Created
March 13, 2025 20:14
{"generationTime":"2022-11-02T07:55:55.697021698Z","metadata":{"targetMetadata":{},"clusterMetadata":{},"scanMetadata":{}},"clusterAPIServerInfo":null,"customerGUID":"","clusterName":"","clusterCloudProvider":"","reportGUID":"","jobID":"","resources":[{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"paymentservice"},"sourcePath":"examples/online-boutique/paymentservice.yaml","spec":{"selector":{"matchLabels":{"app":"paymentservice"}},"template":{"metadata":{"labels":{"app":"paymentservice"}},"spec":{"containers":[{"name":"server","image":"paymentservice","ports":[{"containerPort":50051}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/paymentservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"recommendationservice"},"sourcePath":"examples/online-boutique/recommendationservice.yaml","spec":{"selector":{"matchLabels":{"app":"recommendationservice"}},"template":{"metadata":{"labels":{"app":"recommendationservice"}},"spec":{"containers":[{"name":"server","image":"recommendationservice","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"450Mi"},"requests":{"cpu":"100m","memory":"220Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/recommendationservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"}]}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/
instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml"}]}},{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"adservice"},"sourcePath":"examples/online-boutique/adservice.yaml","spec":{"selector":{"matchLabels":{"app":"adservice"}},"template":{"metadata":{"labels":{"app":"adservice"}},"spec":{"containers":[{"name":"server","image":"adservice","ports":[{"containerPort":9555}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"200m","memory":"180Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:9555"]},"initialDelaySeconds":20,"periodSeconds":15},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:9555"]},"initialDelaySeconds":20,"periodSeconds":15}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/adservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=3591976602/api=apps/v1/kubescape/Deployment/kubescape","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"kubescape"}},"template":{"metadata":{"labels":{"app":"kubescape"}},"spec":{"containers":[{"name":"kubescape","image":"quay.io/kubescape/kubescape:latest","command":["ksserver"],"ports":[{"name":"http","containerPort":8080,"protocol":"TCP"}],"env":[{"name":"KS_DEFAULT_CONFIGMAP_NAMESPACE","value":"XXXXXX","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"KS_SKIP_UPDATE_CHECK","value":"XXXXXX"},{"name":"KS_ENABLE_HOST_SCANNER","value":"XXXXXX"},{"name":"KS_DOWNLOAD_ARTIFACTS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"10m","memory":"100Mi"}},"livenessProbe":{"httpGet":{"path":"/livez","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"readinessProbe":{"httpGet":{"path":"/readyz","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"imagePullPolicy":"Always"}],"serviceAccountName":"kubescape-discovery"}}}},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"frontend"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"selector":{"matchLabels":{"app":"frontend"}},"template":{"metadata":{"annotations":{"sidecar.istio.io/rewriteAppHTTPProbers":"true"},"labels":{"app":"frontend"}},"spec":{"containers":[{"name":"server","image":"frontend","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"},{"name":"CURRENCY_SERVICE_ADDR","value":"XXXXXX"},{"name":"CART_SERVICE_ADDR","value":"XXXXXX"},{"name":"RECOMMENDATION_SERVICE_ADDR","value":"XXXXXX"},{"name":"SHIPPING_SERVICE_ADDR","value":"XXXXXX"},{"name":"CHECKOUT_SERVICE_ADDR","value":"XXXXXX"},{"name":"AD_SERVICE_ADDR","value":"XXXXXX"},{"name":"ENV_PLATFORM","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"httpGet":{"path":"/_healthz","port":8080,"httpHeaders":[{"name":"Cookie","value":"shop_session-id=x-liveness-probe"}]},"initialDelaySeconds":10},"readinessProbe":{"httpGet":{"path":"/_healthz","port":8080,"httpHeaders":[{"name":"Cookie","value":"shop_session-id=x-readiness-probe"}]},"initialDelaySeconds":10}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=1644445903/api=apps/v1/kubescape/Deployment/kubescape","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"kubescape"}},"template":{"metadata":{"labels":{"app":"kubescape"}},"spec":{"containers":[{"name":"kubescape","image":"quay.io/kubescape/kubescape:latest","command":["ksserver"],"ports":[{"name":"http","containerPort":8080,"protocol":"TCP"}],"env":[{"name":"KS_DEFAULT_CONFIGMAP_NAMESPACE","value":"XXXXXX","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"KS_SKIP_UPDATE_CHECK","value":"XXXXXX"},{"name":"KS_ENABLE_HOST_SCANNER","value":"XXXXXX"},{"name":"KS_DOWNLOAD_ARTIFACTS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"10m","memory":"100Mi"}},"livenessProbe":{"httpGet":{"path":"/livez","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"readinessProbe":{"httpGet":{"path":"/readyz","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"imagePullPolicy":"Always"}],"serviceAccountName":"kubescape-discovery"}}}},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app":"kubescape"},"name":"kubescape-discovery","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=3919891740/api=/v1//ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"kubescape-discovery"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/serviceaccount.yaml"},"source":{"relativePath":"examples/helm_chart/templates/serviceaccount.yaml","fileType":"Helm Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"ydissen@vmware.com","message":"add helm chart to deploy kubescape in 
