checkov report for Kubernetes Goat
To identify all of the 232 kubernetes configuration issues run checkov by Bridgecrew
https://twitter.com/BarakSchoster/status/1273170904894377985
| check_id | file | resource | check_name | |
|---|---|---|---|---|
| 0 | CKV_K8S_31 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 1 | CKV_K8S_40 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Containers should run as a high UID to avoid host conflict |
| 2 | CKV_K8S_29 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Apply security context to your pods and containers |
| 3 | CKV_K8S_38 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that Service Account Tokens are only mounted where necessary |
| 4 | CKV_K8S_23 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Minimize the admission of root containers |
| 5 | CKV_K8S_37 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with capabilities assigned |
| 6 | CKV_K8S_8 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Liveness Probe Should be Configured |
| 7 | CKV_K8S_12 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory requests should be set |
| 8 | CKV_K8S_20 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Containers should not run with allowPrivilegeEscalation |
| 9 | CKV_K8S_13 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory limits should be set |
| 10 | CKV_K8S_10 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU requests should be set |
| 11 | CKV_K8S_22 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Use read-only filesystem for containers where possible |
| 12 | CKV_K8S_9 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Readiness Probe Should be Configured |
| 13 | CKV_K8S_28 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 14 | CKV_K8S_30 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Apply security context to your pods and containers |
| 15 | CKV_K8S_14 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image Tag should be fixed - not latest or blank |
| 16 | CKV_K8S_43 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image should use digest |
| 17 | CKV_K8S_11 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU limits should be set |
| 18 | CKV_K8S_31 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 19 | CKV_K8S_40 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Containers should run as a high UID to avoid host conflict |
| 20 | CKV_K8S_29 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Apply security context to your pods and containers |
| 21 | CKV_K8S_38 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 22 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | The default namespace should not be used |
| 23 | CKV_K8S_23 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Minimize the admission of root containers |
| 24 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Service.build-code-service.default | The default namespace should not be used |
| 25 | CKV_K8S_37 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 26 | CKV_K8S_8 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Liveness Probe Should be Configured |
| 27 | CKV_K8S_12 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Memory requests should be set |
| 28 | CKV_K8S_20 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 29 | CKV_K8S_10 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | CPU requests should be set |
| 30 | CKV_K8S_22 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 31 | CKV_K8S_9 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Readiness Probe Should be Configured |
| 32 | CKV_K8S_28 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 33 | CKV_K8S_30 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Apply security context to your pods and containers |
| 34 | CKV_K8S_14 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 35 | CKV_K8S_43 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image should use digest |
| 36 | CKV_K8S_31 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 37 | CKV_K8S_27 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Do not expose the docker daemon socket to containers |
| 38 | CKV_K8S_40 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should run as a high UID to avoid host conflict |
| 39 | CKV_K8S_19 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host network namespace |
| 40 | CKV_K8S_17 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host process ID namespace |
| 41 | CKV_K8S_18 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host IPC namespace |
| 42 | CKV_K8S_38 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that Service Account Tokens are only mounted where necessary |
| 43 | CKV_K8S_21 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | The default namespace should not be used |
| 44 | CKV_K8S_23 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Minimize the admission of root containers |
| 45 | CKV_K8S_37 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 46 | CKV_K8S_8 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Liveness Probe Should be Configured |
| 47 | CKV_K8S_20 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 48 | CKV_K8S_16 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Container should not be privileged |
| 49 | CKV_K8S_22 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Use read-only filesystem for containers where possible |
| 50 | CKV_K8S_9 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Readiness Probe Should be Configured |
| 51 | CKV_K8S_28 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 52 | CKV_K8S_25 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with added capability |
| 53 | CKV_K8S_14 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Image Tag should be fixed - not latest or blank |
| 54 | CKV_K8S_43 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Image should use digest |
| 55 | CKV_K8S_31 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 56 | CKV_K8S_40 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Containers should run as a high UID to avoid host conflict |
| 57 | CKV_K8S_29 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Apply security context to your pods and containers |
| 58 | CKV_K8S_38 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 59 | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | The default namespace should not be used |
| 60 | CKV_K8S_23 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Minimize the admission of root containers |
| 61 | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Service.kubernetes-goat-home-service.default | The default namespace should not be used |
| 62 | CKV_K8S_37 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 63 | CKV_K8S_8 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Liveness Probe Should be Configured |
| 64 | CKV_K8S_12 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Memory requests should be set |
| 65 | CKV_K8S_20 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 66 | CKV_K8S_10 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | CPU requests should be set |
| 67 | CKV_K8S_22 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 68 | CKV_K8S_9 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Readiness Probe Should be Configured |
| 69 | CKV_K8S_28 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 70 | CKV_K8S_30 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Apply security context to your pods and containers |
| 71 | CKV_K8S_14 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 72 | CKV_K8S_43 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Image should use digest |
| 73 | CKV_K8S_31 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 74 | CKV_K8S_40 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Containers should run as a high UID to avoid host conflict |
| 75 | CKV_K8S_29 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Apply security context to your pods and containers |
