Kubernetes
Do not admit containers wishing to share host process ID namespace
Do not admit privileged containers
Do not admit containers wishing to share host IPC namespace
Do not admit containers wishing to share host network namespace
Do not admit containers with NET_RAW capability
Ensure liveness probe is configured
Ensure readiness probe is configured
Ensure memory requests are set
Ensure the image tag is fixed, not latest or blank
Ensure image pull policy is set to Always
Ensure container is not privileged
Ensure containers do not share host process ID namespace
Ensure containers do not share host IPC namespace
Ensure containers do not share the host network namespace
Ensure containers do not run with AllowPrivilegeEscalation
Ensure default namespace is not used
Use Read-Only filesystem for containers where possible
Minimize admission of root containers
Ensure containers with added capability are not allowed
Ensure admission of containers with added capability is minimized
Do not specify hostPort unless absolutely necessary
Limit mounting the Docker daemon socket in a container
Ensure admission of containers with NET_RAW capability is minimized
Ensure securityContext is applied to pods and containers
Ensure seccomp is set to Docker/Default or Runtime/Default
Ensure seccomp profile is set to Docker/Default or Runtime/Default
Ensure Kubernetes dashboard is not deployed
Ensure Tiller (Helm V2) is not deployed
Use secrets as files instead of environment variables
Ensure admission of containers with capabilities assigned is limited
Ensure service account tokens are mounted where necessary
Ensure CAP_SYS_ADMIN Linux capability is not used
Ensure containers run with a high UID to avoid host conflict
Ensure default service accounts are not actively used
Ensure images are selected using a digest
Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Ensure Tiller (Helm v2) service is deleted
Minimise the admission of containers with capabilities assigned
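The Pod and container checks above can be applied mechanically to a manifest. The following is an added example, not code from the original page or from any scanner: it takes a Pod parsed into a dict (for instance by PyYAML), evaluates the listed workload checks (host namespaces, privileged, privilege escalation, NET_RAW and added capabilities, read-only root filesystem, non-root, seccomp, image tag and digest pinning, pull policy, probes, memory requests, hostPort, Docker socket mounts, default namespace and service account, token automount, secrets in environment variables) and returns the ones that fail. The two sample Pods are constructed for illustration.

```python
"""Audit a parsed Kubernetes Pod manifest against the workload checks listed above.

Added example, not code from the original page or from any scanner. Input is a Pod
parsed into a dict (e.g. by PyYAML); only spec.containers are inspected, since the
probe checks do not apply to initContainers. The sample Pods are constructed.
"""
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"


def _seccomp_ok(pod_sc, sc, annotations):
    """A profile set in securityContext (pod or container) or via the legacy annotation."""
    types = {pod_sc.get("seccompProfile", {}).get("type"), sc.get("seccompProfile", {}).get("type")}
    if types & {"RuntimeDefault", "Localhost"}:
        return True
    return annotations.get(SECCOMP_ANNOTATION) in ("runtime/default", "docker/default")


def audit_pod(pod):
    """Return a sorted list of failed-check labels for one Pod manifest."""
    findings = set()
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    pod_sc, annotations = spec.get("securityContext", {}), meta.get("annotations", {})
    if meta.get("namespace", "default") == "default":
        findings.add("pod:default-namespace")
    if spec.get("serviceAccountName", "default") == "default":
        findings.add("pod:default-service-account")
    if spec.get("automountServiceAccountToken", True):
        findings.add("pod:service-account-token-automounted")
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.add(f"pod:{key}")
    for vol in spec.get("volumes", []):
        if vol.get("hostPath", {}).get("path", "").startswith("/var/run/docker.sock"):
            findings.add("pod:docker-socket-mounted")
    for c in spec.get("containers", []):
        name, sc, image = c.get("name", "?"), c.get("securityContext", {}), c.get("image", "")
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.add(f"{name}:privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.add(f"{name}:allowPrivilegeEscalation")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.add(f"{name}:writable-root-filesystem")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.add(f"{name}:may-run-as-root")
        if caps.get("add"):
            findings.add(f"{name}:added-capabilities")
        if not {d.upper() for d in caps.get("drop", [])} & {"NET_RAW", "ALL"}:
            findings.add(f"{name}:NET_RAW-not-dropped")
        if not _seccomp_ok(pod_sc, sc, annotations):
            findings.add(f"{name}:no-seccomp-profile")
        if not DIGEST_RE.search(image):
            findings.add(f"{name}:image-not-pinned-by-digest")
            # tag = text after the last ':' of the final path component ('' when absent)
            if image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest"):
                findings.add(f"{name}:image-tag-latest-or-blank")
        if c.get("imagePullPolicy") != "Always":
            findings.add(f"{name}:imagePullPolicy-not-Always")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.add(f"{name}:missing-{probe}")
        if not c.get("resources", {}).get("requests", {}).get("memory"):
            findings.add(f"{name}:no-memory-request")
        if any("hostPort" in p for p in c.get("ports", [])):
            findings.add(f"{name}:hostPort")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            findings.add(f"{name}:secret-in-environment")
    return sorted(findings)


# Constructed sample manifests, not taken from a real cluster.
WEAK_POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "image": "nginx:latest",
                    "securityContext": {"privileged": True},
                    "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]}]}}

HARDENED_POD = {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod"}, "spec": {
    "serviceAccountName": "web-sa", "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx@sha256:" + "0" * 64,  # placeholder digest
                    "imagePullPolicy": "Always",
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                    "resources": {"requests": {"memory": "64Mi"}}}]}}
```

Run `audit_pod(WEAK_POD)` to see every listed check the weak manifest fails; `audit_pod(HARDENED_POD)` returns an empty list. The NET_RAW check treats `drop: ["ALL"]` as satisfying it, and `allowPrivilegeEscalation` is only accepted when explicitly `false`, since the field defaults to true.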
Ensure the --anonymous-auth argument is set to False
Ensure the --basic-auth-file argument is not set
Ensure the --token-auth-file argument is not set
Ensure the --kubelet-https argument is set to True
Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Ensure the --kubelet-certificate-authority argument is set appropriately
Ensure the --authorization-mode argument is not set to AlwaysAllow
Ensure the --authorization-mode argument includes Node
Ensure the --authorization-mode argument includes RBAC
Ensure the admission control plugin EventRateLimit is set
Ensure the admission control plugin AlwaysAdmit is not set
Ensure the admission control plugin AlwaysPullImages is set
Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Ensure the admission control plugin ServiceAccount is set
Ensure the admission control plugin NamespaceLifecycle is set
Ensure the admission control plugin PodSecurityPolicy is set
Ensure the admission control plugin NodeRestriction is set
Ensure the --insecure-bind-address argument is not set
Ensure the --insecure-port argument is set to 0
Ensure the --secure-port argument is not set to 0
Ensure the --profiling argument is set to False
Ensure the --audit-log-path argument is set
Ensure the --audit-log-maxage argument is set to 30 or appropriately
Ensure the --audit-log-maxbackup argument is set to 10 or appropriately
Ensure the --audit-log-maxsize argument is set to 100 or appropriately
Ensure the --request-timeout argument is set appropriately
Ensure the --service-account-lookup argument is set to True
Ensure the --service-account-key-file argument is set appropriately
Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately
Ensure Kubelet only uses strong cryptographic ciphers
Ensure the --etcd-cafile argument is set appropriately
Ensure encryption providers are appropriately configured
Ensure the API server makes use of strong cryptographic ciphers
Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
Ensure the --profiling argument for controller managers is set to False
Ensure the --use-service-account-credentials argument for controller managers is set to True
Ensure the --service-account-private-key-file argument for controller managers is set appropriately
Ensure the --root-ca-file argument for controller managers is set appropriately
Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
Ensure the --bind-address argument for controller managers is set to 127.0.0.1
Ensure the --profiling argument for schedulers is set to False
Ensure the --bind-address argument for schedulers is set to 127.0.0.1
Ensure the --cert-file and --key-file arguments are set appropriately
Ensure the --client-cert-auth argument is set to True
Ensure the --auto-tls argument is not set to True
Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
Ensure the --peer-client-cert-auth argument is set to True
Ensure the --peer-auto-tls argument is not set to True
Ensure the --anonymous-auth argument for kubelets is set to False
Ensure the --authorization-mode argument for kubelets is not set to AlwaysAllow
Ensure the --client-ca-file argument for API Servers is set appropriately
Ensure the --read-only-port argument is set to 0
Ensure the --streaming-connection-idle-timeout argument is not set to 0
Ensure the --protect-kernel-defaults argument is set to True
Ensure the --make-iptables-util-chains argument is set to True
Ensure the --hostname-override argument is not set
Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
Ensure --tls-cert-file and --tls-private-key-file arguments are set appropriately
Ensure the --rotate-certificates argument is not set to false
Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
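The API server flag checks above are all decisions over one command line, so they can be expressed as a table of rules and evaluated against the argv of the running kube-apiserver. The following is an added example, not code from the original page or from Kubernetes: it parses the `command:` array of the static Pod manifest (assumed to be at /etc/kubernetes/manifests/kube-apiserver.yaml) and reports each listed API server check that fails. Absent flags are judged by their upstream defaults, and the "strong ciphers" rule uses an assumption of this example (only AEAD suites count). The scheduler, controller manager, etcd and kubelet flags above follow the same pattern with their own rule tables. Both sample command lines are constructed.

```python
"""Audit a kube-apiserver command line against the API server checks listed above.

Added example, not code from the original page or from Kubernetes. Input is the
server's argv, e.g. the `command:` array of the static Pod manifest in
/etc/kubernetes/manifests/kube-apiserver.yaml. Absent flags are judged by their upstream
defaults (anonymous-auth and kubelet-https default to true, secure-port to 6443; a missing
--insecure-port counts as 0, since releases from 1.20 on have no insecure port).
Both sample command lines are constructed.
"""


def parse_flags(argv):
    """Map ['--a=b', '--c', 'd', '--e'] to {'a': 'b', 'c': 'd', 'e': ''}."""
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value, i = argv[i + 1], i + 1  # '--flag value' form
            flags[key] = value
        i += 1
    return flags


def _csv(f, key, default=""):
    return {v.strip() for v in f.get(key, default).split(",") if v.strip()}

def _ge(key, minimum):
    return lambda f: f.get(key, "").isdigit() and int(f[key]) >= minimum

def _enabled(f):  # --admission-control is the pre-1.10 spelling of --enable-admission-plugins
    return _csv(f, "enable-admission-plugins") | _csv(f, "admission-control")

def _strong_ciphers(f):  # assumption of this example: only AEAD suites (GCM / CHACHA20-POLY1305) are strong
    suites = _csv(f, "tls-cipher-suites")
    return bool(suites) and all("GCM" in s or "CHACHA20_POLY1305" in s for s in suites)


RULES = [  # (message reported when the check fails, predicate that passes)
    ("--anonymous-auth is not false", lambda f: f.get("anonymous-auth", "true") == "false"),
    ("--basic-auth-file is set", lambda f: "basic-auth-file" not in f),
    ("--token-auth-file is set", lambda f: "token-auth-file" not in f),
    ("--kubelet-https is not true", lambda f: f.get("kubelet-https", "true") == "true"),
    ("kubelet client certificate/key not set", lambda f: {"kubelet-client-certificate", "kubelet-client-key"}.issubset(f)),
    ("--kubelet-certificate-authority not set", lambda f: bool(f.get("kubelet-certificate-authority"))),
    ("--authorization-mode allows AlwaysAllow", lambda f: "AlwaysAllow" not in _csv(f, "authorization-mode", "AlwaysAllow")),
    ("--authorization-mode lacks Node", lambda f: "Node" in _csv(f, "authorization-mode")),
    ("--authorization-mode lacks RBAC", lambda f: "RBAC" in _csv(f, "authorization-mode")),
    ("admission plugin EventRateLimit not enabled", lambda f: "EventRateLimit" in _enabled(f)),
    ("admission plugin AlwaysAdmit enabled", lambda f: "AlwaysAdmit" not in _enabled(f)),
    ("admission plugin AlwaysPullImages not enabled", lambda f: "AlwaysPullImages" in _enabled(f)),
    ("neither PodSecurityPolicy nor SecurityContextDeny enabled", lambda f: bool({"PodSecurityPolicy", "SecurityContextDeny"} & _enabled(f))),
    ("admission plugin ServiceAccount disabled", lambda f: "ServiceAccount" not in _csv(f, "disable-admission-plugins")),
    ("admission plugin NamespaceLifecycle disabled", lambda f: "NamespaceLifecycle" not in _csv(f, "disable-admission-plugins")),
    ("admission plugin PodSecurityPolicy not enabled", lambda f: "PodSecurityPolicy" in _enabled(f)),
    ("admission plugin NodeRestriction not enabled", lambda f: "NodeRestriction" in _enabled(f)),
    ("--insecure-bind-address is set", lambda f: "insecure-bind-address" not in f),
    ("--insecure-port is not 0", lambda f: f.get("insecure-port", "0") == "0"),
    ("--secure-port is 0", lambda f: f.get("secure-port", "6443") != "0"),
    ("--profiling is not false", lambda f: f.get("profiling") == "false"),
    ("--audit-log-path not set", lambda f: bool(f.get("audit-log-path"))),
    ("--audit-log-maxage below 30", _ge("audit-log-maxage", 30)),
    ("--audit-log-maxbackup below 10", _ge("audit-log-maxbackup", 10)),
    ("--audit-log-maxsize below 100", _ge("audit-log-maxsize", 100)),
    ("--request-timeout not set", lambda f: bool(f.get("request-timeout"))),
    ("--service-account-lookup is not true", lambda f: f.get("service-account-lookup") == "true"),
    ("--service-account-key-file not set", lambda f: bool(f.get("service-account-key-file"))),
    ("etcd client certificate/key not set", lambda f: {"etcd-certfile", "etcd-keyfile"}.issubset(f)),
    ("--etcd-cafile not set", lambda f: bool(f.get("etcd-cafile"))),
    ("TLS certificate/key not set", lambda f: {"tls-cert-file", "tls-private-key-file"}.issubset(f)),
    ("--encryption-provider-config not set", lambda f: bool(f.get("encryption-provider-config"))),
    ("--tls-cipher-suites missing or weak", _strong_ciphers),
]


def audit_apiserver(argv):
    """Return the message of every rule this command line fails."""
    flags = parse_flags(argv)
    return [msg for msg, ok in RULES if not ok(flags)]


# Constructed command lines, not taken from a real cluster.
WEAK_ARGV = ["kube-apiserver", "--anonymous-auth=true", "--authorization-mode=AlwaysAllow",
             "--insecure-port=8080", "--enable-admission-plugins=AlwaysAdmit", "--profiling=true"]
HARDENED_ARGV = ["kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction,EventRateLimit,AlwaysPullImages,PodSecurityPolicy",
    "--insecure-port=0", "--secure-port=6443", "--profiling=false", "--request-timeout=300s",
    "--audit-log-path=/var/log/kubernetes/audit.log", "--audit-log-maxage=30",
    "--audit-log-maxbackup=10", "--audit-log-maxsize=100", "--service-account-lookup=true",
    "--service-account-key-file=/etc/kubernetes/pki/sa.pub",
    "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt",
    "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key",
    "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key",
    "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
    "--encryption-provider-config=/etc/kubernetes/encryption.yaml",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
```

`audit_apiserver(WEAK_ARGV)` lists every failed rule; `audit_apiserver(HARDENED_ARGV)` returns an empty list. Presence checks (`bool(f.get(...))`) deliberately reject an empty value such as `--audit-log-path=`, which a plain "is the flag present" test would accept.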
Ensure minimized wildcard use in Roles and ClusterRoles
RoleBindings should not let a ServiceAccount or Node escalate privileges through other RoleBindings
No ServiceAccount or Node should have impersonate permissions for groups, users or service accounts
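The three RBAC checks above require resolving bindings to the rules they grant. The following is an added example, not code from the original page or from Kubernetes: it takes Role, ClusterRole, RoleBinding and ClusterRoleBinding objects parsed into dicts (the `items` array of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`), flags wildcards in rules, and flags bindings that give a ServiceAccount or Node subject the impersonate verb or the ability to escalate through other bindings. The reading of "privilege escalation on other RoleBindings" as the bind, escalate, create, update or patch verbs on RBAC role and binding resources is an assumption of this example, and the sample objects are constructed.

```python
"""Audit RBAC objects for the three RBAC checks listed above.

Added example, not code from the original page or from Kubernetes. Input is a list of
Role/ClusterRole/RoleBinding/ClusterRoleBinding objects parsed into dicts (the `items`
of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`).
Assumption: "privilege escalation on other RoleBindings" is read as the bind, escalate,
create, update or patch verbs on RBAC role/binding resources. Sample objects are constructed.
"""

RBAC_GROUP = "rbac.authorization.k8s.io"
BINDING_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
ESCALATION_VERBS = {"bind", "escalate", "create", "update", "patch"}


def _is_sa_or_node(subject):
    """ServiceAccount subjects, node identities (system:node:<name>) and the system:nodes group."""
    kind, name = subject.get("kind"), subject.get("name", "")
    return (kind == "ServiceAccount" or (kind == "User" and name.startswith("system:node:"))
            or (kind == "Group" and name == "system:nodes"))


def _grants(rule, verbs, resources=None, group=None):
    """True if one RBAC rule grants any of `verbs`, optionally restricted to resources/apiGroup.
    A '*' in the rule matches anything, which is why wildcards are also flagged on their own."""
    if not set(rule.get("verbs") or []) & (verbs | {"*"}):
        return False
    if resources is not None and not set(rule.get("resources") or []) & (resources | {"*"}):
        return False
    return group is None or bool(set(rule.get("apiGroups") or []) & {group, "*"})


def _has_wildcard(rule):
    return any("*" in (rule.get(k) or []) for k in ("verbs", "resources", "apiGroups"))


def audit_rbac(objects):
    """Return finding strings; roles are indexed first so bindings can be resolved to rules."""
    findings, roles = [], {}
    for o in objects:
        kind, meta = o.get("kind"), o.get("metadata", {})
        if kind in ("Role", "ClusterRole"):
            key = (kind, meta.get("namespace", "") if kind == "Role" else "", meta.get("name"))
            roles[key] = o.get("rules") or []
            if any(_has_wildcard(r) for r in roles[key]):
                findings.append(f"{kind}/{meta.get('name')}: wildcard in verbs, resources or apiGroups")
    for o in objects:
        kind, meta = o.get("kind"), o.get("metadata", {})
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o.get("roleRef", {})
        ns = meta.get("namespace", "") if ref.get("kind") == "Role" else ""
        rules = roles.get((ref.get("kind"), ns, ref.get("name")), [])
        if not any(_is_sa_or_node(s) for s in o.get("subjects") or []):
            continue  # only ServiceAccount / Node subjects are in scope for the last two checks
        label = f"{kind}/{meta.get('name')}"
        if any(_grants(r, {"impersonate"}) for r in rules):
            findings.append(f"{label}: grants impersonate to a ServiceAccount or Node")
        if any(_grants(r, ESCALATION_VERBS, BINDING_RESOURCES, RBAC_GROUP) for r in rules):
            findings.append(f"{label}: lets a ServiceAccount or Node bind or edit other roles/bindings")
    return findings


# Constructed sample objects, not taken from a real cluster.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "debug"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-default"},
     "roleRef": {"kind": "ClusterRole", "name": "debug"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-reader", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "app"}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-impersonates"},
     "roleRef": {"kind": "ClusterRole", "name": "impersonator"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
```

`audit_rbac(SAMPLE)` reports the wildcard ClusterRole and both escalation paths for the default ServiceAccount bound to it; the impersonate grant to the human user `alice` is out of scope for the last two checks and is not reported, and the narrowly scoped pod-reader binding is clean.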