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "rules": [ + { + "name": "rule-privilege-escalation", + "status": "passed" + }, + { + "name": "immutable-container-filesystem", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem", + "value": "true" + } + } + ] + }, + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + }, + { + "name": "drop-capability-netraw", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.capabilities.drop", + "value": "NET_RAW" + } + } + ] + }, + { + "name": "set-seLinuxOptions", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.seLinuxOptions", + "value": "YOUR_VALUE" + } + } + ] + }, + { + "name": "set-seccomp-profile", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": 
"spec.template.spec.containers[0].securityContext.seccompProfile", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0077", + "name": "K8s common labels usage", + "rules": [ + { + "name": "K8s common labels usage", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.labels", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.metadata.labels", + "value": "YOUR_VALUE" + } + } + ], + "controlConfigurations": { + "k8sRecommendedLabels": [ + "app.kubernetes.io/name", + "app.kubernetes.io/instance", + "app.kubernetes.io/version", + "app.kubernetes.io/component", + "app.kubernetes.io/part-of", + "app.kubernetes.io/managed-by", + "app.kubernetes.io/created-by" + ] + } + } + ] + }, + { + "controlID": "C-0041", + "name": "HostNetwork access", + "rules": [ + { + "name": "host-network-access", + "status": "passed" + } + ] + }, + { + "controlID": "C-0018", + "name": "Configured readiness probe", + "rules": [ + { + "name": "configured-readiness-probe", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "C-0013", + "name": "Non-root containers", + "rules": [ + { + "name": "non-root-containers", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "rules": [ + { + "name": "sudo-in-container-entrypoint", + "status": "passed" + } + ] + }, + { + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "rules": [ + { + "name": "containers-mounting-docker-socket", + "status": 
"passed" + } + ] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0061", + "name": "Pods in default namespace", + "rules": [ + { + "name": "pods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + }, + { + "controlID": "C-0044", + "name": "Container hostPort", + "rules": [ + { + "name": "container-hostPort", + "status": "passed" + } + ] + }, + { + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "rules": [ + { + "name": "ingress-and-egress-blocked", + "status": "failed" + } + ] + }, + { + "controlID": "C-0055", + "name": "Linux hardening", + "rules": [ + { + "name": "linux-hardening", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.containers[0].seccompProfile", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].seLinuxOptions", + "value": "YOUR_VALUE" + } + }, + { + "fixPath": { + "path": "spec.template.spec.containers[0].capabilities.drop", + "value": "YOUR_VALUE" + } + } + ] + } + ] + }, + { + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "rules": [ + { + "name": "CVE-2022-0492", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "spec.template.spec.securityContext.runAsNonRoot", + "value": "true" + } + }, + { + "fixPath": { + "path": "spec.template.spec.securityContext.allowPrivilegeEscalation", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "C-0009", + "name": "Resource limits", + "rules": [ + { + "name": "resource-policies", + "status": "passed" + } + ] + }, + { + "controlID": "C-0045", + "name": "Writable hostPath mount", + "rules": [ + { + 
"name": "alert-rw-hostpath", + "status": "passed" + } + ] + } + ], + "prioritizedResource": { + "resourceID": "path=2451423745/api=apps/v1//Deployment/currencyservice", + "priorityVector": [ + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 165, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 110.00000000000001, + 
"severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0055", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0016", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0013", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 99.00000000000001, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0086", + "category": "Privilege escalation", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 66, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + 
"compliance" + ] + }, + { + "controlID": "C-0078", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 82.5, + "severity": 2 + }, + { + "attackTrackName": "container", + "type": "control", + "vector": [ + { + "controlID": "C-0078", + "category": "Initial access", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Execution", + "tags": [ + "security", + "compliance" + ] + }, + { + "controlID": "C-0017", + "category": "Persistence", + "tags": [ + "security", + "compliance" + ] + } + ], + "score": 49.50000000000001, + "severity": 2 + } + ], + "score": 1012, + "severity": 2 + } + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": 
"relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + { + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } 
+ ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0053", + "name": "Access container service account", + "rules": [ + { + "name": "access-container-service-account-v1", + "status": "failed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "rules": [ + { + "name": "cluster-admin-role", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding", + "controls": [ + { + "controlID": "C-0002", + "name": "Exec into container", + "rules": [ + { + "name": "exec-into-container-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0063", + "name": "Portforwarding privileges", + "rules": [ + { + "name": "rule-can-portforward-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "rules": [ + { + "name": "rule-can-update-configmap-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "rules": [ + { + "name": "rule-access-dashboard-subject-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0015", + "name": "List 
Kubernetes secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "rules": [ + { + "name": "rule-can-delete-k8s-events-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "rules": [ + { + "name": "rule-can-bind-escalate", + "status": "passed" + }, + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "rules": [ + { + "name": "rule-can-list-get-secrets-v1", + "status": "failed", + "paths": [ + { + "failedPath": "relatedObjects[1].rules[0].resources[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].verbs[1]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[1].rules[0].apiGroups[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": "relatedObjects[0].subjects[0]", + "fixPath": { + "path": "", + "value": "" + } + }, + { + "failedPath": 
"relatedObjects[0].roleRef.name", + "fixPath": { + "path": "", + "value": "" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "rules": [ + { + "name": "rule-can-create-pod", + "status": "passed" + } + ] + }, + { + "controlID": "C-0065", + "name": "No impersonation", + "rules": [ + { + "name": "rule-can-impersonate-users-groups-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0007", + "name": "Data Destruction", + "rules": [ + { + "name": "rule-excessive-delete-rights-v1", + "status": "passed" + } + ] + }, + { + "controlID": "C-0053", + "name": "Access container service account", + "rules": [ + { + "name": "access-container-service-account-v1", + "status": "failed" + } + ] + }, + { + "controlID": "C-0035", + "name": "Cluster-admin binding", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "rules": [ + { + "name": "cluster-admin-role", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "rules": [ + { + "name": "rule-list-all-cluster-admins-v1", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=1966984206/api=/v1//Service/redis-cart", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=1644445903/api=/v1//Namespace/kubescape", + "controls": [ + { + "controlID": "CIS-5.2.12", + "name": "Minimize the admission of HostPath volumes", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": 
"exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0060", + "name": "Namespace without service accounts", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.2.5", + "name": "Minimize the admission of containers wishing to share the host network namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": 
[ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0054", + "name": "Cluster internal networking", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + 
"resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.2", + "name": "Minimize the admission of privileged containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" 
+ } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.13", + "name": "Minimize the admission of containers which use HostPorts", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + 
"creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.7", + "name": "Minimize the admission of root containers", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + 
], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.11", + "name": "Minimize the admission of Windows HostProcess Containers", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": 
true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.3.2", + "name": "Ensure that all Namespaces have Network Policies defined", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + 
"kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.5", + "name": "Ensure that default service accounts are not actively used", + "rules": [ + { + "name": "namespace-without-service-account", + "status": "passed" + } + ] + }, + { + "controlID": "CIS-5.2.9", + "name": "Minimize the admission of containers with added capabilities", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + 
"designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.10", + "name": "Minimize the admission of containers with capabilities assigned", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + 
} + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.6", + "name": "Minimize the admission of containers with allowPrivilegeEscalation", + "rules": [ + { + "name": "pod-security-admission-restricted-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": 
"postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.7.1", + "name": "Create administrative boundaries between resources using namespaces", + "rules": [ + { + "name": "list-all-namespaces", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", 
+ "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.8", + "name": "Minimize the admission of containers with the NET_RAW capability", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.4", + "name": 
"Minimize the admission of containers wishing to share the host IPC namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "C-0049", + "name": "Network mapping", + "rules": [ + { + "name": "internal-networking", + "status": "failed", + "exception": [ + { + "guid": "", + "name": 
"exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.3", + "name": "Minimize the admission of containers wishing to share the host process ID namespace", + "rules": [ + { + "name": "pod-security-admission-baseline-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": 
"", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + }, + { + "controlID": "CIS-5.2.1", + "name": "Ensure that the cluster has at least one active policy control mechanism in place", + "rules": [ + { + "name": "pod-security-admission-applied", + "status": "failed", + "exception": [ + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": 
"kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + }, + { + "guid": "", + "name": "exclude-kubescape-resources-0", + "attributes": { + "systemException": true + }, + "policyType": "postureExceptionPolicy", + "creationTime": "", + "actions": [ + "alertOnly" + ], + "resources": [ + { + "designatorType": "Attributes", + "attributes": { + "kind": "Namespace", + "name": "kubescape" + } + } + ], + "posturePolicies": [ + { + "frameworkName": "" + } + ] + } + ] + } + ] + } + ] + }, + { + "resourceID": "path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery", + "controls": [ + { + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + ] + }, + { + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "rules": [ + { + "name": "automount-service-account", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "automountServiceAccountToken", + "value": "false" + } + } + ] + } + 
] + }, + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "passed" + } + ] + } + ] + }, + { + "resourceID": "path=2686782197/api=/v1//Service/recommendationservice", + "controls": [ + { + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "rules": [ + { + "name": "resources-notpods-in-default-namespace", + "status": "failed", + "paths": [ + { + "fixPath": { + "path": "metadata.namespace", + "value": "YOUR_NAMESPACE" + } + } + ] + } + ] + } + ] + } + ], + "summaryDetails": { + "controls": { + "C-0001": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 12, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0002": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0004": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0004", + "name": "Resources memory limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0005": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0005", + "name": "Control plane hardening", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0006": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0006", + "name": "Allowed hostPath", 
+ "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 6 + }, + "C-0007": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0007", + "name": "Data Destruction", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0009": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0014": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 21, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0015": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 6, + "excludedResources": 0 + }, + 
"score": 100, + "scoreFactor": 7 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0017": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0018": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0018", + "name": "Configured readiness probe", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 3 + }, + "C-0020": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0020", + "name": "Mount service principal", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0021": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0021", + "name": "Exposed sensitive interfaces", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0026": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0026", + "name": "Kubernetes CronJob", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": 
"Ingress and Egress blocked", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0031": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0036": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0036", + "name": "Malicious admission controller (validating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0037": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0038": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + 
"failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0039": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0039", + "name": "Malicious admission controller (mutating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0041": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0042": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0042", + "name": "SSH server running inside container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0044": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 4 + }, + "C-0045": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0045", + "name": "Writable hostPath mount", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0046": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0047": { + "statusInfo": 
{ + "status": "irrelevant" + }, + "controlID": "C-0047", + "name": "Exposed dashboard", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0048": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0048", + "name": "HostPath mount", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0049": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0049", + "name": "Network mapping", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 3 + }, + "C-0050": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0053": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0053", + "name": "Access container service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 4, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + 
"passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "C-0056": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0056", + "name": "Configured liveness probe", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 13, + "failedResources": 2, + "excludedResources": 0 + }, + "score": 13.333333, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0060": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0060", + "name": "Namespace without service accounts", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0061": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0061", + "name": "Pods in default namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 3, + 
"failedResources": 12, + "excludedResources": 0 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0062": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0063": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0063", + "name": "Portforwarding privileges", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0065": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0065", + "name": "No impersonation", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0066": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "irrelevant" + }, + 
"controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0073": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0073", + "name": "Naked PODs", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0074": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0075": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0076": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0076", + "name": "Label usage for resources", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 13, + "excludedResources": 0 + }, + "score": 86.666664, + "scoreFactor": 2 + }, + "C-0077": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0077", + "name": "K8s common labels usage", + "status": "failed", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 2 + }, + "C-0078": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0078", + "name": "Images from allowed registry", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 5 + }, + "C-0079": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0079", + "name": "CVE-2022-0185-linux-kernel-container-escape", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0081": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0081", + "name": "CVE-2022-24348-argocddirtraversal", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0083": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0083", + "name": "Workloads with Critical vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0084": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0084", + "name": "Workloads with RCE vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0085": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0085", + "name": "Workloads with excessive amount of vulnerabilities", + "status": "irrelevant", + 
"resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0086": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 4 + }, + "C-0087": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0087", + "name": "CVE-2022-23648-containerd-fs-escape", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0088": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0088", + "name": "RBAC enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0089": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0089", + "name": "CVE-2022-3172-aggregated-API-server-redirect", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.1.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.1", + "name": "Ensure that the API server pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.10", + "name": "Ensure that the Container Network Interface file ownership is set to 
root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.11", + "name": "Ensure that the etcd data directory permissions are set to 700 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.12", + "name": "Ensure that the etcd data directory ownership is set to etcd:etcd", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.13": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.13", + "name": "Ensure that the admin.conf file permissions are set to 600", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.14": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.14", + "name": "Ensure that the admin.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.15": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.15", + "name": "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 
0, + "scoreFactor": 6 + }, + "CIS-1.1.16": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.16", + "name": "Ensure that the scheduler.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.17": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.17", + "name": "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.18": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.18", + "name": "Ensure that the controller-manager.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.19": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.19", + "name": "Ensure that the Kubernetes PKI directory and file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.2", + "name": "Ensure that the API server pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.20": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.20", + "name": 
"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.21": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.21", + "name": "Ensure that the Kubernetes PKI key file permissions are set to 600", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.3", + "name": "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.4", + "name": "Ensure that the controller manager pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.5", + "name": "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.6", + "name": "Ensure that the scheduler pod specification file ownership is set to root:root", 
+ "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.7", + "name": "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.8", + "name": "Ensure that the etcd pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.9", + "name": "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.1", + "name": "Ensure that the API Server --anonymous-auth argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.10", + "name": "Ensure that the admission control plugin AlwaysAdmit is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + 
"excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.11", + "name": "Ensure that the admission control plugin AlwaysPullImages is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.12", + "name": "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.13": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.13", + "name": "Ensure that the admission control plugin ServiceAccount is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.14": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.14", + "name": "Ensure that the admission control plugin NamespaceLifecycle is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.15": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.15", + "name": "Ensure that the admission control plugin NodeRestriction is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.16": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.16", + 
"name": "Ensure that the API Server --secure-port argument is not set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.17": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.17", + "name": "Ensure that the API Server --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.18": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.18", + "name": "Ensure that the API Server --audit-log-path argument is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.19": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.19", + "name": "Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.2", + "name": "Ensure that the API Server --token-auth-file parameter is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.20": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.20", + "name": "Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + 
"passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.21": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.21", + "name": "Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.22": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.22", + "name": "Ensure that the API Server --request-timeout argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.23": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.23", + "name": "Ensure that the API Server --service-account-lookup argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.2.24": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.24", + "name": "Ensure that the API Server --service-account-key-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.25": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.25", + "name": "Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + 
"scoreFactor": 8 + }, + "CIS-1.2.26": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.26", + "name": "Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.27": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.27", + "name": "Ensure that the API Server --client-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.28": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.28", + "name": "Ensure that the API Server --etcd-cafile argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.29": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.29", + "name": "Ensure that the API Server --encryption-provider-config argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.3", + "name": "Ensure that the API Server --DenyServiceExternalIPs is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.30": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.30", + "name": 
"Ensure that encryption providers are appropriately configured", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.31": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.31", + "name": "Ensure that the API Server only makes use of Strong Cryptographic Ciphers", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.4", + "name": "Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.5", + "name": "Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.6", + "name": "Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.7", + "name": "Ensure that the API Server --authorization-mode argument includes Node", + "status": "irrelevant", + 
"resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.8", + "name": "Ensure that the API Server --authorization-mode argument includes RBAC", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.9", + "name": "Ensure that the admission control plugin EventRateLimit is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.3.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.1", + "name": "Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.3.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.2", + "name": "Ensure that the Controller Manager --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.3.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.3", + "name": "Ensure that the Controller Manager --use-service-account-credentials argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + 
"scoreFactor": 4 + }, + "CIS-1.3.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.4", + "name": "Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.3.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.5", + "name": "Ensure that the Controller Manager --root-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.3.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.6", + "name": "Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.3.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.7", + "name": "Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.4.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.4.1", + "name": "Ensure that the Scheduler --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.4.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.4.2", + 
"name": "Ensure that the Scheduler --bind-address argument is set to 127.0.0.1", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.1", + "name": "Ensure that the --cert-file and --key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.2", + "name": "Ensure that the --client-cert-auth argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.3", + "name": "Ensure that the --auto-tls argument is not set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.4", + "name": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.5", + "name": "Ensure that the --peer-client-cert-auth argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + 
"excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.6", + "name": "Ensure that the --peer-auto-tls argument is not set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.7", + "name": "Ensure that a unique Certificate Authority is used for etcd", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-4.1.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.1", + "name": "Ensure that the kubelet service file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.10", + "name": "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.2", + "name": "Ensure that the kubelet service file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.3", + 
"name": "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.4", + "name": "If proxy kubeconfig file exists ensure ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.5", + "name": "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.6", + "name": "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.7", + "name": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.8", + "name": "Ensure that the client certificate authorities file ownership is set to root:root", + "status": 
"irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.9", + "name": "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.1", + "name": "Ensure that the --anonymous-auth argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.2.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.10", + "name": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.2.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.11", + "name": "Ensure that the --rotate-certificates argument is not set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.12", + "name": "Verify that the RotateKubeletServerCertificate argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + 
"excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.13": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.13", + "name": "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-4.2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.2", + "name": "Ensure that the --authorization-mode argument is not set to AlwaysAllow", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.3", + "name": "Ensure that the --client-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.4", + "name": "Verify that the --read-only-port argument is set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-4.2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.5", + "name": "Ensure that the --streaming-connection-idle-timeout argument is not set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-4.2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.6", + "name": "Ensure that the 
--protect-kernel-defaults argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "CIS-4.2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.7", + "name": "Ensure that the --make-iptables-util-chains argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-4.2.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.8", + "name": "Ensure that the --hostname-override argument is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-4.2.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.9", + "name": "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "CIS-5.1.1": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 5, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-5.1.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 6, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 6 
+ }, + "CIS-5.1.3": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-5.1.4": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-5.1.5": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.5", + "name": "Ensure that default service accounts are not actively used", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.1.6": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 5 + }, + "CIS-5.1.8": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-5.2.1": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.1", + "name": "Ensure that the cluster has at least one active policy control mechanism in place", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + 
"passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.2.10": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.10", + "name": "Minimize the admission of containers with capabilities assigned", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.11": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.11", + "name": "Minimize the admission of Windows HostProcess Containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 7 + }, + "CIS-5.2.12": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.12", + "name": "Minimize the admission of HostPath volumes", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.13": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.13", + "name": "Minimize the admission of containers which use HostPorts", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.2.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.2", + "name": "Minimize the admission of privileged containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 8 + }, + "CIS-5.2.3": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.3", + "name": "Minimize the admission of 
containers wishing to share the host process ID namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.4": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.4", + "name": "Minimize the admission of containers wishing to share the host IPC namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.5": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.5", + "name": "Minimize the admission of containers wishing to share the host network namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.6": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.6", + "name": "Minimize the admission of containers with allowPrivilegeEscalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.7": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.7", + "name": "Minimize the admission of root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.8": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.8", + "name": "Minimize the admission of containers with the NET_RAW capability", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + 
}, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.9": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.9", + "name": "Minimize the admission of containers with added capabilities", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.3.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.3.2", + "name": "Ensure that all Namespaces have Network Policies defined", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.4.1": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment variables", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-5.7.1": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.1", + "name": "Create administrative boundaries between resources using namespaces", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.7.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "CIS-5.7.3": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + 
"status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 8 + }, + "CIS-5.7.4": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 7, + "failedResources": 27, + "excludedResources": 0 + }, + "score": 79.411766, + "scoreFactor": 4 + } + }, + "status": "failed", + "frameworks": [ + { + "controls": { + "C-0004": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0004", + "name": "Resources memory limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0018": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0018", + "name": "Configured readiness probe", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 3 + }, + "C-0044": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 4 + }, + "C-0050": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0056": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0056", + "name": "Configured liveness probe", + "status": "failed", + "resourceIDs": 
{}, + "ResourceCounters": { + "passedResources": 13, + "failedResources": 2, + "excludedResources": 0 + }, + "score": 13.333333, + "scoreFactor": 4 + }, + "C-0061": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0061", + "name": "Pods in default namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 3, + "failedResources": 12, + "excludedResources": 0 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0073": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0073", + "name": "Naked PODs", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0074": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0075": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0076": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0076", + "name": "Label usage for resources", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 13, + "excludedResources": 0 + }, + "score": 86.666664, + "scoreFactor": 2 + }, + "C-0077": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0077", + "name": "K8s common labels usage", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + 
"scoreFactor": 2 + } + }, + "name": "DevOpsBest", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 16.747967 + }, + { + "controls": { + "C-0001": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 12, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0002": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0005": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0005", + "name": "Control plane hardening", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0006": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0006", + "name": "Allowed hostPath", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 6 + }, + "C-0009": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 
15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0017": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0038": { + 
"statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0041": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0044": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 4 + }, + "C-0046": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0047": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0047", + "name": "Exposed dashboard", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0049": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0049", + "name": "Network mapping", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 3 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0060": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0060", + "name": "Namespace without service accounts", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0061": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0061", + "name": "Pods in default namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 3, 
+ "failedResources": 12, + "excludedResources": 0 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0062": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0063": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0063", + "name": "Portforwarding privileges", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0065": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0065", + "name": "No impersonation", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0066": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "irrelevant" + }, + 
"controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0078": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0078", + "name": "Images from allowed registry", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 5 + }, + "C-0079": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0079", + "name": "CVE-2022-0185-linux-kernel-container-escape", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0081": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0081", + "name": "CVE-2022-24348-argocddirtraversal", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0083": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0083", + "name": "Workloads with Critical vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0084": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": 
"C-0084", + "name": "Workloads with RCE vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0085": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0085", + "name": "Workloads with excessive amount of vulnerabilities", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0086": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 4 + }, + "C-0087": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0087", + "name": "CVE-2022-23648-containerd-fs-escape", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0089": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0089", + "name": "CVE-2022-3172-aggregated-API-server-redirect", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + } + }, + "name": "ArmoBest", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 7, + "failedResources": 16, + "excludedResources": 4 + }, + "score": 29.317932 + }, + { + "controls": { + "C-0002": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + 
"passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0007": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0007", + "name": "Data Destruction", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0012": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0014": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 21, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0015": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 6, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 7 + }, + "C-0020": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0020", + "name": "Mount service principal", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0021": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0021", + "name": "Exposed sensitive interfaces", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0026": { + 
"statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0026", + "name": "Kubernetes CronJob", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0031": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0035": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0036": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0036", + "name": "Malicious admission controller (validating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0037": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0039": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0039", + "name": "Malicious admission controller (mutating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0042": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0042", + "name": "SSH server running inside container", + "status": 
"passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0045": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0045", + "name": "Writable hostPath mount", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0047": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0047", + "name": "Exposed dashboard", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0048": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0048", + "name": "HostPath mount", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0053": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0053", + "name": "Access container service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 4, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + 
"scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0066": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + 
"statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + } + }, + "name": "MITRE", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 15, + "failedResources": 8, + "excludedResources": 2 + }, + "score": 10.858586 + }, + { + "controls": { + "CIS-1.1.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.1", + "name": "Ensure that the API server pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.10", + "name": "Ensure that the Container Network Interface file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.11", + "name": "Ensure that the etcd data directory permissions are set to 700 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.12", + "name": "Ensure that the etcd data directory ownership is set to etcd:etcd", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 
0, + "scoreFactor": 7 + }, + "CIS-1.1.13": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.13", + "name": "Ensure that the admin.conf file permissions are set to 600", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.14": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.14", + "name": "Ensure that the admin.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.1.15": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.15", + "name": "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.16": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.16", + "name": "Ensure that the scheduler.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.17": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.17", + "name": "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.18": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.18", + "name": "Ensure that the 
controller-manager.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.19": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.19", + "name": "Ensure that the Kubernetes PKI directory and file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.2", + "name": "Ensure that the API server pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.20": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.20", + "name": "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.21": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.21", + "name": "Ensure that the Kubernetes PKI key file permissions are set to 600", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.1.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.3", + "name": "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + 
"resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.4", + "name": "Ensure that the controller manager pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.5", + "name": "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.6", + "name": "Ensure that the scheduler pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.7", + "name": "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.8", + "name": "Ensure that the etcd pod specification file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + 
"excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.1.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.1.9", + "name": "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.1", + "name": "Ensure that the API Server --anonymous-auth argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.10", + "name": "Ensure that the admission control plugin AlwaysAdmit is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.11", + "name": "Ensure that the admission control plugin AlwaysPullImages is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.12", + "name": "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.13": { + "statusInfo": { + "status": "irrelevant" + }, + 
"controlID": "CIS-1.2.13", + "name": "Ensure that the admission control plugin ServiceAccount is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.14": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.14", + "name": "Ensure that the admission control plugin NamespaceLifecycle is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.15": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.15", + "name": "Ensure that the admission control plugin NodeRestriction is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.16": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.16", + "name": "Ensure that the API Server --secure-port argument is not set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.17": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.17", + "name": "Ensure that the API Server --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.2.18": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.18", + "name": "Ensure that the API Server --audit-log-path argument is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + 
"failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.19": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.19", + "name": "Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.2", + "name": "Ensure that the API Server --token-auth-file parameter is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.20": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.20", + "name": "Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.21": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.21", + "name": "Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.22": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.22", + "name": "Ensure that the API Server --request-timeout argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.23": { + 
"statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.23", + "name": "Ensure that the API Server --service-account-lookup argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.2.24": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.24", + "name": "Ensure that the API Server --service-account-key-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.25": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.25", + "name": "Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.26": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.26", + "name": "Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.27": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.27", + "name": "Ensure that the API Server --client-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.28": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.28", + "name": 
"Ensure that the API Server --etcd-cafile argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.29": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.29", + "name": "Ensure that the API Server --encryption-provider-config argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.3", + "name": "Ensure that the API Server --DenyServiceExternalIPs is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.2.30": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.30", + "name": "Ensure that encryption providers are appropriately configured", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.31": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.31", + "name": "Ensure that the API Server only makes use of Strong Cryptographic Ciphers", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.4", + "name": "Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.5", + "name": "Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.6", + "name": "Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.7", + "name": "Ensure that the API Server --authorization-mode argument includes Node", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.2.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.8", + "name": "Ensure that the API Server --authorization-mode argument includes RBAC", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-1.2.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.2.9", + "name": "Ensure that the admission control plugin EventRateLimit is set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.3.1": { + 
"statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.1", + "name": "Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.3.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.2", + "name": "Ensure that the Controller Manager --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.3.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.3", + "name": "Ensure that the Controller Manager --use-service-account-credentials argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-1.3.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.4", + "name": "Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.3.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.5", + "name": "Ensure that the Controller Manager --root-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-1.3.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.6", + "name": "Ensure 
that the Controller Manager RotateKubeletServerCertificate argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-1.3.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.3.7", + "name": "Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-1.4.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.4.1", + "name": "Ensure that the Scheduler --profiling argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-1.4.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-1.4.2", + "name": "Ensure that the Scheduler --bind-address argument is set to 127.0.0.1", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.1", + "name": "Ensure that the --cert-file and --key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.2", + "name": "Ensure that the --client-cert-auth argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + 
"failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.3", + "name": "Ensure that the --auto-tls argument is not set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.4", + "name": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.5", + "name": "Ensure that the --peer-client-cert-auth argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.6", + "name": "Ensure that the --peer-auto-tls argument is not set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-2.7", + "name": "Ensure that a unique Certificate Authority is used for etcd", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-4.1.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.1", + "name": "Ensure that the kubelet service 
file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.10", + "name": "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.2", + "name": "Ensure that the kubelet service file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.3", + "name": "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.4", + "name": "If proxy kubeconfig file exists ensure ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.5", + "name": "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.6", + "name": "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.1.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.7", + "name": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.8", + "name": "Ensure that the client certificate authorities file ownership is set to root:root", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.1.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.1.9", + "name": "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.2.1": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.1", + "name": "Ensure that the --anonymous-auth argument is set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, 
+ "scoreFactor": 7 + }, + "CIS-4.2.10": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.10", + "name": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-4.2.11": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.11", + "name": "Ensure that the --rotate-certificates argument is not set to false", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.12": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.12", + "name": "Verify that the RotateKubeletServerCertificate argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.13": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.13", + "name": "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-4.2.2": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.2", + "name": "Ensure that the --authorization-mode argument is not set to AlwaysAllow", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.3": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.3", + "name": "Ensure that the 
--client-ca-file argument is set as appropriate", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-4.2.4": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.4", + "name": "Verify that the --read-only-port argument is set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-4.2.5": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.5", + "name": "Ensure that the --streaming-connection-idle-timeout argument is not set to 0", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-4.2.6": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.6", + "name": "Ensure that the --protect-kernel-defaults argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "CIS-4.2.7": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.7", + "name": "Ensure that the --make-iptables-util-chains argument is set to true", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "CIS-4.2.8": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.8", + "name": "Ensure that the --hostname-override argument is not set", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, 
+ "scoreFactor": 3 + }, + "CIS-4.2.9": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "CIS-4.2.9", + "name": "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "CIS-5.1.1": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.1", + "name": "Ensure that the cluster-admin role is only used where required", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 5, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "CIS-5.1.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.2", + "name": "Minimize access to secrets", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 6, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "CIS-5.1.3": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.3", + "name": "Minimize wildcard use in Roles and ClusterRoles", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "CIS-5.1.4": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.4", + "name": "Minimize access to create pods", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "CIS-5.1.5": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.5", + "name": "Ensure that default service accounts are not actively used", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + 
"failedResources": 1, + "excludedResources": 0 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.1.6": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.1.6", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 5 + }, + "CIS-5.1.8": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.1.8", + "name": "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "CIS-5.2.1": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.1", + "name": "Ensure that the cluster has at least one active policy control mechanism in place", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.2.10": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.10", + "name": "Minimize the admission of containers with capabilities assigned", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.11": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.11", + "name": "Minimize the admission of Windows HostProcess Containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 7 + }, + "CIS-5.2.12": { + "statusInfo": { + "status": "failed" + }, + "controlID": 
"CIS-5.2.12", + "name": "Minimize the admission of HostPath volumes", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.13": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.13", + "name": "Minimize the admission of containers which use HostPorts", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.2.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.2", + "name": "Minimize the admission of privileged containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 8 + }, + "CIS-5.2.3": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.3", + "name": "Minimize the admission of containers wishing to share the host process ID namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.4": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.4", + "name": "Minimize the admission of containers wishing to share the host IPC namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.5": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.5", + "name": "Minimize the admission of containers wishing to share the host network namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, 
+ "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.2.6": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.6", + "name": "Minimize the admission of containers with allowPrivilegeEscalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.7": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.7", + "name": "Minimize the admission of root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.8": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.8", + "name": "Minimize the admission of containers with the NET_RAW capability", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 6 + }, + "CIS-5.2.9": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.2.9", + "name": "Minimize the admission of containers with added capabilities", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.3.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.3.2", + "name": "Ensure that all Namespaces have Network Policies defined", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "CIS-5.4.1": { + "statusInfo": { + "status": "passed" + }, + "controlID": "CIS-5.4.1", + "name": "Prefer using secrets as files over secrets as environment 
variables", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "CIS-5.7.1": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.1", + "name": "Create administrative boundaries between resources using namespaces", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 5 + }, + "CIS-5.7.2": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.2", + "name": "Ensure that the seccomp profile is set to docker/default in your pod definitions", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "CIS-5.7.3": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.3", + "name": "Apply Security Context to Your Pods and Containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 8 + }, + "CIS-5.7.4": { + "statusInfo": { + "status": "failed" + }, + "controlID": "CIS-5.7.4", + "name": "The default namespace should not be used", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 7, + "failedResources": 27, + "excludedResources": 0 + }, + "score": 79.411766, + "scoreFactor": 4 + } + }, + "name": "CIS", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 2, + "failedResources": 37, + "excludedResources": 4 + }, + "score": 43.612335 + }, + { + "controls": { + "C-0002": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "passed", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0005": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0005", + "name": "Control plane hardening", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0006": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0006", + "name": "Allowed hostPath", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 6 + }, + "C-0009": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + 
}, + "C-0017": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0038": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0041": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0044": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + 
"status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 4 + }, + "C-0046": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0047": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0047", + "name": "Exposed dashboard", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + 
"failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0066": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, 
+ "scoreFactor": 9 + } + }, + "name": "NSA", + "status": "failed", + "version": "", + "ResourceCounters": { + "passedResources": 7, + "failedResources": 16, + "excludedResources": 4 + }, + "score": 26.9876 + }, + { + "controls": { + "C-0001": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0001", + "name": "Forbidden Container Registries", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 12, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0002": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0002", + "name": "Exec into container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0004": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0004", + "name": "Resources memory limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0005": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0005", + "name": "Control plane hardening", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0006": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0006", + "name": "Allowed hostPath", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 6 + }, + "C-0007": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0007", + "name": "Data Destruction", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + 
"failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0009": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0009", + "name": "Resource limits", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0012": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0012", + "name": "Applications credentials in configuration files", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0013": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0013", + "name": "Non-root containers", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0014": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0014", + "name": "Access Kubernetes dashboard", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 21, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0015": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0015", + "name": "List Kubernetes secrets", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 6, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 7 + }, + "C-0016": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0016", + "name": "Allow privilege escalation", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0017": { + "statusInfo": { + "status": 
"failed" + }, + "controlID": "C-0017", + "name": "Immutable container filesystem", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, + "excludedResources": 2 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0018": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0018", + "name": "Configured readiness probe", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 3 + }, + "C-0020": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0020", + "name": "Mount service principal", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0021": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0021", + "name": "Exposed sensitive interfaces", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0026": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0026", + "name": "Kubernetes CronJob", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0030": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0030", + "name": "Ingress and Egress blocked", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 6 + }, + "C-0031": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0031", + "name": "Delete Kubernetes events", + "status": "passed", + "resourceIDs": {}, + 
"ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0034": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0034", + "name": "Automatic mapping of service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 2, + "excludedResources": 2 + }, + "score": 11.111111, + "scoreFactor": 6 + }, + "C-0035": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0035", + "name": "Cluster-admin binding", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0036": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0036", + "name": "Malicious admission controller (validating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0037": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0037", + "name": "CoreDNS poisoning", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0038": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0038", + "name": "Host PID/IPC privileges", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0039": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0039", + "name": "Malicious admission controller (mutating)", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + 
"score": 0, + "scoreFactor": 4 + }, + "C-0041": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0041", + "name": "HostNetwork access", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 7 + }, + "C-0042": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0042", + "name": "SSH server running inside container", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0044": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0044", + "name": "Container hostPort", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 4 + }, + "C-0045": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0045", + "name": "Writable hostPath mount", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0046": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0046", + "name": "Insecure capabilities", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0047": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0047", + "name": "Exposed dashboard", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0048": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0048", + "name": "HostPath mount", + 
"status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 7 + }, + "C-0049": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0049", + "name": "Network mapping", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 3 + }, + "C-0050": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0050", + "name": "Resources CPU limit and request", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0053": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0053", + "name": "Access container service account", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 4, + "excludedResources": 0 + }, + "score": 100, + "scoreFactor": 6 + }, + "C-0054": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0054", + "name": "Cluster internal networking", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 1, + "excludedResources": 2 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0055": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0055", + "name": "Linux hardening", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 4 + }, + "C-0056": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0056", + "name": "Configured liveness probe", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 13, + "failedResources": 2, + "excludedResources": 0 + }, + 
"score": 13.333333, + "scoreFactor": 4 + }, + "C-0057": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0057", + "name": "Privileged container", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 14, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 6.6666665, + "scoreFactor": 8 + }, + "C-0058": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0058", + "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access.", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0059": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0059", + "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0060": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0060", + "name": "Namespace without service accounts", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 1, + "excludedResources": 0 + }, + "score": 33.333332, + "scoreFactor": 4 + }, + "C-0061": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0061", + "name": "Pods in default namespace", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 3, + "failedResources": 12, + "excludedResources": 0 + }, + "score": 80, + "scoreFactor": 3 + }, + "C-0062": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0062", + "name": "Sudo in container entrypoint", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + 
"C-0063": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0063", + "name": "Portforwarding privileges", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0065": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0065", + "name": "No impersonation", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 6, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0066": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0066", + "name": "Secret/ETCD encryption enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0067": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0067", + "name": "Audit logs enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0068": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0068", + "name": "PSP enabled", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 1 + }, + "C-0069": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0069", + "name": "Disable anonymous access to Kubelet service", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 10 + }, + "C-0070": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0070", + "name": "Enforce Kubelet client TLS authentication", + 
"status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 9 + }, + "C-0073": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0073", + "name": "Naked PODs", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 3 + }, + "C-0074": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0074", + "name": "Containers mounting Docker socket", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 5 + }, + "C-0075": { + "statusInfo": { + "status": "passed" + }, + "controlID": "C-0075", + "name": "Image pull policy on latest tag", + "status": "passed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 15, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 2 + }, + "C-0076": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0076", + "name": "Label usage for resources", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 2, + "failedResources": 13, + "excludedResources": 0 + }, + "score": 86.666664, + "scoreFactor": 2 + }, + "C-0077": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0077", + "name": "K8s common labels usage", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 2 + }, + "score": 86.666664, + "scoreFactor": 2 + }, + "C-0078": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0078", + "name": "Images from allowed registry", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 13, + "excludedResources": 
2 + }, + "score": 86.666664, + "scoreFactor": 5 + }, + "C-0079": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0079", + "name": "CVE-2022-0185-linux-kernel-container-escape", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0081": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0081", + "name": "CVE-2022-24348-argocddirtraversal", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 4 + }, + "C-0083": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0083", + "name": "Workloads with Critical vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0084": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0084", + "name": "Workloads with RCE vulnerabilities exposed to external traffic", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 8 + }, + "C-0085": { + "statusInfo": { + "status": "irrelevant" + }, + "controlID": "C-0085", + "name": "Workloads with excessive amount of vulnerabilities", + "status": "irrelevant", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 0, + "failedResources": 0, + "excludedResources": 0 + }, + "score": 0, + "scoreFactor": 6 + }, + "C-0086": { + "statusInfo": { + "status": "failed" + }, + "controlID": "C-0086", + "name": "CVE-2022-0492-cgroups-container-escape", + "status": "failed", + "resourceIDs": {}, + "ResourceCounters": { + "passedResources": 1, + "failedResources": 12, 
+ "excludedResources": 2
+ },
+ "score": 80,
+ "scoreFactor": 4
+ },
+ "C-0087": {
+ "statusInfo": {
+ "status": "irrelevant"
+ },
+ "controlID": "C-0087",
+ "name": "CVE-2022-23648-containerd-fs-escape",
+ "status": "irrelevant",
+ "resourceIDs": {},
+ "ResourceCounters": {
+ "passedResources": 0,
+ "failedResources": 0,
+ "excludedResources": 0
+ },
+ "score": 0,
+ "scoreFactor": 7
+ },
+ "C-0088": {
+ "statusInfo": {
+ "status": "irrelevant"
+ },
+ "controlID": "C-0088",
+ "name": "RBAC enabled",
+ "status": "irrelevant",
+ "resourceIDs": {},
+ "ResourceCounters": {
+ "passedResources": 0,
+ "failedResources": 0,
+ "excludedResources": 0
+ },
+ "score": 0,
+ "scoreFactor": 7
+ }
+ },
+ "name": "AllControls",
+ "status": "failed",
+ "version": "",
+ "ResourceCounters": {
+ "passedResources": 2,
+ "failedResources": 22,
+ "excludedResources": 4
+ },
+ "score": 23.911491
+ }
+ ],
+ "severityCounters": {
+ "criticalSeverity": 0,
+ "highSeverity": 26,
+ "mediumSeverity": 151,
+ "lowSeverity": 52
+ },
+ "ResourceCounters": {
+ "passedResources": 3,
+ "failedResources": 37,
+ "excludedResources": 4
+ },
+ "score": 28.733154
+ },
+ "paginationInfo": {
+ "chunkNumber": 0,
+ "isLastChunk": false
+ }
+}
\ No newline at end of file
diff --git a/unittests/tools/test_kubescape_parser.py b/unittests/tools/test_kubescape_parser.py
new file mode 100644
index 00000000000..192c156f630
--- /dev/null
+++ b/unittests/tools/test_kubescape_parser.py
@@ -0,0 +1,14 @@
+from ..dojo_test_case import DojoTestCase, get_unit_tests_path
+from dojo.tools.kubescape.parser import KubescapeParser
+from dojo.models import Test
+
+
+class TestOrtParser(DojoTestCase):
+ def test_parse_file_has_many_finding_one_tool(self):
+ testfile = open(
+ get_unit_tests_path() + "/scans/kubescape/many_findings.json"
+ )
+ parser = KubescapeParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(44, len(findings))
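Review bot: The test class in the new test_kubescape_parser.py hunk is named `TestOrtParser` although it exercises `KubescapeParser` — this looks like a leftover from the test it was copied from, and it should be `class TestKubescapeParser(DojoTestCase):` so failures are attributed to the right parser. The test also asserts nothing but `len(findings)`, so a parser that emits a placeholder title, a fixed severity or an empty description for every resource would still pass; pin at least one finding's `title`, `severity` and `description` to values taken from the fixture (for example a failed control ID and its name) so the imported findings are checked rather than merely counted. Finally, `testfile = open(...)` followed by `testfile.close()` leaks the handle when `get_findings` raises; wrap the parse in `with open(get_unit_tests_path() + "/scans/kubescape/many_findings.json") as testfile:` instead.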