Overview
Statement
All CIS Benchmarks focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like:
• Monitoring the base operating system for vulnerabilities and quickly updating with the latest security patches
• Monitoring applications and libraries for vulnerabilities and quickly updating with the latest security patches
In the end, the CIS Benchmarks are designed as a key component of a comprehensive cybersecurity program.
This framework provides prescriptive guidance for establishing a secure configuration posture for Kubernetes v1.27.
Special note
The set of configuration files mentioned anywhere throughout this benchmark document may vary according to the deployment tool and the platform. Any reference to a configuration file should be modified according to the actual configuration files used on the specific deployment.
For example, the configuration file for the Kubernetes API server installed by the kubeadm tool may be found in /etc/kubernetes/manifests/kube-apiserver.yaml, but the same file may be called /etc/kubernetes/manifests/kube-apiserver.manifest when installed by kops or kubespray.
Recommendations
1 Control plane configurations
This section consists of security recommendations for the direct configuration of Kubernetes control plane processes. These recommendations may not be directly applicable for cluster operators in environments where these components are managed by a third party.
4 Worker Nodes
This section consists of security recommendations for the components that run on Kubernetes worker nodes. Note that these components may also run on Kubernetes master nodes, so the recommendations in this section should be applied to master nodes as well as worker nodes where the master nodes make use of these components.
5 Policies
This section contains recommendations for various Kubernetes policies which are important to the security of the environment.
Procedures and mapped controls
1.2 API Server
This section contains recommendations relating to API server configuration flags.
1.3 Controller Manager
This section contains recommendations relating to Controller Manager configuration flags.
1.4 Scheduler
This section contains recommendations relating to Scheduler configuration flags.
4.2 Kubelet
This section contains recommendations for kubelet configuration.
Kubelet settings may be configured using arguments on the running kubelet executable, or they may be taken from a Kubelet config file. If both are specified, the executable argument takes precedence.
To find the Kubelet config file, run the following command:
ps -ef | grep kubelet | grep config
If the --config argument is present, this gives the location of the Kubelet config file. This config file could be in JSON or YAML format depending on your distribution.
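The precedence rule above, as an added Python example that is not part of the benchmark or of this framework's stored checks: it pulls the --config path out of a kubelet command line as `ps -ef` would print it, then resolves one setting with the executable argument winning over the config file. The command line, the config-file contents and the flag/key pairs passed in are constructed samples (a real config file may be YAML; the function takes the already-parsed document).

```python
import json
import shlex

# Constructed sample of the kubelet line `ps -ef | grep kubelet | grep config` could show
# (not a capture from a real node).
SAMPLE_CMDLINE = (
    "/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf "
    "--kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml "
    "--read-only-port 10255 --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
)

# Constructed config-file contents (JSON here; YAML would be loaded into the same dict).
SAMPLE_CONFIG = json.loads("""{
  "kind": "KubeletConfiguration",
  "readOnlyPort": 0,
  "authentication": {"anonymous": {"enabled": false}}
}""")


def parse_kubelet_args(cmdline):
    """Return {flag: value} for every --flag=value or --flag value on the command line.
    A switch given without a value (e.g. --fail-swap-on) maps to "true".
    Argument values are strings, exactly as the process received them."""
    tokens = shlex.split(cmdline)[1:]  # drop the executable path
    args = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, sep, value = tok[2:].partition("=")
        if not sep:
            # separate-token form "--config /path"; a following "--x" means a bare switch
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]
                i += 1
            else:
                value = "true"
        args[name] = value
        i += 1
    return args


def kubelet_config_path(cmdline):
    """Location of the Kubelet config file, or None when --config is absent."""
    return parse_kubelet_args(cmdline).get("config")


def _lookup(config, dotted_key):
    """Walk a dotted path such as authentication.anonymous.enabled; (value, found)."""
    node = config
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None, False
        node = node[part]
    return node, True


def effective_setting(cmdline, config, flag, config_key):
    """Resolve one setting the way the benchmark describes it: an executable argument
    overrides the config-file value. Returns (value, source)."""
    args = parse_kubelet_args(cmdline)
    if flag in args:
        return args[flag], "argument"
    value, found = _lookup(config, config_key)
    if found:
        return value, "config-file"
    return None, "unset"
```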
5.1 RBAC and Service Accounts
Mapped controls
Ensure that the cluster-admin role is only used where required
Minimize access to secrets
Minimize wildcard use in Roles and ClusterRoles
Minimize access to create pods
Ensure that default service accounts are not actively used
Ensure that Service Account Tokens are only mounted where necessary
Limit the use of bind, impersonate and escalate permissions
5.2 Pod Security Standards
Pod Security Standards (PSS) are recommendations for securing deployed workloads to reduce the risks of container breakout. There are a number of ways of implementing PSS, including the built-in Pod Security Admission controller or external policy control systems that integrate with Kubernetes via validating and mutating webhooks.
Mapped controls
Minimize the admission of privileged containers
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers with allowPrivilegeEscalation
Minimize the admission of containers which use HostPorts
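The five controls listed above, evaluated the way the corresponding stored checks under Query logic are written, as an added Python example that is not the framework's own code: it runs over Pod objects in the shape `kubectl get pods -A -o json` returns, keeps the same kube-system exclusion where the stored check has one, and goes one step beyond the stored allowPrivilegeEscalation check with an optional mode that treats an unset field as allowing escalation. The sample pods are constructed.

```python
import json

# Constructed Pod objects in the shape of `kubectl get pods -A -o json` items
# (not a capture from a real cluster).
SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "kube-proxy-x1", "namespace": "kube-system"},
  "spec": {"hostNetwork": true,
           "containers": [{"name": "kube-proxy", "securityContext": {"privileged": true}}]}},
 {"metadata": {"name": "debug-shell", "namespace": "dev"},
  "spec": {"hostPID": true,
           "containers": [{"name": "shell",
                           "securityContext": {"privileged": true, "allowPrivilegeEscalation": true}}]}},
 {"metadata": {"name": "web", "namespace": "apps"},
  "spec": {"containers": [{"name": "nginx",
                           "ports": [{"containerPort": 8080, "hostPort": 8080}],
                           "securityContext": {"allowPrivilegeEscalation": false}}]}},
 {"metadata": {"name": "api", "namespace": "apps"},
  "spec": {"containers": [{"name": "api", "ports": [{"containerPort": 9000}]}]}}
]""")


def _containers(pod):
    # Mirrors containers_SOME in the stored checks: spec.containers only. Extend with
    # spec.initContainers if your policy should cover those as well.
    return pod["spec"].get("containers", [])


def _sc(container):
    return container.get("securityContext") or {}


def is_privileged(pod):
    return any(_sc(c).get("privileged") is True for c in _containers(pod))


def uses_host_pid(pod):
    return pod["spec"].get("hostPID") is True


def uses_host_network(pod):
    return pod["spec"].get("hostNetwork") is True


def allows_privilege_escalation(pod, unset_is_true=False):
    """The stored check flags only an explicit true. With unset_is_true an absent field
    also counts: the kubelet sets no_new_privs only when the field is explicitly false,
    so an unset field leaves escalation allowed, which is why the PSS restricted profile
    requires allowPrivilegeEscalation: false."""
    for c in _containers(pod):
        value = _sc(c).get("allowPrivilegeEscalation")
        if value is True or (value is None and unset_is_true):
            return True
    return False


def uses_host_ports(pod):
    return any((p.get("hostPort") or 0) > 0
               for c in _containers(pod) for p in c.get("ports", []))


# control -> (predicate, exclude kube-system?), as the stored checks are written: the
# allowPrivilegeEscalation query is the one without a kube-system exclusion.
POD_CHECKS = {
    "privileged": (is_privileged, True),
    "hostPID": (uses_host_pid, True),
    "hostNetwork": (uses_host_network, True),
    "allowPrivilegeEscalation": (allows_privilege_escalation, False),
    "hostPort": (uses_host_ports, True),
}


def pod_findings(pods, checks=POD_CHECKS):
    """{control: ["namespace/pod", ...]}; every list empty means all five checks pass."""
    out = {name: [] for name in checks}
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        for name, (predicate, skip_kube_system) in checks.items():
            if skip_kube_system and ns == "kube-system":
                continue
            if predicate(pod):
                out[name].append(ns + "/" + pod["metadata"]["name"])
    return out
```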
5.3 Network Policies and CNI
5.4 Secrets Management
5.7 General Policies
Query logic
These are the stored checks tied to this framework.
Kubernetes RoleBindings that use cluster-admin role
Expected check: eq []
{
clusterRoles(where: {internalName: "cluster-admin"}) {
roleBindings(where: {subjects_SOME: {name_NOT: ""}}) {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings that use cluster-admin role
Expected check: eq []
{
clusterRoles(where: {internalName: "cluster-admin"}) {
clusterRoleBindings(where: {subjects_SOME: {name_NOT: "system:masters"}}) {
...AssetFragment
}
}
}
Kubernetes RoleBindings to Roles that have access to secrets
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that have access to secrets
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that have access to secrets
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "get" }
{ verbs_INCLUDES: "list" }
{ verbs_INCLUDES: "watch" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "secrets" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Kubernetes Roles with wildcard rules
Expected check: eq []
{
roles (where: {rules_SOME: {AND: [{verbs_INCLUDES: "*"}, {resources_INCLUDES: "*"}, {OR: [{apiGroup_INCLUDES: ""}, {apiGroup_INCLUDES: "*"}]}]}}){
...AssetFragment
}
}
Kubernetes ClusterRoles with wildcard rules
Expected check: eq []
{
clusterRoles (where: {rules_SOME: {AND: [{verbs_INCLUDES: "*"}, {resources_INCLUDES: "*"}, {OR: [{apiGroup_INCLUDES: ""}, {apiGroup_INCLUDES: "*"}]}]}}){
...AssetFragment
}
}
Kubernetes RoleBindings to Roles that can create pods
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles that can create pods
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles that can create pods
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "create" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "pods" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Kubernetes default Service Accounts that automatically mount
Expected check: eq []
{
serviceAccounts(
where: { internalName: "default", automountServiceAccountToken: true }
) {
...AssetFragment
}
}
Kubernetes RoleBindings bound to default Service Accounts
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
roleBindingSubjects_SOME: { roleBinding: { idFromProvider_NOT: "" } }
}
) {
roleBindingSubjects {
roleBinding {
...AssetFragment
}
}
}
}
Kubernetes ClusterRoleBindings bound to default Service Accounts
Expected check: eq []
{
serviceAccounts(
where: {
internalName: "default"
clusterRoleBindingSubjects_SOME: {
clusterRoleBindings: { idFromProvider_NOT: "" }
}
}
) {
clusterRoleBindingSubjects {
clusterRoleBindings {
...AssetFragment
}
}
}
}
Kubernetes CronJobs pod templates which automount service accounts
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs pod templates which automount service accounts
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets pod templates which automount service accounts
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments pod templates which automount service accounts
Expected check: eq []
{
deployments(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets pod templates which automount service accounts
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets pod templates which automount service accounts
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
isAutomountServiceAccountTokenSet: true
automountServiceAccountToken: true
}
}
) {
...AssetFragment
}
}
Kubernetes RoleBindings to Roles which provide escalate privileges
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "escalate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles which provide escalate privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "escalate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide escalate privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "escalate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to Roles which provide bind privileges
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "bind" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles which provide bind privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "bind" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide bind privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "bind" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "clusterroles" }
{ resources_INCLUDES: "roles" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to Roles which provide impersonate privileges
Expected check: eq []
{
roles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "impersonate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "users" }
{ resources_INCLUDES: "serviceaccounts" }
{ resources_INCLUDES: "groups" }
{ resources_INCLUDES: "uids" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{bindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
bindings {
...AssetFragment
}
}
}
Kubernetes RoleBindings to ClusterRoles which provide impersonate privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "impersonate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "users" }
{ resources_INCLUDES: "serviceaccounts" }
{ resources_INCLUDES: "groups" }
{ resources_INCLUDES: "uids" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{roleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide impersonate privileges
Expected check: eq []
{
clusterRoles(
where: {
AND: [
{
rules_SOME: {
AND: [
{
OR: [
{ verbs_INCLUDES: "impersonate" }
{ verbs_INCLUDES: "*" }
]
}
{
OR: [
{ resources_INCLUDES: "users" }
{ resources_INCLUDES: "serviceaccounts" }
{ resources_INCLUDES: "groups" }
{ resources_INCLUDES: "uids" }
{ resources_INCLUDES: "*" }
]
}
{ OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
]
}
},
{clusterRoleBindings_SOME: {idFromProvider_NOT: ""}}
]
}
) {
clusterRoleBindings {
...AssetFragment
}
}
}
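All of the RBAC checks above share one predicate: a rule that names one of the verbs of interest (or "*"), one of the resources of interest (or "*") and the expected API group (or "*"), on a Role or ClusterRole that is actually bound. The same predicate in Python, as an added example that is not the framework's own code, run over Role/ClusterRole and binding objects in the shape `kubectl get ... -o json` returns; the sample objects are constructed, and the verb/resource/group triples are copied from the stored queries.

```python
import json

# Constructed Role/ClusterRole objects in the shape of the items that
# `kubectl get roles,clusterroles -A -o json` returns (not from a real cluster).
SAMPLE_ROLES = json.loads("""[
 {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "payments"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "pod-logs", "namespace": "payments"},
  "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "everything"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "rbac-escalator"},
  "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
             "verbs": ["escalate", "bind"]}]},
 {"kind": "Role", "metadata": {"name": "deployer", "namespace": "apps"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]}]}
]""")

# Constructed bindings; rbac-escalator is deliberately left unbound.
SAMPLE_BINDINGS = json.loads("""[
 {"kind": "RoleBinding", "metadata": {"name": "ci-reads-secrets", "namespace": "payments"},
  "roleRef": {"kind": "Role", "name": "secret-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "payments"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-everything"},
  "roleRef": {"kind": "ClusterRole", "name": "everything"},
  "subjects": [{"kind": "Group", "name": "ops"}]}
]""")

# control -> (verbs, resources, apiGroups) copied from the stored checks above;
# "*" is accepted for every field, as in the queries.
CHECKS = {
    "secret-access": (("get", "list", "watch"), ("secrets",), ("",)),
    "wildcard-rule": (("*",), ("*",), ("",)),
    "create-pods": (("create",), ("pods",), ("",)),
    "escalate": (("escalate",), ("clusterroles", "roles"), ("rbac.authorization.k8s.io",)),
    "bind": (("bind",), ("clusterroles", "roles"), ("rbac.authorization.k8s.io",)),
    "impersonate": (("impersonate",), ("users", "serviceaccounts", "groups", "uids"), ("",)),
}


def rule_matches(rule, verbs, resources, api_groups):
    """The rules_SOME predicate: the rule names one wanted verb (or "*"), one wanted
    resource (or "*") and one wanted API group (or "*")."""
    return (
        bool((set(verbs) | {"*"}) & set(rule.get("verbs", [])))
        and bool((set(resources) | {"*"}) & set(rule.get("resources", [])))
        and bool((set(api_groups) | {"*"}) & set(rule.get("apiGroups", [])))
    )


def is_bound(role, bindings):
    """The bindings_SOME / roleBindings_SOME / clusterRoleBindings_SOME part: some
    binding's roleRef points at this role (a Role only via a RoleBinding in its own
    namespace; a ClusterRole via either binding kind)."""
    meta = role["metadata"]
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != role["kind"] or ref["name"] != meta["name"]:
            continue
        if role["kind"] == "ClusterRole" or b["metadata"].get("namespace") == meta.get("namespace"):
            return True
    return False


def role_label(role):
    meta = role["metadata"]
    return "/".join(p for p in (role["kind"], meta.get("namespace"), meta["name"]) if p)


def findings(roles, bindings=None, checks=CHECKS):
    """{control: [role labels]} for every role with a matching rule; when bindings are
    given, unbound roles are skipped as the stored checks do. An empty list is a pass."""
    out = {name: [] for name in checks}
    for role in roles:
        if bindings is not None and not is_bound(role, bindings):
            continue
        for name, (verbs, resources, groups) in checks.items():
            if any(rule_matches(r, verbs, resources, groups) for r in role.get("rules", [])):
                out[name].append(role_label(role))
    return out
```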
Minimize the admission of privileged containers (Pod)
Expected check: eq []
{
pods(where: { containers_SOME: { securityContext: { privileged: true } NOT: { namespace: "kube-system" } } }) {
...AssetFragment
}
}
Check there are restrictions on the creation of hostPID pods
Expected check: eq []
{
pods(where: { hostPID: true NOT: { namespace: "kube-system" } }) {
...AssetFragment
}
}
Check there are restrictions on the creation of hostNetwork containers
Expected check: eq []
{
pods(where: { hostNetwork: true NOT: { namespace: "kube-system" } }) {
...AssetFragment
}
}
Minimize the admission of containers with allowPrivilegeEscalation (Pod)
Expected check: eq []
{
pods(where:{containers_SOME:{securityContext:{allowPrivilegeEscalation: true }}}){
...AssetFragment
}
}
Minimize the admission of containers which use HostPorts (Pod)
Expected check: eq []
{
pods(where: { containers_SOME: { ports_SOME: { hostPort_GT: 0 } NOT: { namespace: "kube-system" } } }) {
...AssetFragment
}
}
Kubernetes namespaces without network policies
Expected check: eq []
{
namespaces(where: {networkPolicies: null}) {
...AssetFragment
}
}
Check if CronJobs templates have secrets in environment variables
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Jobs templates have secrets in environment variables
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if DaemonSets templates have secrets in environment variables
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if Deployments templates have secrets in environment variables
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if ReplicaSets templates have secrets in environment variables
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Check if StatefulSets templates have secrets in environment variables
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments with templates that use Kubernetes Secrets
Expected check: eq []
{
deployments(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs with templates that use Kubernetes Secrets
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs with templates that use Kubernetes Secrets
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets with templates that use Kubernetes Secrets
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets with templates that use Kubernetes Secrets
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets with templates that use Kubernetes Secrets
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
OR: [
{
containersTemplates_SOME: {
env_SOME: { isValueFromSet: true, isSecretKeySelectorSet: true }
}
}
{ secretVolumes_NOT: [] }
]
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments with ContainersTemplates that have permissive security context
Expected check: eq []
{
deployments(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets with ContainersTemplates that have permissive security context
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs with ContainersTemplates that have permissive security context
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs with ContainersTemplates that have permissive security context
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
containersTemplates_SOME: {
securityContext: {
OR: [
{ isSeccompProfileSet: false }
{ isSELinuxOptionsSet: false }
{ allowPrivilegeEscalation: true }
{ runAsNonRoot: false }
{ runAsUser_GTE: 1000 }
{ runAsGroup_GTE: 1000 }
{ readOnlyRootFilesystem: false }
{ capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
{ privileged: true }
{
NOT: {
OR: [
{ capabilitiesDrop_INCLUDES: "NET_RAW" }
{ capabilitiesDrop_INCLUDES: "ALL" }
{ capabilitiesDrop_INCLUDES: "all" }
]
}
}
]
}
}
}
}
) {
...AssetFragment
}
}
Kubernetes StatefulSets PodTemplates with permissive security context
Expected check: eq []
{
statefulSets(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes ReplicaSets PodTemplates with permissive security context
Expected check: eq []
{
replicaSets(
where: {
deploymentName: ""
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes Deployments PodTemplates with permissive security context
Expected check: eq []
{
deployments(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes DaemonSets PodTemplates with permissive security context
Expected check: eq []
{
daemonSets(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes Jobs PodTemplates with permissive security context
Expected check: eq []
{
jobs(
where: {
cronJobName: ""
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes CronJobs templates with permissive security context
Expected check: eq []
{
cronJobs(
where: {
podTemplate: {
securityContext: {
OR: [
{ supplementalGroups: [] }
{ isSysctlsContainingElements: false }
{ isSeccompProfileSet: false }
{ isFSGroupChangePolicySet: false }
{ isFSGroupSet: false }
{
NOT: {
OR: [
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "Always"
}
{
isFSGroupChangePolicySet: true
fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
}
]
}
}
{ AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
]
}
}
}
) {
...AssetFragment
}
}
Kubernetes ConfigMaps in default namespace
Expected check: eq []
{
namespaces(where: {internalName: "default"}) {
configMaps (where: {internalName_NOT: "kube-root-ca.crt"}){
...AssetFragment
}
}
}
Kubernetes Endpoints in default namespace
Expected check: eq []
{
namespaces(where: {internalName: "default"}) {
endpoints (where: {internalName_NOT: "kubernetes"}){
...AssetFragment
}
}
}
Kubernetes PersistentVolumeClaims in default namespace
Expected check: eq []
{
namespaces(where: {internalName: "default"}) {
persistentVolumeClaims{
...AssetFragment
}
}
}
Kubernetes ServiceAccounts in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
serviceAccounts(where: {internalName_NOT: "default"}) {
...AssetFragment
}
}
}
Kubernetes Services in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
services(where: {internalName_NOT: "kubernetes"}) {
...AssetFragment
}
}
}
Kubernetes DaemonSets in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
daemonSets {
...AssetFragment
}
}
}
Kubernetes Deployments in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
deployments {
...AssetFragment
}
}
}
Kubernetes ReplicaSets in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
replicaSets(where: {deploymentName: ""}) {
...AssetFragment
}
}
}
Kubernetes StatefulSets in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
statefulSets {
...AssetFragment
}
}
}
Kubernetes Ingresses in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
ingresses {
...AssetFragment
}
}
}
Kubernetes NetworkPolicies in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
networkPolicies {
...AssetFragment
}
}
}
Kubernetes RoleBindings in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
roleBindings {
...AssetFragment
}
}
}
Kubernetes Roles in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
roles {
...AssetFragment
}
}
}
Kubernetes CronJobs in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
cronJobs {
...AssetFragment
}
}
}
Kubernetes Jobs in default namespace
Expected check: eq []
{
namespaces(where: { internalName: "default" }) {
jobs(where: { cronJobName: "" }) {
...AssetFragment
}
}
}
Kubernetes