cluster\n"}}},{"resourceID":"path=423865324/api=/v1//Service/productcatalogservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"productcatalogservice"},"sourcePath":"examples/online-boutique/productcatalogservice.yaml","spec":{"ports":[{"name":"grpc","port":3550,"targetPort":3550}],"selector":{"app":"productcatalogservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/productcatalogservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=4115069426/api=/v1//Service/emailservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"emailservice"},"sourcePath":"examples/online-boutique/emailservice.yaml","spec":{"ports":[{"name":"grpc","port":5000,"targetPort":8080}],"selector":{"app":"emailservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/emailservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape","object":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},"source":{"relativePath":"examples/helm_chart/templates/rolebinding.yaml","fileType":"Helm Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"ydissen@vmware.com","message":"add helm chart to deploy kubescape in cluster\n"}}},{"resourceID":"path=4285981016/api=/v1//Service/cartservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"cartservice"},"sourcePath":"examples/online-boutique/cartservice.yaml","spec":{"ports":[{"name":"grpc","port":7070,"targetPort":7070}],"selector":{"app":"cartservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/cartservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"redis-cart"},"sourcePath":"examples/online-boutique/redis.yaml","spec":{"selector":{"matchLabels":{"app":"redis-cart"}},"template":{"metadata":{"labels":{"app":"redis-cart"}},"spec":{"containers":[{"name":"redis","image":"redis:alpine","ports":[{"containerPort":6379}],"resources":{"limits":{"cpu":"125m","memory":"256Mi"},"requests":{"cpu":"70m","memory":"200Mi"}},"volumeMounts":[{"name":"redis-data","mountPath":"/data"}],"livenessProbe":{"tcpSocket":{"port":6379},"periodSeconds":5},"readinessProbe":{"tcpSocket":{"port":6379},"periodSeconds":5}}],"volumes":[{"emptyDir":{},"name":"redis-data"}]}}}},"source":{"relativePath":"examples/online-boutique/redis.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"cartservice"},"sourcePath":"examples/online-boutique/cartservice.yaml","spec":{"selector":{"matchLabels":{"app":"cartservice"}},"template":{"metadata":{"labels":{"app":"cartservice"}},"spec":{"containers":[{"name":"server","image":"cartservice","ports":[{"containerPort":7070}],"env":[{"name":"REDIS_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"300m","memory":"128Mi"},"requests":{"cpu":"200m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7070","-rpc-timeout=5s"]},"initialDelaySeconds":15,"periodSeconds":10},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7070","-rpc-timeout=5s"]},"initialDelaySeconds":15}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/cartservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","object":{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app":"host-scanner","k8s-app":"kubescape-host-scanner"},"name":"host-scanner","namespace":"kubescape-host-scanner"},"sourcePath":"core/pkg/hostsensorutils/hostsensor.yaml","spec":{"selector":{"matchLabels":{"name":"host-scanner"}},"template":{"metadata":{"labels":{"name":"host-scanner"}},"spec":{"automountServiceAccountToken":false,"containers":[{"name":"host-sensor","image":"quay.io/kubescape/host-scanner:v1.0.32","ports":[{"name":"scanner","hostPort":7888,"containerPort":7888,"protocol":"TCP"}],"resources":{"limits":{"cpu":"100u","memory":"200Mi"},"requests":{"cpu":"1m","memory":"200Mi"}},"volumeMounts":[{"name":"host-filesystem","mountPath":"/host_fs"}],"readinessProbe":{"httpGet":{"path":"/kernelVersion","port":7888}},"securityContext":{"privileged":true,"readOnlyRootFilesystem":true,"procMount":"Unmasked"}}],"dnsPolicy":"ClusterFirstWithHostNet","hostIPC":true,"hostNetwork":true,"hostPID":true,"terminationGracePeriodSeconds":120,"tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host-filesystem"}]}}}},"source":{"relativePath":"core/pkg/hostsensorutils/hostsensor.yaml","fileType":"YAML","lastCommit":{"hash":"dc2c6f8a215e297bf65501000243cb172e1a5563","date":"2022-10-26T11:40:28+03:00","committerName":"YiscahLevySilas1","committerEmail":"80635572+YiscahLevySilas1@users.noreply.github.com","message":"update hostsensor 
version"}}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml"}]}},{"resourceID":"path=2451423745/api=/v1//Service/currencyservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"currencyservice"},"sourcePath":"examples/online-boutique/currencyservice.yaml","spec":{"ports":[{"name":"grpc","port":7000,"targetPort":7000}],"selector":{"app":"currencyservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/currencyservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/Deployment/kubescape","object":{"kind":"Deployment","name":"kubescape","namespace":"kubescape","relatedObjects":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"ClusterIP"}}}},{"resourceID":"path=3591976602/api=/v1/kubescape/Service/kubescape","object":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"ClusterIP"}},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=3015304832/api=/v1//Service/shippingservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"shippingservice"},"sourcePath":"examples/online-boutique/shippingservice.yaml","spec":{"ports":[{"name":"grpc","port":50051,"targetPort":50051}],"selector":{"app":"shippingservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/shippingservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=1161725811/api=/v1//Service/adservