Skip to content

Commit

Permalink
updates policy docs
Browse files Browse the repository at this point in the history
  • Loading branch information
@cesar-rodriguez
cesar-rodriguez committed Jan 15, 2021
1 parent eeab9fe commit 04d3c74
Showing 1 changed file with 54 additions and 56 deletions.
110 changes: 54 additions & 56 deletions docs/policies/k8s.md
View file
Original file line number Diff line number Diff line change
@@ -1,23 +1,53 @@

### kubernetes_service
| Category | Resource | Severity | Description | Reference ID |
| -------- | -------- | -------- | ----------- | ------------ |
| Network Security | json | MEDIUM | Restrict the use of externalIPs | AC-K8-NS-SE-M-0188 |
| Network Security | json | MEDIUM | Ensure that the Tiller Service (Helm v2) is deleted | AC-K8-NS-SE-M-0185 |
| Network Security | json | LOW | Nodeport service can expose the worker nodes as they have public interface | AC-K8-NS-SV-L-0132 |
| Network Security | json | MEDIUM | Vulnerable to CVE-2020-8554 | AC-K8-NS-SE-M-0188 |


### kubernetes_ingress
| Category | Resource | Severity | Description | Reference ID |
| -------- | -------- | -------- | ----------- | ------------ |
| Network Security | json | HIGH | TLS disabled can affect the confidentiality of the data in transit | AC-K8-NS-IN-H-0020 |