| 76 | CKV_K8S_38 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Ensure that Service Account Tokens are only mounted where necessary |
| 77 | CKV_K8S_21 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | The default namespace should not be used |
| 78 | CKV_K8S_23 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Minimize the admission of root containers |
| 79 | CKV_K8S_37 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 80 | CKV_K8S_12 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Memory requests should be set |
| 81 | CKV_K8S_20 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 82 | CKV_K8S_13 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Memory limits should be set |
| 83 | CKV_K8S_10 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | CPU requests should be set |
| 84 | CKV_K8S_22 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Use read-only filesystem for containers where possible |
| 85 | CKV_K8S_28 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 86 | CKV_K8S_30 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Apply security context to your pods and containers |
| 87 | CKV_K8S_14 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Image Tag should be fixed - not latest or blank |
| 88 | CKV_K8S_43 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Image should use digest |
| 89 | CKV_K8S_11 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | CPU limits should be set |
| 90 | CKV_K8S_31 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 91 | CKV_K8S_40 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Containers should run as a high UID to avoid host conflict |
| 92 | CKV_K8S_29 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Apply security context to your pods and containers |
| 93 | CKV_K8S_38 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 94 | CKV_K8S_21 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | The default namespace should not be used |
| 95 | CKV_K8S_23 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Minimize the admission of root containers |
| 96 | CKV_K8S_21 | /scenarios/hunger-check/deployment.yaml | Service.hunger-check-service.default | The default namespace should not be used |
| 97 | CKV_K8S_37 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 98 | CKV_K8S_8 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Liveness Probe Should be Configured |
| 99 | CKV_K8S_12 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Memory requests should be set |
| 100 | CKV_K8S_20 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 101 | CKV_K8S_13 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Memory limits should be set |
| 102 | CKV_K8S_10 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | CPU requests should be set |
| 103 | CKV_K8S_22 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 104 | CKV_K8S_9 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Readiness Probe Should be Configured |
| 105 | CKV_K8S_28 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 106 | CKV_K8S_30 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Apply security context to your pods and containers |
| 107 | CKV_K8S_14 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 108 | CKV_K8S_43 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Image should use digest |
| 109 | CKV_K8S_11 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | CPU limits should be set |
| 110 | CKV_K8S_31 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 111 | CKV_K8S_40 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Containers should run as a high UID to avoid host conflict |
| 112 | CKV_K8S_29 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Apply security context to your pods and containers |
| 113 | CKV_K8S_38 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 114 | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | The default namespace should not be used |
| 115 | CKV_K8S_23 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Minimize the admission of root containers |
| 116 | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Service.poor-registry-service.default | The default namespace should not be used |
| 117 | CKV_K8S_37 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 118 | CKV_K8S_8 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Liveness Probe Should be Configured |
| 119 | CKV_K8S_12 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Memory requests should be set |
| 120 | CKV_K8S_20 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 121 | CKV_K8S_10 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | CPU requests should be set |
| 122 | CKV_K8S_22 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 123 | CKV_K8S_9 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Readiness Probe Should be Configured |
| 124 | CKV_K8S_28 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 125 | CKV_K8S_30 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Apply security context to your pods and containers |
| 126 | CKV_K8S_14 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 127 | CKV_K8S_43 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Image should use digest |
| 128 | CKV_K8S_31 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 129 | CKV_K8S_40 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Containers should run as a high UID to avoid host conflict |
| 130 | CKV_K8S_17 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Containers should not share the host process ID namespace |
| 131 | CKV_K8S_29 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Apply security context to your pods and containers |
| 132 | CKV_K8S_38 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Ensure that Service Account Tokens are only mounted where necessary |
| 133 | CKV_K8S_21 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | The default namespace should not be used |
| 134 | CKV_K8S_23 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Minimize the admission of root containers |
| 135 | CKV_K8S_37 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 136 | CKV_K8S_12 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Memory requests should be set |
| 137 | CKV_K8S_20 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 138 | CKV_K8S_13 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Memory limits should be set |
| 139 | CKV_K8S_10 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | CPU requests should be set |
| 140 | CKV_K8S_22 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Use read-only filesystem for containers where possible |
| 141 | CKV_K8S_28 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 142 | CKV_K8S_30 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Apply security context to your pods and containers |
| 143 | CKV_K8S_14 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Image Tag should be fixed - not latest or blank |
| 144 | CKV_K8S_43 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Image should use digest |
| 145 | CKV_K8S_11 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | CPU limits should be set |
| 146 | CKV_K8S_31 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 147 | CKV_K8S_40 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Containers should run as a high UID to avoid host conflict |
| 148 | CKV_K8S_17 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Containers should not share the host process ID namespace |
| 149 | CKV_K8S_29 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Apply security context to your pods and containers |
| 150 | CKV_K8S_38 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Ensure that Service Account Tokens are only mounted where necessary |
| 151 | CKV_K8S_21 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | The default namespace should not be used |
| 152 | CKV_K8S_23 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Minimize the admission of root containers |
| 153 | CKV_K8S_37 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 154 | CKV_K8S_12 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Memory requests should be set |
