Kubernetes

Do not admit containers wishing to share host process ID namespace

Do not admit privileged containers

Do not admit containers wishing to share host IPC namespace

Do not admit containers wishing to share host network namespace

Do not admit root containers

Do not admit containers with NET_RAW capability

Ensure liveness probe is configured

Ensure readiness probe is configured

Ensure CPU request is set

Ensure CPU limits are set

Ensure memory requests are set

Ensure memory limits are set

Ensure image tag is set to a fixed version, not latest or blank

Ensure image pull policy is set to Always

Ensure container is not privileged

Ensure containers do not share host process ID namespace

Ensure containers do not share host IPC namespace

Ensure containers do not share the host network namespace

Ensure containers do not run with AllowPrivilegeEscalation

Ensure default namespace is not used

Use Read-Only filesystem for containers where possible

Minimize admission of root containers

Ensure containers with added capability are not allowed

Ensure admission of containers with added capability is minimized

Do not specify hostPort unless absolutely necessary

Limit mounting of the Docker daemon socket in a container

Ensure admission of containers with NET_RAW capability is minimized

Ensure securityContext is applied to pods and containers

Ensure seccomp is set to Docker/Default or Runtime/Default

Ensure seccomp profile is set to Docker/Default or Runtime/Default

Ensure Kubernetes dashboard is not deployed

Ensure Tiller (Helm V2) is not deployed

Use secrets as files instead of environment variables

Ensure admission of containers with capabilities assigned is limited

Ensure service account tokens are only mounted where necessary

Ensure CAP_SYS_ADMIN Linux capability is not used

Ensure containers run with a high UID to avoid host conflict

Ensure default service accounts are not actively used

Ensure images are selected using a digest

Ensure Tiller (Helm V2) deployment is not accessible from within the cluster

Ensure Tiller (Helm v2) service is deleted

Ensure containers do not run with AllowPrivilegeEscalation

Ensure securityContext is applied to pods and containers

Minimize the admission of containers with capabilities assigned

Ensure default service accounts are not actively used

Ensure the --anonymous-auth argument is set to False

Ensure the --basic-auth-file argument is not set

Ensure the --token-auth-file argument is not set

Ensure the --kubelet-https argument is set to True

Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately

Ensure the --kubelet-certificate-authority argument is set appropriately

Ensure the --authorization-mode argument is not set to AlwaysAllow

Ensure the --authorization-mode argument includes Node

Ensure the --authorization-mode argument includes RBAC

Ensure the admission control plugin EventRateLimit is set

Ensure the admission control plugin AlwaysAdmit is not set

Ensure the admission control plugin AlwaysPullImages is set

Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

Ensure the admission control plugin ServiceAccount is set

Ensure the admission control plugin NamespaceLifecycle is set

Ensure the admission control plugin PodSecurityPolicy is set

Ensure the admission control plugin NodeRestriction is set

Ensure the --insecure-bind-address argument is not set

Ensure the --insecure-port argument is set to 0

Ensure the --secure-port argument is not set to 0

Ensure the --profiling argument is set to False

Ensure the --audit-log-path argument is set

Ensure the --audit-log-maxage argument is set to 30 or as appropriate

Ensure the --audit-log-maxbackup argument is set to 10 or as appropriate

Ensure the --audit-log-maxsize argument is set to 100 or as appropriate

Ensure the --request-timeout argument is set appropriately

Ensure the --service-account-lookup argument is set to True

Ensure the --service-account-key-file argument is set appropriately

Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately

Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately

Ensure Kubelet only uses strong cryptographic ciphers

Ensure the --etcd-cafile argument is set appropriately

Ensure encryption providers are appropriately configured

Ensure the API server makes use of strong cryptographic ciphers

Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately

Ensure the --profiling argument for controller managers is set to False

Ensure the --use-service-account-credentials argument for controller managers is set to True

Ensure the --service-account-private-key-file argument for controller managers is set appropriately

Ensure the --root-ca-file argument for controller managers is set appropriately

Ensure the RotateKubeletServerCertificate argument for controller managers is set to True

Ensure the --bind-address argument for controller managers is set to 127.0.0.1

Ensure the --profiling argument is set to False

Ensure the --bind-address argument is set to 127.0.0.1

Ensure the --cert-file and --key-file arguments are set appropriately

Ensure the --client-cert-auth argument is set to True

Ensure the --auto-tls argument is not set to True

Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately

Ensure the --peer-client-cert-auth argument is set to True

Ensure the --peer-auto-tls argument is not set to True

Ensure the --anonymous-auth argument is set to False

Ensure the --authorization-mode argument is not set to AlwaysAllow

Ensure the --client-ca-file argument for API Servers is set appropriately

Ensure the --read-only-port argument is set to 0

Ensure the --streaming-connection-idle-timeout argument is not set to 0

Ensure the --protect-kernel-defaults argument is set to True

Ensure the --make-iptables-util-chains argument is set to True

Ensure the --hostname-override argument is not set

Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture

Ensure --tls-cert-file and --tls-private-key-file arguments are set appropriately

Ensure the --rotate-certificates argument is not set to False

Ensure the RotateKubeletServerCertificate argument for kubelets is set to True

Minimize wildcard use in Roles and ClusterRoles

RoleBindings should not allow privilege escalation to a ServiceAccount or Node on other RoleBindings

Granting create permissions on the nodes/proxy or pods/exec subresources allows potential privilege escalation

No ServiceAccount or Node should have impersonate permissions for groups, users or service accounts

ServiceAccounts and Nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MitM attacks against the cluster

No ServiceAccount or Node should be able to read all secrets