### kubernetes_pod
| Category | Resource | Severity | Description | Reference ID |
| -------- | -------- | -------- | ----------- | ------------ |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.15 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.1 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.14 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.6 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.13 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.12 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.7 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.4 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.11 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.8 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.9 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.10 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.5 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.2 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.3 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of privileged containers | accurics.kubernetes.IAM.16 |
| Network Security | json | MEDIUM | Containers Should Not Share the Host Network Namespace | AC-K8-NS-PO-M-0164 |
| Network Security | json | MEDIUM | Image without digest affects the integrity principle of image security | AC-K8-NS-PO-M-0133 |
| Identity and Access Management | json | HIGH | Minimize Admission of Root Containers | AC-K8-IA-PO-H-0168 |
| Operational Efficiency | json | Medium | CPU Request Not Set in config file. | AC-K8-OE-PK-M-0155 |
| Operational Efficiency | json | MEDIUM | Default Namespace Should Not be Used | AC-K8-OE-PO-M-0166 |
| Network Security | json | HIGH | Do Not Use CAP_SYS_ADMIN Linux Capability | AC-K8-NS-PO-H-0170 |
| Operational Efficiency | json | Medium | Memory Limits Not Set in config file. | AC-K8-OE-PK-M-0158 |
| Data Security | json | MEDIUM | Ensure That Tiller (Helm V2) Is Not Deployed | AC-K8-DS-PO-M-0177 |
| Operational Efficiency | json | LOW | No readiness probe will affect automatic recovery in case of unexpected errors | AC-K8-OE-PO-L-0130 |
| Identity and Access Management | json | MEDIUM | Default seccomp profile not enabled will make the container to make non-essential system calls | AC-K8-IA-PO-M-0141 |
| Identity and Access Management | json | MEDIUM | Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions | AC-K8-IA-PO-M-0140 |
| Network Security | json | HIGH | Prefer using secrets as files over secrets as environment variables | AC-K8-NS-PO-H-0117 |
| Network Security | json | MEDIUM | Containers Should Not Share Host IPC Namespace | AC-K8-NS-PO-M-0163 |
| Network Security | json | MEDIUM | Apply Security Context to Your Pods and Containers | AC-K8-NS-PO-M-0122 |
| Data Security | json | MEDIUM | Ensure Kubernetes Dashboard Is Not Deployed | AC-K8-DS-PO-M-0176 |
| Identity and Access Management | json | HIGH | Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem | AC-K8-IA-PO-H-0138 |
| Identity and Access Management | json | MEDIUM | Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host | AC-K8-IA-PO-M-0143 |
| Identity and Access Management | json | HIGH | Allowing the pod to make system level calls provide access to host/node sensitive information | AC-K8-IA-PO-H-0137 |
| Operational Efficiency | json | MEDIUM | AlwaysPullImages plugin is not set | AC-K8-OE-PK-M-0034 |
| Identity and Access Management | json | MEDIUM | Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s | AC-K8-IA-PO-M-0139 |
| Identity and Access Management | json | MEDIUM | AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats | AC-K8-IA-PO-M-0135 |
| Identity and Access Management | json | MEDIUM | Containers Should Not Share Host Process ID Namespace | AC-K8-IA-PO-M-0162 |
| Network Security | json | MEDIUM | Containers Should Run as a High UID to Avoid Host Conflict | AC-K8-NS-PO-M-0182 |
| Identity and Access Management | json | MEDIUM | Minimize the admission of containers with the NET_RAW capability | AC-K8-IA-PS-M-0112 |
| Operational Efficiency | json | LOW | No liveness probe will ensure there is no recovery in case of unexpected errors | AC-K8-OE-PO-L-0129 |
| Operational Efficiency | json | LOW | No tag or container image with :Latest tag makes difficult to rollback and track | AC-K8-OE-PO-L-0134 |
| Operational Efficiency | json | Medium | Memory Request Not Set in config file. | AC-K8-OE-PK-M-0157 |
| Cloud Assets Management | json | HIGH | Containers Should Not Run with AllowPrivilegeEscalation | AC-K8-CA-PO-H-0165 |
| Operational Efficiency | json | Medium | CPU Limits Not Set in config file. | AC-K8-OE-PK-M-0156 |
| Network Security | json | MEDIUM | Restrict Mounting Docker Socket in a Container | AC-K8-NS-PO-M-0171 |
| Identity and Access Management | json | MEDIUM | Ensure that Service Account Tokens are only mounted where necessary | AC-K8-IA-PO-M-0105 |
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.120 |
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.116 |
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.117 |
Expand All @@ -34,30 +64,7 @@
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.114 |
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.115 |
| Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.119 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.54 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.42 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.43 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.55 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.48 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.52 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.44 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.45 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.53 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.49 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.46 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.50 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.51 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.47 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.56 |
| Identity and Access Management | kubernetes | MEDIUM | Container's root filesystem is not read-only | accurics.kubernetes.IAM.41 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.19 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.23 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.22 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.18 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.24 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.17 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.21 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host IPC namespace | accurics.kubernetes.IAM.20 |
| Data Security | json | MEDIUM | Vulnerable to CVE-2020-8555 (affected version of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8,< v1.15.11 | AC-K8-DS-PO-M-0143 |
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.64 |
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.72 |
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.68 |
Expand All @@ -74,14 +81,6 @@
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.66 |
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.67 |
| Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.71 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.39 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.35 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.34 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.38 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.33 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.40 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.37 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host process ID namespace | accurics.kubernetes.IAM.36 |
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.81 |
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.78 |
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.74 |
Expand All @@ -98,14 +97,12 @@
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.76 |
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.77 |
| Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.82 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.25 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.29 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.28 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.32 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.27 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.31 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.30 |
| Identity and Access Management | kubernetes | MEDIUM | Minimize the admission of containers wishing to share the host network namespace | accurics.kubernetes.IAM.26 |


### kubernetes_role
| Category | Resource | Severity | Description | Reference ID |
| -------- | -------- | -------- | ----------- | ------------ |
| Identity and Access Management | json | HIGH | Ensure that default service accounts are not actively used | AC-K8-IA-RO-H-0104 |


### kubernetes_namespace
Expand All @@ -114,5 +111,6 @@
| Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.462 |
| Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.460 |
| Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.461 |
| Operational Efficiency | json | LOW | No owner for namespace affects the operations | AC-K8-OE-NS-L-0128 |


0 comments on commit 04d3c74

Please sign in to comment.