| 155 | CKV_K8S_20 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 156 | CKV_K8S_13 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Memory limits should be set |
| 157 | CKV_K8S_10 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | CPU requests should be set |
| 158 | CKV_K8S_22 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Use read-only filesystem for containers where possible |
| 159 | CKV_K8S_28 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 160 | CKV_K8S_30 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Apply security context to your pods and containers |
| 161 | CKV_K8S_14 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Image Tag should be fixed - not latest or blank |
| 162 | CKV_K8S_43 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Image should use digest |
| 163 | CKV_K8S_11 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | CPU limits should be set |
| 164 | CKV_K8S_31 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 165 | CKV_K8S_27 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Do not expose the docker daemon socket to containers |
| 166 | CKV_K8S_40 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Containers should run as a high UID to avoid host conflict |
| 167 | CKV_K8S_29 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Apply security context to your pods and containers |
| 168 | CKV_K8S_38 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 169 | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | The default namespace should not be used |
| 170 | CKV_K8S_23 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Minimize the admission of root containers |
| 171 | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Service.health-check-service.default | The default namespace should not be used |
| 172 | CKV_K8S_37 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 173 | CKV_K8S_8 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Liveness Probe Should be Configured |
| 174 | CKV_K8S_12 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Memory requests should be set |
| 175 | CKV_K8S_20 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 176 | CKV_K8S_10 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | CPU requests should be set |
| 177 | CKV_K8S_16 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Container should not be privileged |
| 178 | CKV_K8S_22 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 179 | CKV_K8S_9 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Readiness Probe Should be Configured |
| 180 | CKV_K8S_28 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 181 | CKV_K8S_14 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 182 | CKV_K8S_43 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Image should use digest |
| 183 | CKV_K8S_31 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 184 | CKV_K8S_40 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Containers should run as a high UID to avoid host conflict |
| 185 | CKV_K8S_29 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Apply security context to your pods and containers |
| 186 | CKV_K8S_38 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 187 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | The default namespace should not be used |
| 188 | CKV_K8S_23 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Minimize the admission of root containers |
| 189 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.internal-proxy-api-service.default | The default namespace should not be used |
| 190 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.internal-proxy-info-app-service.default | The default namespace should not be used |
| 191 | CKV_K8S_37 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 192 | CKV_K8S_8 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Liveness Probe Should be Configured |
| 193 | CKV_K8S_20 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 194 | CKV_K8S_22 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 195 | CKV_K8S_9 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Readiness Probe Should be Configured |
| 196 | CKV_K8S_28 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 197 | CKV_K8S_30 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Apply security context to your pods and containers |
| 198 | CKV_K8S_14 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 199 | CKV_K8S_43 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Image should use digest |
| 200 | CKV_K8S_37 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Minimize the admission of containers with capabilities assigned |
| 201 | CKV_K8S_8 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Liveness Probe Should be Configured |
| 202 | CKV_K8S_20 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Containers should not run with allowPrivilegeEscalation |
| 203 | CKV_K8S_22 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Use read-only filesystem for containers where possible |
| 204 | CKV_K8S_9 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Readiness Probe Should be Configured |
| 205 | CKV_K8S_28 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Minimize the admission of containers with the NET_RAW capability |
| 206 | CKV_K8S_30 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Apply security context to your pods and containers |
| 207 | CKV_K8S_14 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Image Tag should be fixed - not latest or blank |
| 208 | CKV_K8S_43 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Image should use digest |
| 209 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Secret.goatvault.default | The default namespace should not be used |
| 210 | CKV_K8S_31 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
| 211 | CKV_K8S_40 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should run as a high UID to avoid host conflict |
| 212 | CKV_K8S_19 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host network namespace |
| 213 | CKV_K8S_17 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host process ID namespace |
| 214 | CKV_K8S_18 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host IPC namespace |
| 215 | CKV_K8S_29 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Apply security context to your pods and containers |
| 216 | CKV_K8S_38 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
| 217 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | The default namespace should not be used |
| 218 | CKV_K8S_23 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Minimize the admission of root containers |
| 219 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Service.system-monitor-service.default | The default namespace should not be used |
| 220 | CKV_K8S_37 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
| 221 | CKV_K8S_8 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Liveness Probe Should be Configured |
| 222 | CKV_K8S_12 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Memory requests should be set |
| 223 | CKV_K8S_20 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
| 224 | CKV_K8S_10 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | CPU requests should be set |
| 225 | CKV_K8S_16 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Container should not be privileged |
| 226 | CKV_K8S_22 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Use read-only filesystem for containers where possible |
| 227 | CKV_K8S_9 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Readiness Probe Should be Configured |
| 228 | CKV_K8S_35 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Prefer using secrets as files over secrets as environment variables |
| 229 | CKV_K8S_28 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
| 230 | CKV_K8S_14 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
| 231 | CKV_K8S_43 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Image should use digest |