| K8S Dashboard Present |
k8s-dashboard-present |
Ensure the Kubernetes dashboard is not deployed |
| K8S Docker Daemon |
k8s-docker-daemon |
Do not expose the docker daemon socket to containers |
| K8S Host Namespace |
k8s-host-namespace |
Containers should not share the host namespaces |
| K8S Immutable Image |
k8s-immutable-image |
Image Tag should be fixed - not latest or blank |
| K8S Podsecuritypolicy Defined |
k8s-podsecuritypolicy-defined |
Ensure that if a Pod Security Policy exists, it enforces best practices. |
| K8S Rbac Wildcards |
k8s-rbac-wildcards |
Minimize wildcard use in Roles and ClusterRoles |
| K8S Resources Defined |
k8s-resources-defined |
CPU, Memory requests and limit should be set |
| K8S Securitycontext Capabilities |
k8s-securitycontext-capabilities |
Minimize the admission of containers with added capability |
| K8S Securitycontext Defined |
k8s-securitycontext-defined |
Apply security context to your pods and containers |
| K8S Securitycontext Privileged |
k8s-securitycontext-privileged |
Container should not be privileged |
| K8S Serviceaccount Default |
k8s-serviceaccount-default |
Ensure that default service accounts are not actively used |
| K8S Tiller Present |
k8s-tiller-present |
Ensure that Tiller (Helm v2) is not deployed |