checkov report for Kubernetes Goat
To identify all 232 Kubernetes configuration issues, run checkov by Bridgecrew.
https://twitter.com/BarakSchoster/status/1273170904894377985
# | check_id | file | resource | check_name |
---|---|---|---|---|
0 | CKV_K8S_31 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that the seccomp profile is set to docker/default or runtime/default |
1 | CKV_K8S_40 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Containers should run as a high UID to avoid host conflict |
2 | CKV_K8S_29 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Apply security context to your pods and containers |
3 | CKV_K8S_38 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Ensure that Service Account Tokens are only mounted where necessary |
4 | CKV_K8S_23 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware | Minimize the admission of root containers |
5 | CKV_K8S_37 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with capabilities assigned |
6 | CKV_K8S_8 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Liveness Probe Should be Configured |
7 | CKV_K8S_12 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory requests should be set |
8 | CKV_K8S_20 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Containers should not run with allowPrivilegeEscalation |
9 | CKV_K8S_13 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Memory limits should be set |
10 | CKV_K8S_10 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU requests should be set |
11 | CKV_K8S_22 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Use read-only filesystem for containers where possible |
12 | CKV_K8S_9 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Readiness Probe Should be Configured |
13 | CKV_K8S_28 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Minimize the admission of containers with the NET_RAW capability |
14 | CKV_K8S_30 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Apply security context to your pods and containers |
15 | CKV_K8S_14 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image Tag should be fixed - not latest or blank |
16 | CKV_K8S_43 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | Image should use digest |
17 | CKV_K8S_11 | /scenarios/cache-store/deployment.yaml | Deployment.cache-store-deployment.secure-middleware (container 0) | CPU limits should be set |
18 | CKV_K8S_31 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
19 | CKV_K8S_40 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Containers should run as a high UID to avoid host conflict |
20 | CKV_K8S_29 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Apply security context to your pods and containers |
21 | CKV_K8S_38 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
22 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | The default namespace should not be used |
23 | CKV_K8S_23 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default | Minimize the admission of root containers |
24 | CKV_K8S_21 | /scenarios/build-code/deployment.yaml | Service.build-code-service.default | The default namespace should not be used |
25 | CKV_K8S_37 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
26 | CKV_K8S_8 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Liveness Probe Should be Configured |
27 | CKV_K8S_12 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Memory requests should be set |
28 | CKV_K8S_20 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
29 | CKV_K8S_10 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | CPU requests should be set |
30 | CKV_K8S_22 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Use read-only filesystem for containers where possible |
31 | CKV_K8S_9 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Readiness Probe Should be Configured |
32 | CKV_K8S_28 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
33 | CKV_K8S_30 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Apply security context to your pods and containers |
34 | CKV_K8S_14 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
35 | CKV_K8S_43 | /scenarios/build-code/deployment.yaml | Deployment.build-code-deployment.default (container 0) | Image should use digest |
36 | CKV_K8S_31 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
37 | CKV_K8S_27 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Do not expose the docker daemon socket to containers |
38 | CKV_K8S_40 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should run as a high UID to avoid host conflict |
39 | CKV_K8S_19 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host network namespace |
40 | CKV_K8S_17 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host process ID namespace |
41 | CKV_K8S_18 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Containers should not share the host IPC namespace |
42 | CKV_K8S_38 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Ensure that Service Account Tokens are only mounted where necessary |
43 | CKV_K8S_21 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | The default namespace should not be used |
44 | CKV_K8S_23 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default | Minimize the admission of root containers |
45 | CKV_K8S_37 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with capabilities assigned |
46 | CKV_K8S_8 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Liveness Probe Should be Configured |
47 | CKV_K8S_20 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Containers should not run with allowPrivilegeEscalation |
48 | CKV_K8S_16 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Container should not be privileged |
49 | CKV_K8S_22 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Use read-only filesystem for containers where possible |
50 | CKV_K8S_9 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Readiness Probe Should be Configured |
51 | CKV_K8S_28 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
52 | CKV_K8S_25 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Minimize the admission of containers with added capability |
53 | CKV_K8S_14 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Image Tag should be fixed - not latest or blank |
54 | CKV_K8S_43 | /scenarios/docker-bench-security/deployment.yaml | DaemonSet.docker-bench-security.default (container 0) | Image should use digest |
55 | CKV_K8S_31 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
56 | CKV_K8S_40 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Containers should run as a high UID to avoid host conflict |
57 | CKV_K8S_29 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Apply security context to your pods and containers |
58 | CKV_K8S_38 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
59 | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | The default namespace should not be used |
60 | CKV_K8S_23 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default | Minimize the admission of root containers |
61 | CKV_K8S_21 | /scenarios/kubernetes-goat-home/deployment.yaml | Service.kubernetes-goat-home-service.default | The default namespace should not be used |
62 | CKV_K8S_37 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
63 | CKV_K8S_8 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Liveness Probe Should be Configured |
64 | CKV_K8S_12 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Memory requests should be set |
65 | CKV_K8S_20 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
66 | CKV_K8S_10 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | CPU requests should be set |
67 | CKV_K8S_22 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Use read-only filesystem for containers where possible |
68 | CKV_K8S_9 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Readiness Probe Should be Configured |
69 | CKV_K8S_28 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
70 | CKV_K8S_30 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Apply security context to your pods and containers |
71 | CKV_K8S_14 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
72 | CKV_K8S_43 | /scenarios/kubernetes-goat-home/deployment.yaml | Deployment.kubernetes-goat-home-deployment.default (container 0) | Image should use digest |
73 | CKV_K8S_31 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
74 | CKV_K8S_40 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Containers should run as a high UID to avoid host conflict |
75 | CKV_K8S_29 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Apply security context to your pods and containers |
76 | CKV_K8S_38 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Ensure that Service Account Tokens are only mounted where necessary |
77 | CKV_K8S_21 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | The default namespace should not be used |
78 | CKV_K8S_23 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default | Minimize the admission of root containers |
79 | CKV_K8S_37 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Minimize the admission of containers with capabilities assigned |
80 | CKV_K8S_12 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Memory requests should be set |
81 | CKV_K8S_20 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Containers should not run with allowPrivilegeEscalation |
82 | CKV_K8S_13 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Memory limits should be set |
83 | CKV_K8S_10 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | CPU requests should be set |
84 | CKV_K8S_22 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Use read-only filesystem for containers where possible |
85 | CKV_K8S_28 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
86 | CKV_K8S_30 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Apply security context to your pods and containers |
87 | CKV_K8S_14 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Image Tag should be fixed - not latest or blank |
88 | CKV_K8S_43 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | Image should use digest |
89 | CKV_K8S_11 | /scenarios/batch-check/job.yaml | Job.batch-check-job.default (container 0) | CPU limits should be set |
90 | CKV_K8S_31 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
91 | CKV_K8S_40 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Containers should run as a high UID to avoid host conflict |
92 | CKV_K8S_29 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Apply security context to your pods and containers |
93 | CKV_K8S_38 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
94 | CKV_K8S_21 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | The default namespace should not be used |
95 | CKV_K8S_23 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default | Minimize the admission of root containers |
96 | CKV_K8S_21 | /scenarios/hunger-check/deployment.yaml | Service.hunger-check-service.default | The default namespace should not be used |
97 | CKV_K8S_37 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
98 | CKV_K8S_8 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Liveness Probe Should be Configured |
99 | CKV_K8S_12 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Memory requests should be set |
100 | CKV_K8S_20 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
101 | CKV_K8S_13 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Memory limits should be set |
102 | CKV_K8S_10 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | CPU requests should be set |
103 | CKV_K8S_22 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Use read-only filesystem for containers where possible |
104 | CKV_K8S_9 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Readiness Probe Should be Configured |
105 | CKV_K8S_28 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
106 | CKV_K8S_30 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Apply security context to your pods and containers |
107 | CKV_K8S_14 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
108 | CKV_K8S_43 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | Image should use digest |
109 | CKV_K8S_11 | /scenarios/hunger-check/deployment.yaml | Deployment.hunger-check-deployment.default (container 0) | CPU limits should be set |
110 | CKV_K8S_31 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
111 | CKV_K8S_40 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Containers should run as a high UID to avoid host conflict |
112 | CKV_K8S_29 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Apply security context to your pods and containers |
113 | CKV_K8S_38 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
114 | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | The default namespace should not be used |
115 | CKV_K8S_23 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default | Minimize the admission of root containers |
116 | CKV_K8S_21 | /scenarios/poor-registry/deployment.yaml | Service.poor-registry-service.default | The default namespace should not be used |
117 | CKV_K8S_37 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
118 | CKV_K8S_8 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Liveness Probe Should be Configured |
119 | CKV_K8S_12 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Memory requests should be set |
120 | CKV_K8S_20 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
121 | CKV_K8S_10 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | CPU requests should be set |
122 | CKV_K8S_22 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Use read-only filesystem for containers where possible |
123 | CKV_K8S_9 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Readiness Probe Should be Configured |
124 | CKV_K8S_28 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
125 | CKV_K8S_30 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Apply security context to your pods and containers |
126 | CKV_K8S_14 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
127 | CKV_K8S_43 | /scenarios/poor-registry/deployment.yaml | Deployment.poor-registry-deployment.default (container 0) | Image should use digest |
128 | CKV_K8S_31 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
129 | CKV_K8S_40 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Containers should run as a high UID to avoid host conflict |
130 | CKV_K8S_17 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Containers should not share the host process ID namespace |
131 | CKV_K8S_29 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Apply security context to your pods and containers |
132 | CKV_K8S_38 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Ensure that Service Account Tokens are only mounted where necessary |
133 | CKV_K8S_21 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | The default namespace should not be used |
134 | CKV_K8S_23 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default | Minimize the admission of root containers |
135 | CKV_K8S_37 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Minimize the admission of containers with capabilities assigned |
136 | CKV_K8S_12 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Memory requests should be set |
137 | CKV_K8S_20 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Containers should not run with allowPrivilegeEscalation |
138 | CKV_K8S_13 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Memory limits should be set |
139 | CKV_K8S_10 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | CPU requests should be set |
140 | CKV_K8S_22 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Use read-only filesystem for containers where possible |
141 | CKV_K8S_28 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
142 | CKV_K8S_30 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Apply security context to your pods and containers |
143 | CKV_K8S_14 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Image Tag should be fixed - not latest or blank |
144 | CKV_K8S_43 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | Image should use digest |
145 | CKV_K8S_11 | /scenarios/kube-bench-security/master-job.yaml | Job.kube-bench-master.default (container 0) | CPU limits should be set |
146 | CKV_K8S_31 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
147 | CKV_K8S_40 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Containers should run as a high UID to avoid host conflict |
148 | CKV_K8S_17 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Containers should not share the host process ID namespace |
149 | CKV_K8S_29 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Apply security context to your pods and containers |
150 | CKV_K8S_38 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Ensure that Service Account Tokens are only mounted where necessary |
151 | CKV_K8S_21 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | The default namespace should not be used |
152 | CKV_K8S_23 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default | Minimize the admission of root containers |
153 | CKV_K8S_37 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Minimize the admission of containers with capabilities assigned |
154 | CKV_K8S_12 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Memory requests should be set |
155 | CKV_K8S_20 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Containers should not run with allowPrivilegeEscalation |
156 | CKV_K8S_13 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Memory limits should be set |
157 | CKV_K8S_10 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | CPU requests should be set |
158 | CKV_K8S_22 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Use read-only filesystem for containers where possible |
159 | CKV_K8S_28 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
160 | CKV_K8S_30 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Apply security context to your pods and containers |
161 | CKV_K8S_14 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Image Tag should be fixed - not latest or blank |
162 | CKV_K8S_43 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | Image should use digest |
163 | CKV_K8S_11 | /scenarios/kube-bench-security/node-job.yaml | Job.kube-bench-node.default (container 0) | CPU limits should be set |
164 | CKV_K8S_31 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
165 | CKV_K8S_27 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Do not expose the docker daemon socket to containers |
166 | CKV_K8S_40 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Containers should run as a high UID to avoid host conflict |
167 | CKV_K8S_29 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Apply security context to your pods and containers |
168 | CKV_K8S_38 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
169 | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | The default namespace should not be used |
170 | CKV_K8S_23 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default | Minimize the admission of root containers |
171 | CKV_K8S_21 | /scenarios/health-check/deployment.yaml | Service.health-check-service.default | The default namespace should not be used |
172 | CKV_K8S_37 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
173 | CKV_K8S_8 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Liveness Probe Should be Configured |
174 | CKV_K8S_12 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Memory requests should be set |
175 | CKV_K8S_20 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
176 | CKV_K8S_10 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | CPU requests should be set |
177 | CKV_K8S_16 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Container should not be privileged |
178 | CKV_K8S_22 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Use read-only filesystem for containers where possible |
179 | CKV_K8S_9 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Readiness Probe Should be Configured |
180 | CKV_K8S_28 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
181 | CKV_K8S_14 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
182 | CKV_K8S_43 | /scenarios/health-check/deployment.yaml | Deployment.health-check-deployment.default (container 0) | Image should use digest |
183 | CKV_K8S_31 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
184 | CKV_K8S_40 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Containers should run as a high UID to avoid host conflict |
185 | CKV_K8S_29 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Apply security context to your pods and containers |
186 | CKV_K8S_38 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
187 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | The default namespace should not be used |
188 | CKV_K8S_23 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default | Minimize the admission of root containers |
189 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.internal-proxy-api-service.default | The default namespace should not be used |
190 | CKV_K8S_21 | /scenarios/internal-proxy/deployment.yaml | Service.internal-proxy-info-app-service.default | The default namespace should not be used |
191 | CKV_K8S_37 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
192 | CKV_K8S_8 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Liveness Probe Should be Configured |
193 | CKV_K8S_20 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
194 | CKV_K8S_22 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Use read-only filesystem for containers where possible |
195 | CKV_K8S_9 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Readiness Probe Should be Configured |
196 | CKV_K8S_28 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
197 | CKV_K8S_30 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Apply security context to your pods and containers |
198 | CKV_K8S_14 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
199 | CKV_K8S_43 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 0) | Image should use digest |
200 | CKV_K8S_37 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Minimize the admission of containers with capabilities assigned |
201 | CKV_K8S_8 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Liveness Probe Should be Configured |
202 | CKV_K8S_20 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Containers should not run with allowPrivilegeEscalation |
203 | CKV_K8S_22 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Use read-only filesystem for containers where possible |
204 | CKV_K8S_9 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Readiness Probe Should be Configured |
205 | CKV_K8S_28 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Minimize the admission of containers with the NET_RAW capability |
206 | CKV_K8S_30 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Apply security context to your pods and containers |
207 | CKV_K8S_14 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Image Tag should be fixed - not latest or blank |
208 | CKV_K8S_43 | /scenarios/internal-proxy/deployment.yaml | Deployment.internal-proxy-deployment.default (container 1) | Image should use digest |
209 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Secret.goatvault.default | The default namespace should not be used |
210 | CKV_K8S_31 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Ensure that the seccomp profile is set to docker/default or runtime/default |
211 | CKV_K8S_40 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should run as a high UID to avoid host conflict |
212 | CKV_K8S_19 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host network namespace |
213 | CKV_K8S_17 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host process ID namespace |
214 | CKV_K8S_18 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Containers should not share the host IPC namespace |
215 | CKV_K8S_29 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Apply security context to your pods and containers |
216 | CKV_K8S_38 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Ensure that Service Account Tokens are only mounted where necessary |
217 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | The default namespace should not be used |
218 | CKV_K8S_23 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default | Minimize the admission of root containers |
219 | CKV_K8S_21 | /scenarios/system-monitor/deployment.yaml | Service.system-monitor-service.default | The default namespace should not be used |
220 | CKV_K8S_37 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Minimize the admission of containers with capabilities assigned |
221 | CKV_K8S_8 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Liveness Probe Should be Configured |
222 | CKV_K8S_12 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Memory requests should be set |
223 | CKV_K8S_20 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Containers should not run with allowPrivilegeEscalation |
224 | CKV_K8S_10 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | CPU requests should be set |
225 | CKV_K8S_16 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Container should not be privileged |
226 | CKV_K8S_22 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Use read-only filesystem for containers where possible |
227 | CKV_K8S_9 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Readiness Probe Should be Configured |
228 | CKV_K8S_35 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Prefer using secrets as files over secrets as environment variables |
229 | CKV_K8S_28 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Minimize the admission of containers with the NET_RAW capability |
230 | CKV_K8S_14 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Image Tag should be fixed - not latest or blank |
231 | CKV_K8S_43 | /scenarios/system-monitor/deployment.yaml | Deployment.system-monitor-deployment.default (container 0) | Image should use digest |
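The rows above for `/scenarios/system-monitor/deployment.yaml` carry the most severe findings in the whole report: host PID, IPC and network namespaces shared with the node (CKV_K8S_17/18/19), a privileged container (CKV_K8S_16) and the `goatvault` secret handed to the container as an environment variable (CKV_K8S_35). Together those turn any code execution in the pod into a node compromise. The manifest below is an added example, not code from the Kubernetes Goat project or from this report: it is the system-monitor Deployment rewritten so that every check ID listed for it passes. The image name and digest, the namespace name, the port, the probe paths and the secret key are assumptions chosen for illustration.

```yaml
# Added example (not from Kubernetes Goat or the checkov report): the
# system-monitor Deployment with each flagged check fixed in place.
# Image, digest, namespace, port, probe paths and secret key are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: system-monitor                 # CKV_K8S_21: dedicated namespace, not "default"
---
apiVersion: v1
kind: Secret
metadata:
  name: goatvault
  namespace: system-monitor            # CKV_K8S_21 (Secret.goatvault was also flagged)
type: Opaque
stringData:
  token: REPLACE_AT_DEPLOY_TIME        # placeholder; inject from your secret store
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: system-monitor-deployment
  namespace: system-monitor            # CKV_K8S_21
spec:
  replicas: 1
  selector:
    matchLabels:
      app: system-monitor
  template:
    metadata:
      labels:
        app: system-monitor
    spec:
      # CKV_K8S_17/18/19: hostPID, hostIPC and hostNetwork are simply omitted
      # (they default to false), so the pod keeps its own kernel namespaces.
      automountServiceAccountToken: false      # CKV_K8S_38: no API token unless needed
      securityContext:                         # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                     # CKV_K8S_23: refuse to start as UID 0
        runAsUser: 10001                       # CKV_K8S_40: high UID, no host user overlap
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                 # CKV_K8S_31 (older checkov versions look for
                                               # the seccomp.security.alpha.kubernetes.io/pod
                                               # annotation set to runtime/default instead)
      containers:
        - name: system-monitor
          # CKV_K8S_14/43: tag pinned and digest supplied; the digest here is a
          # placeholder, take the real one from the registry (e.g. `crane digest`).
          image: registry.example.com/system-monitor:1.0.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
          securityContext:                     # CKV_K8S_30: container-level security context
            privileged: false                  # CKV_K8S_16
            allowPrivilegeEscalation: false    # CKV_K8S_20: blocks setuid/file-cap escalation
            readOnlyRootFilesystem: true       # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                    # CKV_K8S_28/37: drops NET_RAW and everything else
          ports:
            - containerPort: 8080              # assumed application port
          resources:                           # CKV_K8S_10/12: requests set, limits as well
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 128Mi
          livenessProbe:                       # CKV_K8S_8
            httpGet:
              path: /healthz                   # assumed path
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
          readinessProbe:                      # CKV_K8S_9
            httpGet:
              path: /ready                     # assumed path
              port: 8080
            periodSeconds: 5
          volumeMounts:
            # CKV_K8S_35: the secret is a file, not an env var that is visible in
            # /proc/<pid>/environ, `kubectl describe pod` output and crash dumps.
            - name: goatvault
              mountPath: /var/run/secrets/goatvault
              readOnly: true
            - name: tmp                        # writable scratch space, since the root fs is read-only
              mountPath: /tmp
      volumes:
        - name: goatvault
          secret:
            secretName: goatvault
            defaultMode: 0400
        - name: tmp
          emptyDir: {}
```

Re-run `checkov -f deployment.yaml --framework kubernetes` after the change to confirm the resource no longer appears in the failed checks. One caveat: a monitor that genuinely needs node-level visibility cannot have `hostPID` or `privileged` removed without losing that visibility; in that case the honest fix is a DaemonSet in its own namespace that adds only the specific capabilities it needs, with the risk recorded and the check suppressed explicitly, rather than a privileged pod left in `default` with a secret in its environment.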