<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Kubescape Scan Report</title>
</head>
<style>
:root {
--cell-padding-vertical: 0.25em;
--cell-padding-horizontal: 0.25em;
--font-family-sans: system-ui, -apple-system, sans-serif;
}
body {
max-width: 60em;
margin: auto;
font-family: var(--font-family-sans);
}
table {
width: 100%;
border-top: 0.1em solid black;
border-bottom: 0.1em solid black;
border-collapse: collapse;
table-layout: fixed;
}
th {
text-align: left;
}
td, th {
padding-top: var(--cell-padding-vertical);
padding-bottom: var(--cell-padding-vertical);
padding-right: var(--cell-padding-horizontal);
vertical-align: top;
}
td > p {
margin: 0;
word-break: break-all;
hyphens: auto;
}
thead {
border-bottom: 0.01em solid black;
}
.numericCell {
text-align: right;
}
.controlSeverityCell {
width: 10%;
}
.controlNameCell {
width: 50%;
}
.controlRiskCell {
width: 10%;
}
.resourceSeverityCell {
width: 10%;
}
.resourceNameCell {
width: 30%;
}
.resourceURLCell {
width: 10%;
}
.resourceRemediationCell {
width: 50%;
}
.logo {
width: 25%;
float: right;
}
</style>
<body>
<img class="logo" alt="Kubescape logo" src="https://raw.githubusercontent.com/kubescape/kubescape/master/core/pkg/resultshandling/printer/v2/pdf/logo.png">
<h1>Kubescape Scan Report</h1>
<h2>By Controls</h2>
<h3>Summary</h3>
<table>
<thead>
<tr>
<th>All</th>
<th>Failed</th>
<th>Excluded</th>
<th>Skipped</th>
</tr>
</thead>
<tbody>
<tr>
<td>174</td>
<td>77</td>
<td>3</td>
<td>3</td>
</tr>
</tbody>
</table>
<h3>Details</h3>
<table>
<thead>
<tr>
<th class="controlSeverityCell">Severity</th>
<th class="controlNameCell">Control Name</th>
<th class="controlRiskCell">Failed Resources</th>
<th class="controlRiskCell">Excluded Resources</th>
<th class="controlRiskCell">All Resources</th>
<th class="controlRiskCell">Risk Score, %</th>
</tr>
</thead>
<tbody>
<tr>
<td class="controlSeverityCell">Critical</td>
<td class="controlNameCell">API server insecure port is enabled</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Critical</td>
<td class="controlNameCell">CVE-2022-39328-grafana-auth-bypass</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Critical</td>
<td class="controlNameCell">Disable anonymous access to Kubelet service</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Critical</td>
<td class="controlNameCell">Enforce Kubelet client TLS authentication</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">16</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Applications credentials in configuration files</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">67</td>
<td class="controlRiskCell numericCell">4</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">33</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">33</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.13 Ensure that the admin.conf file permissions are set to 600</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.14 Ensure that the admin.conf file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.16 Ensure that the API Server --secure-port argument is not set to 0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.2 Ensure that the API Server --token-auth-file parameter is not set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.25 Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.26 Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.27 Ensure that the API Server --client-ca-file argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.28 Ensure that the API Server --etcd-cafile argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">50</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.30 Ensure that encryption providers are appropriately configured</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.4 Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.6 Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.2.8 Ensure that the API Server --authorization-mode argument includes RBAC</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-1.3.5 Ensure that the Controller Manager --root-ca-file argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-2.2 Ensure that the --client-cert-auth argument is set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-2.5 Ensure that the --peer-client-cert-auth argument is set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-2.7 Ensure that a unique Certificate Authority is used for etcd</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">66</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.1.8 Ensure that the client certificate authorities file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.2.1 Ensure that the --anonymous-auth argument is set to false</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">16</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-5.1.1 Ensure that the cluster-admin role is only used where required</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-5.1.3 Minimize wildcard use in Roles and ClusterRoles</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="controlRiskCell numericCell">23</td>
<td class="controlRiskCell numericCell">17</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">56</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CVE-2022-23648-containerd-fs-escape</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">CVE-2022-47633-kyverno-signature-bypass</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Forbidden Container Registries</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Host PID/IPC privileges</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">HostNetwork access</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">13</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">19</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">HostPath mount</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">12</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">19</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Insecure capabilities</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">10</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Instance Metadata API</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">List Kubernetes secrets</td>
<td class="controlRiskCell numericCell">7</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">27</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Privileged container</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">5</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">RBAC enabled</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Resource limits</td>
<td class="controlRiskCell numericCell">18</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">44</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Resources CPU limit and request</td>
<td class="controlRiskCell numericCell">18</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">44</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Resources memory limit and request</td>
<td class="controlRiskCell numericCell">18</td>
<td class="controlRiskCell numericCell">14</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">44</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Workloads with Critical vulnerabilities exposed to external traffic</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Workloads with RCE vulnerabilities exposed to external traffic</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">High</td>
<td class="controlNameCell">Writable hostPath mount</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">7</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">10</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Access container service account</td>
<td class="controlRiskCell numericCell">5</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">12</td>
<td class="controlRiskCell numericCell">42</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Allow privilege escalation</td>
<td class="controlRiskCell numericCell">16</td>
<td class="controlRiskCell numericCell">13</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">39</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Audit logs enabled</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Automatic mapping of service account</td>
<td class="controlRiskCell numericCell">33</td>
<td class="controlRiskCell numericCell">54</td>
<td class="controlRiskCell numericCell">97</td>
<td class="controlRiskCell numericCell">34</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.10 Ensure that the Container Network Interface file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.16 Ensure that the scheduler.conf file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.2 Ensure that the API server pod specification file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.8 Ensure that the etcd pod specification file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.15 Ensure that the admission control plugin NodeRestriction is set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.22 Ensure that the API Server --request-timeout argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.23 Ensure that the API Server --service-account-lookup argument is set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.24 Ensure that the API Server --service-account-key-file argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.3 Ensure that the API Server --DenyServiceExternalIPs is not set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.7 Ensure that the API Server --authorization-mode argument includes Node</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.3.1 Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.3.3 Ensure that the Controller Manager --use-service-account-credentials argument is set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.3.4 Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.3.6 Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.3.7 Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-1.4.2 Ensure that the Scheduler --bind-address argument is set to 127.0.0.1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-2.3 Ensure that the --auto-tls argument is not set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-2.6 Ensure that the --peer-auto-tls argument is not set to true</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-3.2.1 Ensure that a minimal audit policy is created</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-3.2.2 Ensure that the audit policy covers key security concerns</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.2 Ensure that the kubelet service file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.11 Ensure that the --rotate-certificates argument is not set to false</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.3 Ensure that the --client-ca-file argument is set as appropriate</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-4.2.4 Verify that the --read-only-port argument is set to 0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="controlRiskCell numericCell">7</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">27</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.1.4 Minimize access to create pods</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">20</td>
<td class="controlRiskCell numericCell">30</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="controlRiskCell numericCell">36</td>
<td class="controlRiskCell numericCell">51</td>
<td class="controlRiskCell numericCell">97</td>
<td class="controlRiskCell numericCell">37</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="controlRiskCell numericCell">5</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">50</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.3.1 Ensure that the CNI in use supports Network Policies</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.4.1 Prefer using secrets as files over secrets as environment variables</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">2</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.4.2 Consider external secret storage</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="controlRiskCell numericCell">20</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">49</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="controlRiskCell numericCell">7</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">211</td>
<td class="controlRiskCell numericCell">3</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CVE-2021-25741 - Using symlink for arbitrary host file system access.</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CVE-2022-0185-linux-kernel-container-escape</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">36</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CVE-2022-24348-argocddirtraversal</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Cluster internal networking</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Cluster-admin binding</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Configured liveness probe</td>
<td class="controlRiskCell numericCell">12</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">29</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Container hostPort</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">2</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Containers mounting Docker socket</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">CoreDNS poisoning</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">4</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Data Destruction</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">8</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Delete Kubernetes events</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Exec into container</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Exposed sensitive interfaces</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Images from allowed registry</td>
<td class="controlRiskCell numericCell">23</td>
<td class="controlRiskCell numericCell">17</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">56</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Ingress and Egress blocked</td>
<td class="controlRiskCell numericCell">20</td>
<td class="controlRiskCell numericCell">20</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">49</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Linux hardening</td>
<td class="controlRiskCell numericCell">17</td>
<td class="controlRiskCell numericCell">7</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">41</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Malicious admission controller (mutating)</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Mount service principal</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">No impersonation</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Non-root containers</td>
<td class="controlRiskCell numericCell">17</td>
<td class="controlRiskCell numericCell">14</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">41</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Portforwarding privileges</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">26</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Secret/ETCD encryption enabled</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Sudo in container entrypoint</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Medium</td>
<td class="controlNameCell">Workloads with excessive amount of vulnerabilities</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Access Kubernetes dashboard</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">66</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-1.2.13 Ensure that the admission control plugin ServiceAccount is set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-1.2.17 Ensure that the API Server --profiling argument is set to false</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-1.3.2 Ensure that the Controller Manager --profiling argument is set to false</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-1.4.1 Ensure that the Scheduler --profiling argument is set to false</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-4.2.8 Ensure that the --hostname-override argument is not set</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CIS-4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">8</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">CVE-2022-3172-aggregated-API-server-redirect</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Configured readiness probe</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">36</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Image pull policy on latest tag</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">5</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Immutable container filesystem</td>
<td class="controlRiskCell numericCell">18</td>
<td class="controlRiskCell numericCell">18</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">44</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">K8s common labels usage</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">36</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Kubernetes CronJob</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">2</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Label usage for resources</td>
<td class="controlRiskCell numericCell">15</td>
<td class="controlRiskCell numericCell">3</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">36</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Malicious admission controller (validating)</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Naked PODs</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">66</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Network mapping</td>
<td class="controlRiskCell numericCell">6</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">10</td>
<td class="controlRiskCell numericCell">60</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">PSP enabled</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">1</td>
<td class="controlRiskCell numericCell">100</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">Pods in default namespace</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">40</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
<tr>
<td class="controlSeverityCell">Low</td>
<td class="controlNameCell">SSH server running inside container</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">0</td>
<td class="controlRiskCell numericCell">4</td>
<td class="controlRiskCell numericCell">0</td>
</tr>
</tbody>
</table>
<h2>By Resource</h2>
<h3>Name: vms107.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms107.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
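<p>The six kubelet findings above repeat on every node in this report (vms102, vms105, vms107, vms108), and the "Assistant Remediation" column only names the config key. The script below is an added example, not part of the Kubescape report or its code: it audits one node for exactly these items (file modes for CIS-4.1.1, 4.1.7 and 4.1.9; the three KubeletConfiguration keys behind CIS-4.2.6, 4.2.7 and 4.2.12), applies the file-permission fix, and audits again. The default paths are kubeadm's and are assumptions; the fixture it builds is constructed sample data so it runs offline.</p>

```shell
#!/usr/bin/env bash
# Added example (not kubescape's code): audit one node's kubelet files and
# KubeletConfiguration against the CIS 4.1.x / 4.2.x items the report lists.
# Default paths are kubeadm's (an assumption); override via the environment
# or point them at a constructed fixture with make_fixture.

KUBELET_SERVICE="${KUBELET_SERVICE:-/etc/systemd/system/kubelet.service.d/10-kubeadm.conf}"
KUBELET_CA="${KUBELET_CA:-/etc/kubernetes/pki/ca.crt}"
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"

# Octal mode of a file (GNU stat first, BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# "600 or more restrictive": nothing outside owner read/write may be set, so
# the mode ANDed with 0177 (owner x, group rwx, other rwx) must be zero.
mode_at_most_600() {
  local mode
  mode=$(file_mode "$1") || return 1
  [ $(( 0$mode & 0177 )) -eq 0 ]
}

# Value of a boolean key in the kubelet config: true, false or unset.
# Matches at any indentation, so featureGates entries are found as well.
kubelet_bool() {
  local v
  v=$(sed -n "s/^[[:space:]]*$2:[[:space:]]*\([a-z]*\).*/\1/p" "$1" 2>/dev/null | head -n 1)
  case "$v" in true|false) printf '%s\n' "$v" ;; *) printf 'unset\n' ;; esac
}

# One PASS/FAIL line per check, in the order the report lists them.
# protectKernelDefaults defaults to false, so "unset" is a real finding;
# makeIPTablesUtilChains defaults to true, and treating unset as a failure
# is stricter than the CIS audit text (which only fails an explicit false).
audit_kubelet() {
  local f k v
  for f in "$KUBELET_SERVICE" "$KUBELET_CA" "$KUBELET_CONFIG"; do
    if mode_at_most_600 "$f"; then
      echo "PASS perms $(file_mode "$f") $f"
    else
      echo "FAIL perms $(file_mode "$f" || echo missing) $f"
    fi
  done
  for k in protectKernelDefaults makeIPTablesUtilChains RotateKubeletServerCertificate; do
    v=$(kubelet_bool "$KUBELET_CONFIG" "$k")
    if [ "$v" = true ]; then echo "PASS $k=true"; else echo "FAIL $k=$v"; fi
  done
  return 0
}

# Number of FAIL lines: what a CI gate compares against zero.
kubelet_failures() { audit_kubelet | awk '/^FAIL/ { n++ } END { print n + 0 }'; }

# Remediation for the three file-permission findings. The config keys are
# left to the operator: protectKernelDefaults=true makes the kubelet refuse
# to start when the node's sysctls differ from what it expects.
harden_files() { chmod 600 "$KUBELET_SERVICE" "$KUBELET_CA" "$KUBELET_CONFIG"; }

# Constructed node layout for an offline run: one file too open (644), one
# right (600), one group-readable (640), and a config with kernel defaults
# unprotected. Repoints the three path variables into DIR.
make_fixture() {
  local dir=$1
  mkdir -p "$dir/svc" "$dir/pki" "$dir/kubelet"
  KUBELET_SERVICE="$dir/svc/10-kubeadm.conf"
  KUBELET_CA="$dir/pki/ca.crt"
  KUBELET_CONFIG="$dir/kubelet/config.yaml"
  printf '[Service]\nExecStart=/usr/bin/kubelet --config=%s\n' "$KUBELET_CONFIG" > "$KUBELET_SERVICE"
  printf 'constructed placeholder, not a real certificate\n' > "$KUBELET_CA"
  cat > "$KUBELET_CONFIG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
protectKernelDefaults: false
makeIPTablesUtilChains: true
featureGates:
  RotateKubeletServerCertificate: true
EOF
  chmod 644 "$KUBELET_SERVICE"
  chmod 600 "$KUBELET_CA"
  chmod 640 "$KUBELET_CONFIG"
}

# Stand-alone run: audit the fixture, fix the file modes, audit again.
demo() {
  local tmp
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  audit_kubelet; echo "failures: $(kubelet_failures)"
  harden_files
  audit_kubelet; echo "failures after chmod 600: $(kubelet_failures)"
  rm -rf "$tmp"
}
demo
```

<p>On a real node run it as root with the real paths exported (for example <code>KUBELET_CONFIG=/var/lib/kubelet/config.yaml</code>) and drop the <code>demo</code> call. The same <code>mode_at_most_600</code> check covers the CIS-1.1.20 finding on the control-plane PKI files listed further down. <code>protectKernelDefaults: true</code> is the one change to test before rolling out: with it set, the kubelet refuses to start when the node's sysctls (vm.overcommit_memory, kernel.panic and related keys) are not at the values it expects.</p>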
<h3>Name: vms108.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms108.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
<h3>Name: cadvisor</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: cadvisor</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0192">C-0192</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
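<p>Every namespace in this report (cadvisor, ingress-nginx, kubescape, metallb-system) receives the same remediation string, <code>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</code> or <code>=restricted</code> depending on the control, plus an unremediated CIS-5.3.2 (no NetworkPolicy) and "Cluster internal networking". The script below is an added example and not Kubescape's code: for each namespace it renders a Namespace manifest with Pod Security Admission labels (enforcing the requested level while only warning and auditing at <code>restricted</code>) and a default-deny NetworkPolicy that still permits DNS. The CoreDNS selector (<code>k8s-app: kube-dns</code> in kube-system) and port 53 are assumptions about this cluster.</p>

```shell
#!/usr/bin/env bash
# Added example (not kubescape's code): render the namespace-level
# remediation the report proposes as reviewable manifests.

# Namespace with Pod Security Admission labels. ENFORCE is applied; the
# stricter level is only warned and audited, so workloads that would break
# at "restricted" surface as warnings and audit-log entries, not rejections.
psa_namespace() {        # psa_namespace NAME ENFORCE_LEVEL
  local ns=$1 enforce=$2 stricter=restricted
  case "$enforce" in
    privileged|baseline|restricted) ;;
    *) echo "psa_namespace: bad level '$enforce'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $ns
  labels:
    pod-security.kubernetes.io/enforce: $enforce
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: $stricter
    pod-security.kubernetes.io/audit: $stricter
EOF
}

# CIS-5.3.2 / C-0054: deny all ingress and egress by default, but keep DNS
# to CoreDNS open so pods can still resolve names. The kube-system selector
# and the kube-dns label are assumptions about this cluster.
default_deny_policy() {  # default_deny_policy NAMESPACE
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - { protocol: UDP, port: 53 }
    - { protocol: TCP, port: 53 }
EOF
}

# Write two manifests per "namespace=level" argument into OUTDIR and print
# how many namespaces were rendered. Levels are validated before any file
# is written, so a typo leaves the output directory untouched.
render_all() {           # render_all OUTDIR ns=level [ns=level ...]
  local out=$1 pair ns level n=0
  shift
  for pair in "$@"; do
    psa_namespace "${pair%%=*}" "${pair#*=}" >/dev/null || return 1
  done
  mkdir -p "$out"
  for pair in "$@"; do
    ns=${pair%%=*}; level=${pair#*=}
    psa_namespace "$ns" "$level" > "$out/$ns-namespace.yaml"
    default_deny_policy "$ns" > "$out/$ns-default-deny.yaml"
    n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone run with the four namespaces from this report. The levels are
# the report's suggestions; see the note below before applying them.
demo() {
  local out
  out=$(mktemp -d)
  echo "rendered $(render_all "$out" cadvisor=baseline ingress-nginx=baseline \
        kubescape=restricted metallb-system=baseline) namespaces into $out"
  cat "$out/kubescape-namespace.yaml"
  # review, then: kubectl apply --dry-run=server -f "$out" && kubectl apply -f "$out"
}
demo
```

<p>Review the rendered files, then <code>kubectl apply --dry-run=server -f OUTDIR</code> before the real apply. Do not take the report's uniform <code>enforce=baseline</code> at face value for cadvisor and metallb-system: cAdvisor mounts host paths and the MetalLB speaker runs with hostNetwork, both of which baseline rejects, so run <code>kubectl label --dry-run=server --overwrite ns cadvisor pod-security.kubernetes.io/enforce=baseline</code> first; it prints a warning for each existing pod the level would refuse. The default-deny policy also blocks inbound traffic to ingress-nginx, so add an ingress rule for the controller's listening ports before applying it in that namespace.</p>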
<h3>Name: ingress-nginx</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: ingress-nginx</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0192">C-0192</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
<h3>Name: vms102.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms102.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
<h3>Name: vms105.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms105.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
<h3>Name: kubescape</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: kubescape</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0192">C-0192</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
<h3>Name: vms102.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: ControlPlaneInfo</p>
<p>Name: vms102.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0111">C-0111</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
<h3>Name: metallb-system</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: metallb-system</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms106.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms106.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms101.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: ControlPlaneInfo</p>
<p>Name: vms101.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0111">C-0111</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms103.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms103.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms100.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: ControlPlaneInfo</p>
<p>Name: vms100.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0102">C-0102</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0111">C-0111</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0103">C-0103</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: system:bootstrappers:kubeadm:default-node-token</h3>
<p>ApiVersion: rbac.authorization.k8s.io</p>
<p>Kind: Group</p>
<p>Name: system:bootstrappers:kubeadm:default-node-token</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms100.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms100.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: velero</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: velero</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0192">C-0192</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: vms101.liruilongs.github.io</h3>
<p>ApiVersion: hostdata.kubescape.cloud/v1beta0</p>
<p>Kind: KubeletInfo</p>
<p>Name: vms101.liruilongs.github.io</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0168">C-0168</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0183">C-0183</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0170">C-0170</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.7 Ensure that the --make-iptables-util-chains argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0178">C-0178</a></td>
<td class="resourceRemediationCell"> <p>makeIPTablesUtilChains</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-4.2.6 Ensure that the --protect-kernel-defaults argument is set to true</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0177">C-0177</a></td>
<td class="resourceRemediationCell"> <p>protectKernelDefaults</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0162">C-0162</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: local-path-storage</h3>
<p>ApiVersion: v1</p>
<p>Kind: Namespace</p>
<p>Name: local-path-storage</p>
<p>Namespace: </p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Network mapping</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0049">C-0049</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.1 Create administrative boundaries between resources using namespaces</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0209">C-0209</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.1 Ensure that the cluster has at least one active policy control mechanism in place</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0192">C-0192</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.4 Minimize the admission of containers wishing to share the host IPC namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0195">C-0195</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.6 Minimize the admission of containers with allowPrivilegeEscalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0197">C-0197</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.3.2 Ensure that all Namespaces have Network Policies defined</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0206">C-0206</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.13 Minimize the admission of containers which use HostPorts</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0204">C-0204</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.3 Minimize the admission of containers wishing to share the host process ID namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0194">C-0194</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.7 Minimize the admission of root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0198">C-0198</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.9 Minimize the admission of containers with added capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0200">C-0200</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.12 Minimize the admission of HostPath volumes</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0203">C-0203</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.8 Minimize the admission of containers with the NET_RAW capability</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0199">C-0199</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.10 Minimize the admission of containers with capabilities assigned</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0201">C-0201</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=restricted</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Cluster internal networking</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0054">C-0054</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.2 Minimize the admission of privileged containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0193">C-0193</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.2.5 Minimize the admission of containers wishing to share the host network namespace</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0196">C-0196</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.2.11 Minimize the admission of Windows HostProcess Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0202">C-0202</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels[pod-security.kubernetes.io/enforce]=baseline</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: cadvisor</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: cadvisor</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: DaemonSet</p>
<p>Name: cadvisor</p>
<p>Namespace: cadvisor</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.volumes[4].hostPath.path</p> <p>spec.template.spec.volumes[5].hostPath.path</p> <p>spec.template.spec.volumes[1].hostPath.path</p> <p>spec.template.spec.volumes[2].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.privileged</p> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Privileged container</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0057">C-0057</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.privileged</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
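<p>The cadvisor DaemonSet table above reports each finding as a dotted path into the manifest: <code>path=value</code> for a value Kubescape can set, <code>path=YOUR_VALUE</code> for a value the operator must choose, and a bare path for a field (privileged, hostPath.path, image) that has to be removed or changed by hand. The Python below is added here as a worked example; it is not Kubescape's code and not the real cadvisor manifest. It parses those remediation strings, patches a constructed DaemonSet-shaped dict, and then checks for a combination the API server rejects. Names such as <code>CADVISOR_LIKE</code>, <code>remediate</code> and <code>check_conflicts</code> are this example's own.</p>

```python
"""Apply Kubescape 'Assistant Remediation' paths to a workload manifest.

Added example, not Kubescape's own code. The manifest below is constructed
to resemble the cadvisor DaemonSet findings on this page (privileged
container, hostPath volumes, no seccomp profile); it is not the real one.
"""
import copy
import re

_LITERALS = {"true": True, "false": False}        # values Kubescape spells as words
_TOKEN = re.compile(r"([^.\[\]]+)|\[([^\]]+)\]")  # handles a.b[0] and labels[k/v] forms


def parse_path(path):
    """'spec.template.spec.containers[0].image' -> ['spec', ..., 'containers', 0, 'image']"""
    tokens = []
    for name, key in _TOKEN.findall(path):
        tokens.append((int(key) if key.isdigit() else key) if key else name)
    return tokens


def get_path(obj, tokens):
    try:
        for tok in tokens:
            obj = obj[tok]
        return obj
    except (KeyError, IndexError, TypeError):
        return None


def set_path(obj, tokens, value):
    """Assign value at the path, creating intermediate maps and lists as needed."""
    for i, tok in enumerate(tokens[:-1]):
        child_type = list if isinstance(tokens[i + 1], int) else dict
        if isinstance(tok, int):
            while len(obj) <= tok:
                obj.append(child_type())
            obj = obj[tok]
        else:
            obj = obj.setdefault(tok, child_type())
    last = tokens[-1]
    if isinstance(last, int):
        while len(obj) <= last:
            obj.append(None)
    obj[last] = value


def apply_remediation(manifest, remediation):
    """Return (patched copy, status). 'applied': a concrete value was set.
    'manual': YOUR_VALUE placeholder, the operator must choose. 'review': bare
    path with no '=' (privileged, hostPath.path, image): Kubescape is pointing
    at an existing field to remove or change by hand, so nothing is touched."""
    new = copy.deepcopy(manifest)
    if "=" not in remediation:
        return new, "review"
    path, raw = remediation.split("=", 1)
    if raw == "YOUR_VALUE":
        return new, "manual"
    set_path(new, parse_path(path), _LITERALS.get(raw, raw))
    return new, "applied"


def remediate(manifest, remediations):
    """Apply every remediation string; return the patched manifest and a log."""
    log = []
    for r in remediations:
        manifest, status = apply_remediation(manifest, r)
        log.append((r, status))
    return manifest, log


def check_conflicts(manifest):
    """Kubernetes validation rejects privileged=true together with
    allowPrivilegeEscalation=false, so applying only the Medium findings while
    leaving the High 'Privileged container' one yields an undeployable object."""
    problems = []
    for i, c in enumerate(get_path(manifest, parse_path("spec.template.spec.containers")) or []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True and sc.get("allowPrivilegeEscalation") is False:
            problems.append(f"containers[{i}]: privileged=true with allowPrivilegeEscalation=false")
    return problems


# Constructed sample (not the real cadvisor manifest); hostPath sits at the
# volume indices 1, 2, 4, 5 that the report's C-0048 finding names.
CADVISOR_LIKE = {
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "cadvisor", "namespace": "cadvisor"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "cadvisor", "image": "gcr.io/cadvisor/cadvisor:sample-tag",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "tmp", "emptyDir": {}},
                    {"name": "var-run", "hostPath": {"path": "/var/run"}},
                    {"name": "sys", "hostPath": {"path": "/sys"}},
                    {"name": "scratch", "emptyDir": {}},
                    {"name": "docker", "hostPath": {"path": "/var/lib/docker"}},
                    {"name": "disk", "hostPath": {"path": "/dev/disk"}}],
    }}},
}

# Remediation strings as the report lists them for the cadvisor DaemonSet.
REMEDIATIONS = [
    "spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault",
    "spec.template.spec.containers[0].readinessProbe=YOUR_VALUE",
    "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true",
    "spec.template.spec.volumes[4].hostPath.path",
    "spec.template.spec.containers[0].securityContext.privileged",
    "spec.template.spec.containers[0].securityContext.runAsNonRoot=true",
    "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false",
    "spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW",
    "spec.template.spec.containers[0].image",
]

if __name__ == "__main__":
    patched, log = remediate(CADVISOR_LIKE, REMEDIATIONS)
    for r, status in log:
        print(f"{status:8} {r}")
    print("conflicts:", check_conflicts(patched))
```

<p>Two caveats follow from running it. First, the three bare-path findings (privileged, hostPath, image) stay as they are, and with <code>privileged: true</code> left in place the mechanically applied <code>allowPrivilegeEscalation=false</code> produces an object the API server refuses; <code>runAsNonRoot=true</code> likewise fails at container start if the image's entrypoint runs as uid 0. Second, a node agent such as cadvisor reads the host's <code>/sys</code> and container-runtime paths by design, so the High findings here are not fixed by editing paths: the realistic options are a scoped exception for this DaemonSet plus isolation of its namespace. Note that the <code>pod-security.kubernetes.io/enforce=baseline</code> label the namespace table above recommends would itself block privileged and hostPath pods, so that label and this DaemonSet cannot both be applied to the same namespace as they stand.</p>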
<h3>Name: cadvisor</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: cadvisor</p>
<p>Namespace: cadvisor</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-prometheus-stack-admission</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: kube-prometheus-stack-admission</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Access container service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kubernetes</h3>
<p>ApiVersion: v1</p>
<p>Kind: Endpoints</p>
<p>Name: kubernetes</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kubernetes</h3>
<p>ApiVersion: v1</p>
<p>Kind: Service</p>
<p>Name: kubernetes</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-prometheus-stack-admission</h3>
<p>ApiVersion: rbac.authorization.k8s.io/v1</p>
<p>Kind: Role</p>
<p>Name: kube-prometheus-stack-admission</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: release-name-kube-promethe-admission</h3>
<p>ApiVersion: v1</p>
<p>Kind: Secret</p>
<p>Name: release-name-kube-promethe-admission</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: sh.helm.release.v1.kube-prometheus-stack.v1</h3>
<p>ApiVersion: v1</p>
<p>Kind: Secret</p>
<p>Name: sh.helm.release.v1.kube-prometheus-stack.v1</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-prometheus-stack-admission</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: kube-prometheus-stack-admission</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-prometheus-stack-admission</h3>
<p>ApiVersion: rbac.authorization.k8s.io/v1</p>
<p>Kind: RoleBinding</p>
<p>Name: kube-prometheus-stack-admission</p>
<p>Namespace: default</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.4 The default namespace should not be used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0212">C-0212</a></td>
<td class="resourceRemediationCell"> <p>metadata.namespace</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: ingress-nginx</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx-admission</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: ingress-nginx-admission</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Access container service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx-admission</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: ingress-nginx-admission</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx-admission-create</h3>
<p>ApiVersion: batch/v1</p>
<p>Kind: Job</p>
<p>Name: ingress-nginx-admission-create</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
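<p>The report raises the token-mount finding at two levels: <code>automountServiceAccountToken=false</code> on ServiceAccount objects (the <code>default</code>, <code>cadvisor</code> and <code>ingress-nginx-admission</code> entries above) and <code>spec.template.spec.automountServiceAccountToken=false</code> on workloads such as the Job in this table. The two interact: a value set in the pod spec overrides the ServiceAccount's, and when neither is set the token is mounted. The Python below is an added example, not Kubescape's code, that computes the effective result and lists the workloads still receiving a token after ServiceAccount-level hardening; the sample objects are constructed for the example.</p>

```python
"""Effective service-account token mounting for a pod.

Added example, not Kubescape's code. Precedence: the pod spec's
automountServiceAccountToken wins when present; otherwise the referenced
ServiceAccount's value; otherwise the token is mounted. Sample objects are
constructed for the example and are not the real ingress-nginx manifests.
"""


def effective_automount(pod_spec, service_accounts):
    """True if the pod gets a token projected under /var/run/secrets/kubernetes.io/serviceaccount."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    sa_name = pod_spec.get("serviceAccountName", "default")   # unset means the namespace's 'default' SA
    sa = service_accounts.get(sa_name, {})
    return bool(sa.get("automountServiceAccountToken", True))


def workloads_still_mounting(workloads, service_accounts):
    """Names of workloads whose pods still receive a token after SA-level hardening."""
    return [w["metadata"]["name"] for w in workloads
            if effective_automount(w["spec"]["template"]["spec"], service_accounts)]


# Constructed: two SAs hardened, one left at the default; one Job re-enables
# the mount at pod level because it needs API access.
SERVICE_ACCOUNTS = {
    "default": {"automountServiceAccountToken": False},
    "ingress-nginx-admission": {"automountServiceAccountToken": False},
    "ingress-nginx": {},   # field unset: defaults to true
}
WORKLOADS = [
    {"metadata": {"name": "ingress-nginx-admission-create"},
     "spec": {"template": {"spec": {"serviceAccountName": "ingress-nginx-admission",
                                    "automountServiceAccountToken": True}}}},
    {"metadata": {"name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"serviceAccountName": "ingress-nginx"}}}},
    {"metadata": {"name": "batch-worker"},
     "spec": {"template": {"spec": {}}}},
]

if __name__ == "__main__":
    print(workloads_still_mounting(WORKLOADS, SERVICE_ACCOUNTS))
```

<p>The practical pattern this supports: set <code>false</code> on every ServiceAccount, then re-enable the mount explicitly in the pod spec only for workloads that call the API. Both ingress-nginx workloads in this report do (the admission Jobs manage the webhook certificate, the controller watches Ingress objects), so for them the correct end state is a pod-level <code>true</code> paired with the narrowest RBAC, not a blanket <code>false</code> that breaks the controller.</p>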
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: ingress-nginx</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[2]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].verbs[1]</p> <p>relatedObjects[1].rules[1].verbs[2]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[2]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].verbs[1]</p> <p>relatedObjects[1].rules[1].verbs[2]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Access container service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
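<p>The three ServiceAccount entries with an empty ApiVersion (<code>kube-prometheus-stack-admission</code> in <code>default</code>, <code>ingress-nginx-admission</code> and <code>ingress-nginx</code> here) carry the "List Kubernetes secrets" and "Minimize access to secrets" findings, and their remediation paths point not at the ServiceAccount but at <code>relatedObjects[0]</code> (a binding: <code>subjects[0]</code>, <code>roleRef.name</code>) and <code>relatedObjects[1]</code> (a role: <code>rules[i].resources[j]</code>, <code>verbs[k]</code>, <code>apiGroups[g]</code>). The Python below is an added example, not Kubescape's or ingress-nginx's code, that performs that binding-to-role join for one ServiceAccount and emits paths in the same form. The Role and RoleBinding are constructed so that the indices match the <code>ingress-nginx</code> finding above (<code>rules[1].resources[2]</code>, <code>verbs[0..2]</code>); the real ingress-nginx RBAC manifests may differ.</p>

```python
"""Trace how a ServiceAccount ends up able to read Secrets (Kubescape C-0015 / C-0186).

Added example, not Kubescape's or ingress-nginx's code. The Role and
RoleBinding are constructed so the reported indices line up; the real
ingress-nginx RBAC objects may differ.
"""
READ_VERBS = {"get", "list", "watch", "*"}   # verbs that return Secret contents


def secret_read_paths(role):
    """Paths of every rule granting get/list/watch (or *) on secrets in the core group."""
    paths = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = [g for g, grp in enumerate(rule.get("apiGroups", [])) if grp in ("", "*")]
        res = [j for j, r in enumerate(rule.get("resources", [])) if r in ("secrets", "*")]
        verbs = [k for k, v in enumerate(rule.get("verbs", [])) if v in READ_VERBS]
        if groups and res and verbs:   # all three must match inside the same rule
            paths += [f"rules[{i}].resources[{j}]" for j in res]
            paths += [f"rules[{i}].verbs[{k}]" for k in verbs]
            paths += [f"rules[{i}].apiGroups[{g}]" for g in groups]
    return paths


def binds_service_account(binding, name, namespace):
    """True if the binding's subjects include this ServiceAccount."""
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == name
               and s.get("namespace") == namespace for s in binding.get("subjects", []))


def secret_access_findings(sa_name, sa_namespace, roles, bindings):
    """Join bindings to roles for one ServiceAccount; one finding per offending role."""
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    findings = []
    for b in bindings:
        if not binds_service_account(b, sa_name, sa_namespace):
            continue
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then limited to the binding's namespace.
        ns = None if ref["kind"] == "ClusterRole" else b["metadata"].get("namespace")
        role = by_ref.get((ref["kind"], ns, ref["name"]))
        paths = secret_read_paths(role) if role else []
        if paths:
            findings.append({
                "binding": b["metadata"]["name"], "role": ref["name"],
                "scope": "cluster-wide" if b["kind"] == "ClusterRoleBinding"
                         else f"namespace {b['metadata']['namespace']}",
                "paths": paths,
            })
    return findings


# Constructed objects; rule index 1, resource index 2 and verbs 0..2 match the report.
ROLE = {
    "kind": "Role", "metadata": {"name": "ingress-nginx", "namespace": "ingress-nginx"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "update"]},
    ],
}
BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "ingress-nginx", "namespace": "ingress-nginx"},
    "subjects": [{"kind": "ServiceAccount", "name": "ingress-nginx", "namespace": "ingress-nginx"}],
    "roleRef": {"kind": "Role", "name": "ingress-nginx", "apiGroup": "rbac.authorization.k8s.io"},
}

if __name__ == "__main__":
    for f in secret_access_findings("ingress-nginx", "ingress-nginx", [ROLE], [BINDING]):
        print(f"{f['binding']} -> {f['role']} ({f['scope']}): {', '.join(f['paths'])}")
```

<p>Reading the output the way the report does: <code>list</code> and <code>watch</code> return the full contents of every Secret in the namespace, so a single rule that bundles <code>secrets</code> with <code>configmaps</code> and <code>pods</code> is what turns a namespace-scoped RoleBinding into a credential-harvesting position for anything that obtains the ServiceAccount token (which is why the same ServiceAccounts also carry the "Access container service account" finding). The remediation is to split the rule: keep <code>get</code> on the named Secrets the controller actually needs (via <code>resourceNames</code>) and drop <code>list</code>/<code>watch</code> on <code>secrets</code> entirely, then re-run the check. Note the check deliberately ignores rules granting only <code>create</code> or <code>update</code>; those are a separate, also sensitive, finding.</p>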
<h3>Name: ingress-nginx-controller</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: ingress-nginx-controller</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation</p> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ingress-nginx-admission-patch</h3>
<p>ApiVersion: batch/v1</p>
<p>Kind: Job</p>
<p>Name: ingress-nginx-admission-patch</p>
<p>Namespace: ingress-nginx</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: haproxy-vms102.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: haproxy-vms102.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: keepalived-vms101.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: keepalived-vms101.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Writable hostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0045">C-0045</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].volumeMounts[1].readOnly=true</p> <p>spec.containers[0].volumeMounts[0].readOnly=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[1].hostPath.path</p> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Insecure capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0046">C-0046</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.capabilities.add[0]</p> <p>spec.containers[0].securityContext.capabilities.add[2]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-apiserver-vms102.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: kube-apiserver-vms102.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0123">C-0123</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,AlwaysPullImages</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0131">C-0131</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-maxage=30</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-3.2.1 Ensure that a minimal audit policy is created</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0160">C-0160</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0117">C-0117</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--kubelet-certificate-authority=&lt;path/to/ca.crt&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0141">C-0141</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--encryption-provider-config=&lt;path/to/encryption-config.yaml&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0113">C-0113</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--anonymous-auth=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0143">C-0143</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0130">C-0130</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-path=/var/log/apiserver/audit.log</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0121">C-0121</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,EventRateLimit</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0132">C-0132</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxbackup=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0124">C-0124</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,SecurityContextDeny</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0133">C-0133</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxsize=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-1.2.17 Ensure that the API Server --profiling argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0129">C-0129</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--profiling=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: calico-node</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: DaemonSet</p>
<p>Name: calico-node</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Writable hostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0045">C-0045</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].volumeMounts[0].readOnly=true</p> <p>spec.template.spec.containers[0].volumeMounts[5].readOnly=true</p> <p>spec.template.spec.containers[0].volumeMounts[4].readOnly=true</p> <p>spec.template.spec.containers[0].volumeMounts[3].readOnly=true</p> <p>spec.template.spec.containers[0].volumeMounts[2].readOnly=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.volumes[8].hostPath.path</p> <p>spec.template.spec.volumes[7].hostPath.path</p> <p>spec.template.spec.volumes[9].hostPath.path</p> <p>spec.template.spec.volumes[10].hostPath.path</p> <p>spec.template.spec.volumes[2].hostPath.path</p> <p>spec.template.spec.volumes[1].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.privileged</p> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Privileged container</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0057">C-0057</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.privileged</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: calico-node</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: calico-node</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: haproxy-vms101.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: haproxy-vms101.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: calico-kube-controllers</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: calico-kube-controllers</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: keepalived-vms100.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: keepalived-vms100.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Writable hostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0045">C-0045</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].volumeMounts[1].readOnly=true</p> <p>spec.containers[0].volumeMounts[0].readOnly=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[1].hostPath.path</p> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Insecure capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0046">C-0046</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.capabilities.add[0]</p> <p>spec.containers[0].securityContext.capabilities.add[2]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: calico-kube-controllers</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: calico-kube-controllers</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-apiserver-vms101.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: kube-apiserver-vms101.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0123">C-0123</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,AlwaysPullImages</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0131">C-0131</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-maxage=30</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-3.2.1 Ensure that a minimal audit policy is created</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0160">C-0160</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0117">C-0117</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--kubelet-certificate-authority=&lt;path/to/ca.crt&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0141">C-0141</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--encryption-provider-config=&lt;path/to/encryption-config.yaml&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0113">C-0113</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--anonymous-auth=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0143">C-0143</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0130">C-0130</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-path=/var/log/apiserver/audit.log</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0121">C-0121</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,EventRateLimit</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0132">C-0132</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxbackup=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0124">C-0124</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,SecurityContextDeny</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0133">C-0133</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxsize=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-1.2.17 Ensure that the API Server --profiling argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0129">C-0129</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--profiling=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: keepalived-vms102.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: keepalived-vms102.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Writable hostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0045">C-0045</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].volumeMounts[1].readOnly=true</p> <p>spec.containers[0].volumeMounts[0].readOnly=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[1].hostPath.path</p> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Insecure capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0046">C-0046</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.capabilities.add[0]</p> <p>spec.containers[0].securityContext.capabilities.add[2]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: haproxy-vms100.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: haproxy-vms100.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostPath mount</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0048">C-0048</a></td>
<td class="resourceRemediationCell"> <p>spec.volumes[0].hostPath.path</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.securityContext.runAsNonRoot=true</p> <p>spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kube-apiserver-vms100.liruilongs.github.io</h3>
<p>ApiVersion: v1</p>
<p>Kind: Pod</p>
<p>Name: kube-apiserver-vms100.liruilongs.github.io</p>
<p>Namespace: kube-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Secret/ETCD encryption enabled</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0066">C-0066</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.11 Ensure that the admission control plugin AlwaysPullImages is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0123">C-0123</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,AlwaysPullImages</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.19 Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0131">C-0131</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-maxage=30</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-3.2.1 Ensure that a minimal audit policy is created</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0160">C-0160</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.5 Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0117">C-0117</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--kubelet-certificate-authority=&lt;path/to/ca.crt&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.29 Ensure that the API Server --encryption-provider-config argument is set as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0141">C-0141</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--encryption-provider-config=&lt;path/to/encryption-config.yaml&gt;</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.1 Ensure that the API Server --anonymous-auth argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0113">C-0113</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--anonymous-auth=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Audit logs enabled</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0067">C-0067</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0143">C-0143</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-1.2.18 Ensure that the API Server --audit-log-path argument is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0130">C-0130</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--audit-log-path=/var/log/apiserver/audit.log</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.9 Ensure that the admission control plugin EventRateLimit is set</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0121">C-0121</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,EventRateLimit</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.20 Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0132">C-0132</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxbackup=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0124">C-0124</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> <p>spec.containers[0].command[5]=--enable-admission-plugins=NodeRestriction,SecurityContextDeny</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-1.2.21 Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0133">C-0133</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]</p> <p>spec.containers[0].command[28]=--audit-log-maxsize=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">PSP enabled</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0068">C-0068</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[5]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">CIS-1.2.17 Ensure that the API Server --profiling argument is set to false</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0129">C-0129</a></td>
<td class="resourceRemediationCell"> <p>spec.containers[0].command[28]=--profiling=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: kubescape</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: kubevuln-scheduler</h3>
<p>ApiVersion: batch/v1</p>
<p>Kind: CronJob</p>
<p>Name: kubevuln-scheduler</p>
<p>Namespace: kubescape</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Kubernetes CronJob</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0026">C-0026</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: ks-sa</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: ks-sa</p>
<p>Namespace: kubescape</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Data Destruction</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0007">C-0007</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[0]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> <p>relatedObjects[1].rules[2].resources[1]</p> <p>relatedObjects[1].rules[2].verbs[0]</p> <p>relatedObjects[1].rules[2].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].verbs[1]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> <p>relatedObjects[1].rules[2].resources[1]</p> <p>relatedObjects[1].rules[2].verbs[0]</p> <p>relatedObjects[1].rules[2].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CoreDNS poisoning</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0037">C-0037</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[2].resources[0]</p> <p>relatedObjects[1].rules[2].verbs[0]</p> <p>relatedObjects[1].rules[2].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[0]</p> <p>relatedObjects[1].rules[0].verbs[1]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> <p>relatedObjects[1].rules[2].resources[1]</p> <p>relatedObjects[1].rules[2].verbs[0]</p> <p>relatedObjects[1].rules[2].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
</tbody>
</table>
</div>
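<p>The RBAC rows above (C-0015 "List Kubernetes secrets", C-0186 "Minimize access to secrets", C-0007 "Data Destruction") do not name the offending rule in prose; they point at positions inside the related objects. The following script is an added example, not kubescape's own control logic: given a ServiceAccount and constructed RoleBinding/Role objects, it reports which binding, which role and which rule index grant read access to secrets or destructive verbs, using RBAC wildcard semantics, so that the single rule can be narrowed rather than the whole role removed. Reading <code>relatedObjects[0]</code> as the binding and <code>relatedObjects[1]</code> as the bound role is an assumption about the report's index convention; the role and binding names in the sample are invented, only <code>ks-sa</code> and the <code>kubescape</code> namespace come from the report.</p>

```python
"""Find the RBAC rules that give a ServiceAccount read access to secrets.
Added example, not kubescape's own control logic.  It answers the question
behind the C-0015 / C-0186 / C-0007 rows: which binding and which rule of
the bound role grant the verbs, so that rule (not the whole role) can be
narrowed.  relatedObjects[0] = binding, [1] = role is an assumption.
"""

SECRET_READ_VERBS = ("get", "list", "watch")
DESTRUCTIVE_VERBS = ("delete", "deletecollection")     # C-0007 "Data Destruction"

def _matches(allowed, wanted):
    """RBAC list semantics: '*' grants everything, otherwise exact match."""
    return "*" in allowed or wanted in allowed

def bindings_for(subject, bindings):
    """Bindings whose subjects name this ServiceAccount (namespace-qualified)."""
    hits = []
    for b in bindings:
        for s in b.get("subjects", []):
            if (s.get("kind") == "ServiceAccount"
                    and s.get("name") == subject["name"]
                    and s.get("namespace") == subject["namespace"]):
                hits.append(b)
                break
    return hits

def granting_rules(subject, bindings, roles, resource, verbs, api_group=""):
    """Return [(binding, role, rule index, granted verbs)] for every rule
    that allows any of `verbs` on `resource` in `api_group` ("" = core)."""
    roles_by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    found = []
    for b in bindings_for(subject, bindings):
        ref = b["roleRef"]
        role = roles_by_ref.get((ref["kind"], ref["name"]))
        if role is None:
            continue                      # dangling roleRef grants nothing
        for i, rule in enumerate(role.get("rules", [])):
            if not (_matches(rule.get("apiGroups", []), api_group)
                    and _matches(rule.get("resources", []), resource)):
                continue
            granted = [v for v in verbs if _matches(rule.get("verbs", []), v)]
            if granted:
                found.append((b["metadata"]["name"], role["metadata"]["name"], i, granted))
    return found

# Constructed objects in the shape the report's rows imply; role and
# binding names are invented, only ks-sa / kubescape come from the report.
KS_SA = {"name": "ks-sa", "namespace": "kubescape"}
ROLES = [{
    "kind": "ClusterRole", "metadata": {"name": "ks-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
        {"apiGroups": ["*"], "resources": ["configmaps", "*"], "verbs": ["*"]},
    ],
}]
BINDINGS = [{
    "kind": "ClusterRoleBinding", "metadata": {"name": "ks-role-binding"},
    "subjects": [{"kind": "ServiceAccount", "name": "ks-sa", "namespace": "kubescape"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "ks-role"},
}]

if __name__ == "__main__":
    for label, res, verbs in (("secrets read", "secrets", SECRET_READ_VERBS),
                              ("data destruction", "pods", DESTRUCTIVE_VERBS)):
        for binding, role, idx, granted in granting_rules(KS_SA, BINDINGS, ROLES, res, verbs):
            print(f"{label}: {binding} -> {role} rules[{idx}] grants {granted} on {res}")
```

<p>On the sample, rule 0 is the explicit secrets grant and rule 2 is the wildcard rule that grants everything on every resource; the wildcard rule is the one that also matches resources in other API groups, which is why a wildcard rule shows up in several controls at once. The fix the report asks for is to replace the wildcard with the exact resources and verbs the workload needs, and to drop the secrets rule unless the scanner actually reads secrets.</p>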
<h3>Name: kubescape-scheduler</h3>
<p>ApiVersion: batch/v1</p>
<p>Kind: CronJob</p>
<p>Name: kubescape-scheduler</p>
<p>Namespace: kubescape</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Kubernetes CronJob</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0026">C-0026</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.jobTemplate.spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
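<p>The "Assistant Remediation" column above is a list of dotted paths with <code>[n]</code> list indexes and an optional <code>=value</code> suffix; a bare path (such as the <code>image</code> row for C-0078) or a <code>YOUR_VALUE</code> placeholder only points at a field the operator must decide on. The script below is an added example, not kubescape's own code: it parses those paths, applies the ones that carry a concrete value to a constructed stand-in for the <code>kubescape-scheduler</code> CronJob, and collects the rest for manual review. One caveat it also enforces: the C-0086 rows suggest <code>spec...securityContext.allowPrivilegeEscalation=false</code> at the pod level, but <code>allowPrivilegeEscalation</code> exists only in the container-level <code>SecurityContext</code>, not in <code>PodSecurityContext</code>, so applying that path literally produces an unknown field that the API server drops or rejects depending on its field-validation mode; the script flags such paths instead of writing them. The sample manifest and image name are constructed, not the real kubescape manifest.</p>

```python
"""Apply the report's "Assistant Remediation" paths to a manifest.
Added example, not kubescape's own code.  Assumes the path syntax seen in
the table above: dotted keys, [n] list indexes, optional "=value" suffix.
"""
import copy
import json
import re

_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")
# Container-only SecurityContext fields: PodSecurityContext has none of
# these, so a pod-level path naming them (as the C-0086 rows above do for
# allowPrivilegeEscalation) is flagged for review instead of applied.
CONTAINER_ONLY = {"allowPrivilegeEscalation", "privileged", "capabilities",
                  "readOnlyRootFilesystem", "procMount"}

def parse_path(path):
    """'a.b[0].c' -> ['a', 'b', 0, 'c']"""
    return [int(idx) if idx else key for key, idx in _TOKEN.findall(path)]

def coerce(raw):
    """Map the textual value onto the JSON type the API server expects."""
    if raw == "YOUR_VALUE":
        return None                       # placeholder: needs a human decision
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.isdigit() else raw

def misplaced_field(keys):
    """True when a container-only field is addressed on the pod spec."""
    if "securityContext" not in keys:
        return False
    i = keys.index("securityContext")
    return keys[i - 1] == "spec" and i + 1 < len(keys) and keys[i + 1] in CONTAINER_ONLY

def get_path(obj, keys):
    for k in keys:
        obj = obj[k]
    return obj

def set_path(obj, keys, value):
    """Create missing intermediate maps/lists; list items must already exist."""
    cur = obj
    for k, nxt in zip(keys, keys[1:]):
        if isinstance(k, int):
            cur = cur[k]                  # e.g. containers[0]
        else:
            cur = cur.setdefault(k, [] if isinstance(nxt, int) else {})
    last = keys[-1]
    if isinstance(last, int):
        while len(cur) <= last:
            cur.append(None)
    cur[last] = value

def apply_remediations(manifest, lines):
    """Return (patched deep copy, [(path, note)] left for manual review)."""
    patched, review = copy.deepcopy(manifest), []
    for line in lines:
        path, sep, raw = line.partition("=")
        keys = parse_path(path)
        if misplaced_field(keys):
            review.append((path, "container-level field, not valid on PodSecurityContext"))
            continue
        value = coerce(raw) if sep else None
        if value is None:                 # bare path or YOUR_VALUE: report, don't guess
            try:
                current = get_path(patched, keys)
            except (KeyError, IndexError, TypeError):
                current = "<missing>"
            review.append((path, current))
            continue
        set_path(patched, keys, value)
    return patched, review

# Constructed stand-in for the flagged CronJob (not the real manifest).
SAMPLE_CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob",
    "metadata": {"name": "kubescape-scheduler", "namespace": "kubescape"},
    "spec": {"schedule": "0 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "scheduler", "image": "quay.io/example/scheduler:1.0"}],
    }}}}},
}
P = "spec.jobTemplate.spec.template.spec"
# Remediation lines from the C-0211, C-0210, C-0078 and C-0086 rows above.
REPORT_LINES = [
    f"{P}.containers[0].securityContext.readOnlyRootFilesystem=true",
    f"{P}.containers[0].securityContext.runAsNonRoot=true",
    f"{P}.containers[0].securityContext.allowPrivilegeEscalation=false",
    f"{P}.containers[0].securityContext.capabilities.drop[0]=NET_RAW",
    f"{P}.containers[0].securityContext.seccompProfile.type=RuntimeDefault",
    f"{P}.containers[0].securityContext.seLinuxOptions=YOUR_VALUE",
    f"{P}.containers[0].image",
    f"{P}.securityContext.runAsNonRoot=true",
    f"{P}.securityContext.allowPrivilegeEscalation=false",
]

if __name__ == "__main__":
    patched, review = apply_remediations(SAMPLE_CRONJOB, REPORT_LINES)
    print(json.dumps(patched, indent=2))
    for path, note in review:
        print("REVIEW:", path, "->", note)
```

<p>Run it and feed the printed JSON to <code>kubectl apply --dry-run=server -f -</code> before committing: a server-side dry run is what catches a field the API server does not know, and it is also where a <code>runAsNonRoot: true</code> container whose image runs as UID 0 fails at admission rather than at the next scheduled run.</p>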
<h3>Name: local-path-provisioner</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: local-path-provisioner</p>
<p>Namespace: local-path-storage</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.template.spec.securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: local-path-storage</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: local-path-provisioner-service-account</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: local-path-provisioner-service-account</p>
<p>Namespace: local-path-storage</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: controller</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: controller</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Data Destruction</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0007">C-0007</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[1]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[2]</p> <p>relatedObjects[1].rules[0].verbs[3]</p> <p>relatedObjects[1].rules[0].verbs[6]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> <p>relatedObjects[1].rules[1].resources[0]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[0].resources[0]</p> <p>relatedObjects[1].rules[0].verbs[2]</p> <p>relatedObjects[1].rules[0].verbs[3]</p> <p>relatedObjects[1].rules[0].verbs[6]</p> <p>relatedObjects[1].rules[0].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> <p>relatedObjects[1].rules[1].resources[0]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Access container service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: controller</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: controller</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Applications credentials in configuration files</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0012">C-0012</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].env[0].name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: speaker</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: speaker</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: speaker</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: DaemonSet</p>
<p>Name: speaker</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.4.1 Prefer using secrets as files over secrets as environment variables</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0207">C-0207</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].env[4].name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.capabilities.add</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Container hostPort</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0044">C-0044</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].ports[0].hostPort</p> <p>spec.template.spec.containers[0].ports[1].hostPort</p> <p>spec.template.spec.containers[0].ports[2].hostPort</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Insecure capabilities</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0046">C-0046</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.capabilities.add[0]</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">HostNetwork access</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0041">C-0041</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.hostNetwork</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: controller</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: controller</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: speaker</h3>
<p>ApiVersion: </p>
<p>Kind: ServiceAccount</p>
<p>Name: speaker</p>
<p>Namespace: metallb-system</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">List Kubernetes secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0015">C-0015</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[0]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].verbs[1]</p> <p>relatedObjects[1].rules[1].verbs[2]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.2 Minimize access to secrets</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0186">C-0186</a></td>
<td class="resourceRemediationCell"> <p>relatedObjects[1].rules[1].resources[0]</p> <p>relatedObjects[1].rules[1].verbs[0]</p> <p>relatedObjects[1].rules[1].verbs[1]</p> <p>relatedObjects[1].rules[1].verbs[2]</p> <p>relatedObjects[1].rules[1].apiGroups[0]</p> <p>relatedObjects[0].subjects[0]</p> <p>relatedObjects[0].roleRef.name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Access container service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0053">C-0053</a></td>
<td class="resourceRemediationCell"></td>
</tr>
</tbody>
</table>
</div>
<h3>Name: velero</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: velero</p>
<p>Namespace: velero</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Applications credentials in configuration files</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0012">C-0012</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].env[3].name</p> <p>spec.template.spec.containers[0].env[4].name</p> <p>spec.template.spec.containers[0].env[5].name</p> <p>spec.template.spec.containers[0].env[6].name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
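<p>The "Assistant Remediation" column above is a list of dotted manifest paths: some carry a required value (<code>spec.template.spec.automountServiceAccountToken=false</code>), some a <code>YOUR_VALUE</code> placeholder, and some are bare pointers to a field a human has to judge (an env var name under C-0012, the image under C-0078). The following added example, written for this report and not part of Kubescape or of the velero project, parses that format, applies the value-bearing hints to a Deployment held as a plain dict, and re-checks which hints are still unsatisfied. The sample manifest, the env var name, the probe definition and its port are constructed for illustration.</p>

```python
# Apply and verify Kubescape "Assistant Remediation" hints against a manifest dict
# (JSON shape, so no YAML library is needed). Hint grammar as printed in the report:
# path=value sets a field; a bare path is a review-only pointer (e.g. an env var holding
# a credential); YOUR_VALUE is a placeholder the operator supplies through `fill`.
import json
import re

_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\d+)\]")

def parse_path(path):
    """'spec.containers[0].image' -> ['spec', 'containers', 0, 'image']."""
    return [int(idx) if idx != "" else name for name, idx in _SEGMENT.findall(path)]

def parse_hint(hint):
    """Return (path_text, segments, value); value is None for pointer-only hints."""
    path, sep, raw = hint.partition("=")
    value = {"true": True, "false": False}.get(raw, raw)  # report values are untyped text
    return path, parse_path(path), (value if sep else None)

def get_path(obj, segs):
    for seg in segs:
        try:
            obj = obj[seg]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def set_path(obj, segs, value):
    """Assign at segs, creating intermediate dicts/lists (list slots padded with None)."""
    for i, seg in enumerate(segs):
        if isinstance(obj, list):
            obj.extend([None] * (seg + 1 - len(obj)))  # no-op when the slot exists
        if i == len(segs) - 1:
            obj[seg] = value
        else:
            child = [] if isinstance(segs[i + 1], int) else {}
            if isinstance(obj, list):
                obj[seg] = child if obj[seg] is None else obj[seg]
                obj = obj[seg]
            else:
                obj = obj.setdefault(seg, child)

def apply_remediations(manifest, hints, fill=None):
    """Apply every path=value hint in place; report applied / needs_value / review paths."""
    fill = fill or {}
    report = {"applied": [], "needs_value": [], "review": []}
    for hint in hints:
        path, segs, value = parse_hint(hint)
        if value is None:
            report["review"].append(path)       # e.g. env[3].name: needs a human decision
        elif value == "YOUR_VALUE" and path not in fill:
            report["needs_value"].append(path)  # placeholder with no operator value yet
        else:
            set_path(manifest, segs, fill[path] if value == "YOUR_VALUE" else value)
            report["applied"].append(path)
    return report

def unsatisfied(manifest, hints):
    """Hints whose target is still missing (YOUR_VALUE) or differs from the required value."""
    out = []
    for hint in hints:
        path, segs, value = parse_hint(hint)
        if value is not None:
            have = get_path(manifest, segs)
            if (have is None) if value == "YOUR_VALUE" else (have != value):
                out.append(hint)
    return out

# Constructed sample shaped like the velero Deployment above (not the real manifest);
# env[3] stands in for the credential-in-env finding of control C-0012.
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment",
          "metadata": {"name": "velero", "namespace": "velero"},
          "spec": {"template": {"spec": {"containers": [{
              "name": "velero", "image": "velero/velero:v1.12.0",
              "env": [{"name": "A"}, {"name": "B"}, {"name": "C"},
                      {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret"}]}]}}}}
# Hints copied from the velero Deployment rows of this report.
HINTS = [
    "spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault",
    "spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE",
    "spec.template.spec.containers[0].readinessProbe=YOUR_VALUE",
    "spec.template.spec.automountServiceAccountToken=false",
    "spec.template.spec.containers[0].securityContext.runAsNonRoot=true",
    "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false",
    "spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW",
    "spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE",
    "spec.template.spec.containers[0].env[3].name",
]
# Operator-supplied placeholder values (constructed; the probe port is made up).
FILL = {"spec.template.spec.containers[0].readinessProbe": {"tcpSocket": {"port": 8085}}}

def sample():
    return json.loads(json.dumps(SAMPLE))  # fresh copy of the unhardened manifest

if __name__ == "__main__":
    m = sample()
    print("before:", len(unsatisfied(m, HINTS)), "hints unsatisfied")
    print(json.dumps(apply_remediations(m, HINTS, FILL), indent=2))
    print("after:", unsatisfied(m, HINTS))  # only the unfilled seLinuxOptions hint
```

<p>Two things the paths alone do not say: a <code>YOUR_VALUE</code> hint is satisfied by the presence of the field, so once <code>seccompProfile.type</code> is set the bare <code>seccompProfile=YOUR_VALUE</code> row is closed as well, while pointer-only rows are never edited and are returned for review. Dropping only <code>NET_RAW</code> is the minimum the control names; <code>drop: ["ALL"]</code> with explicit adds is the stronger default. <code>allowPrivilegeEscalation</code> has no pod-level field and is only valid under a container's <code>securityContext</code>, which is why the C-0086 rows above point there.</p>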
<h3>Name: minio-setup</h3>
<p>ApiVersion: batch/v1</p>
<p>Kind: Job</p>
<p>Name: minio-setup</p>
<p>Namespace: velero</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Image pull policy on latest tag</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0075">C-0075</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> <p>spec.template.spec.containers[0].imagePullPolicy</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: velero</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: velero</p>
<p>Namespace: velero</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: minio</h3>
<p>ApiVersion: apps/v1</p>
<p>Kind: Deployment</p>
<p>Name: minio</p>
<p>Namespace: velero</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Ingress and Egress blocked</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0030">C-0030</a></td>
<td class="resourceRemediationCell"></td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0210">C-0210</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile.type=RuntimeDefault</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Configured readiness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0018">C-0018</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].readinessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Configured liveness probe</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0056">C-0056</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].livenessProbe=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Image pull policy on latest tag</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0075">C-0075</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> <p>spec.template.spec.containers[0].imagePullPolicy</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Immutable container filesystem</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0017">C-0017</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources CPU limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0050">C-0050</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resources memory limit and request</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0004">C-0004</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">CIS-5.7.3 Apply Security Context to Your Pods and Containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0211">C-0211</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true</p> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=NET_RAW</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Applications credentials in configuration files</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0012">C-0012</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].env[1].name</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Images from allowed registry</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0078">C-0078</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].image</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">K8s common labels usage</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0077">C-0077</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Allow privilege escalation</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0016">C-0016</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Low</td>
<td class="resourceNameCell">Label usage for resources</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0076">C-0076</a></td>
<td class="resourceRemediationCell"> <p>metadata.labels=YOUR_VALUE</p> <p>spec.template.metadata.labels=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Non-root containers</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0013">C-0013</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">High</td>
<td class="resourceNameCell">Resource limits</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0009">C-0009</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE</p> <p>spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CVE-2022-0492-cgroups-container-escape</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0086">C-0086</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.securityContext.runAsNonRoot=true</p> <p>spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Linux hardening</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0055">C-0055</a></td>
<td class="resourceRemediationCell"> <p>spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE</p> <p>spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE</p> </td>
</tr>
</tbody>
</table>
</div>
<h3>Name: default</h3>
<p>ApiVersion: v1</p>
<p>Kind: ServiceAccount</p>
<p>Name: default</p>
<p>Namespace: velero</p>
<table>
<thead>
<tr>
<th class="resourceSeverityCell">Severity</th>
<th class="resourceNameCell">Name</th>
<th class="resourceURLCell">Docs</th>
<th class="resourceRemediationCell">Assistant Remediation</th>
</tr>
</thead>
<tbody>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.6 Ensure that Service Account Tokens are only mounted where necessary</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0190">C-0190</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">Automatic mapping of service account</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0034">C-0034</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
<tr>
<td class="resourceSeverityCell">Medium</td>
<td class="resourceNameCell">CIS-5.1.5 Ensure that default service accounts are not actively used</td>
<td class="resourceURLCell"><a href="https://hub.armosec.io/docs/c-0189">C-0189</a></td>
<td class="resourceRemediationCell"> <p>automountServiceAccountToken=false</p> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>