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"adservice"},"sourcePath":"examples/online-boutique/adservice.yaml","spec":{"ports":[{"name":"grpc","port":9555,"targetPort":9555}],"selector":{"app":"adservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/adservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"shippingservice"},"sourcePath":"examples/online-boutique/shippingservice.yaml","spec":{"selector":{"matchLabels":{"app":"shippingservice"}},"template":{"metadata":{"labels":{"app":"shippingservice"}},"spec":{"containers":[{"name":"server","image":"shippingservice","ports":[{"containerPort":50051}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]},"periodSeconds":5}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/shippingservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=1644445903/api=/v1/kubescape/Service/kubescape","object":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"NodePort"}},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=1881121400/api=/v1//Service/paymentservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"paymentservice"},"sourcePath":"examples/online-boutique/paymentservice.yaml","spec":{"ports":[{"name":"grpc","port":50051,"targetPort":50051}],"selector":{"app":"paymentservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/paymentservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape","object":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/role.yaml"},"source":{"relativePath":"examples/helm_chart/templates/role.yaml","fileType":"Helm 
Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"ydissen@vmware.com","message":"add helm chart to deploy kubescape in cluster\n"}}},{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"emailservice"},"sourcePath":"examples/online-boutique/emailservice.yaml","spec":{"selector":{"matchLabels":{"app":"emailservice"}},"template":{"metadata":{"labels":{"app":"emailservice"}},"spec":{"containers":[{"name":"server","image":"emailservice","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"DISABLE_PROFILER","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/emailservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"productcatalogservice"},"sourcePath":"examples/online-boutique/productcatalogservice.yaml","spec":{"selector":{"matchLabels":{"app":"productcatalogservice"}},"template":{"metadata":{"labels":{"app":"productcatalogservice"}},"spec":{"containers":[{"name":"server","image":"productcatalogservice","ports":[{"containerPort":3550}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:3550"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:3550"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/productcatalogservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"}]}},{"resourceID":"path=3591976602/api=/v1//Namespace/kubescape","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape"},"name":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"loadgenerator"},"sourcePath":"examples/online-boutique/loadgenerator.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"loadgenerator"}},"template":{"metadata":{"annotations":{"sidecar.istio.io/rewriteAppHTTPProbers":"true"},"labels":{"app":"loadgenerator"}},"spec":{"containers":[{"name":"main","image":"loadgenerator","env":[{"name":"FRONTEND_ADDR","value":"XXXXXX"},{"name":"USERS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"300m","memory":"256Mi"}}}],"restartPolicy":"Always","serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/loadgenerator.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"checkoutservice"},"sourcePath":"examples/online-boutique/checkoutservice.yaml","spec":{"selector":{"matchLabels":{"app":"checkoutservice"}},"template":{"metadata":{"labels":{"app":"checkoutservice"}},"spec":{"containers":[{"name":"server","image":"checkoutservice","ports":[{"containerPort":5050}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"},{"name":"SHIPPING_SERVICE_ADDR","value":"XXXXXX"},{"name":"PAYMENT_SERVICE_ADDR","value":"XXXXXX"},{"name":"EMAIL_SERVICE_ADDR","value":"XXXXXX"},{"name":"CURRENCY_SERVICE_ADDR","value":"XXXXXX"},{"name":"CART_SERVICE_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:5050"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:5050"]}}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/checkoutservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=4203826079/api=/v1//Namespace/kubescape-host-scanner","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape-host-scanner","k8s-app":"kubescape-host-scanner","kubernetes.io/metadata.name":"kubescape-host-scanner","tier":"kubescape-host-scanner-control-plane"},"name":"kubescape-host-scanner"},"sourcePath":"core/pkg/hostsensorutils/hostsensor.yaml"},"source":{"relativePath":"core/pkg/hostsensorutils/hostsensor.yaml","fileType":"YAML","lastCommit":{"hash":"dc2c6f8a215e297bf65501000243cb172e1a5563","date":"2022-10-26T11:40:28+03:00","committerName":"YiscahLevySilas1","committerEmail":"80635572+YiscahLevySilas1@users.noreply.github.com","message":"update hostsensor version"}}},{"resourceID":"path=645840794/api=/v1//Service/checkoutservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"checkoutservice"},"sourcePath":"examples/online-boutique/checkoutservice.yaml","spec":{"ports":[{"name":"grpc","port":5050,"targetPort":5050}],"selector":{"app":"checkoutservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/checkoutservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=2924266659/api=/v1//Service/frontend-external","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"frontend-external"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"ports":[{"name":"http","port":80,"targetPort":8080}],"selector":{"app":"frontend"},"type":"LoadBalancer"}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"path=2924266659/api=/v1//Service/frontend","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"frontend"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"ports":[{"name":"http","port":80,"targetPort":8080}],"selector":{"app":"frontend"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"currencyservice"},"sourcePath":"examples/online-boutique/currencyservice.yaml","spec":{"selector":{"matchLabels":{"app":"currencyservice"}},"template":{"metadata":{"labels":{"app":"currencyservice"}},"spec":{"containers":[{"name":"server","image":"currencyservice","ports":[{"name":"grpc","containerPort":7000}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7000"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7000"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/currencyservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"}]}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get"
,"list","describe"]}],"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"}]}},{"resourceID":"path=1966984206/api=/v1//Service/redis-cart","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"redis-cart"},"sourcePath":"examples/online-boutique/redis.yaml","spec":{"ports":[{"name":"redis","port":6379,"targetPort":6379}],"selector":{"app":"redis-cart"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/redis.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}},{"resourceID":"path=1644445903/api=/v1//Namespace/kubescape","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape"},"name":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app":"kubescape"},"name":"kubescape-discovery","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"dwertent@armosec.io","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=2686782197/api=/v1//Service/recommendationservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"recommendationservice"},"sourcePath":"examples/online-boutique/recommendationservice.yaml","spec":{"ports":[{"name":"grpc","port":8080,"targetPort":8080}],"selector":{"app":"recommendationservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/recommendationservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"dwertent@cyberarmor.io","message":"support yaml input\n"}}}],"attributes":null,"results":[{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container 
Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=3591976602/api=apps/v1/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container 
Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes 
dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"passed","controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"
resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"ku
bescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureE
xceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"ku
bescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemE
xception":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels 
usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness 
probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalatio
n","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}]},{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to 
docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=1644445903/api=apps/v1/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources
-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0050","name":"Resources 
CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"
C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"passed","controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":
"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kub
escape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureE
xceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"ku
bescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemE
xception":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels 
usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness 
probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalatio
n","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=3919891740/api=/v1//ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=423865324/api=/v1//Service/productcatalogservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4115069426/api=/v1//Service/emailservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4285981016/api=/v1//Service/cartservice","controls":[{"controlID":"CIS-5.7.4","name":"The 
default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"passed"}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].volumeMounts[0].readOnly","value":"true"}}]}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"failed","paths":[{"failedPath":"spec.template.spec.hostIPC","fixPath":{"path":"","value":""}},{"failedPath":"spec.template.spec.hostPID","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].livenessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].securityContext.privileged","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].securityContext.privileged","fixPath":{"path":"","value":""}}]},{"name":"immutable-container-filesystem","status":"passed"},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"failed","paths":[{"failedPath":"spec.template.spec.hostNetwork","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].ports[0].hostPort","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"passed"}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath 
mount","rules":[{"name":"alert-rw-hostpath","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].volumeMounts[0].readOnly","value":"true"}}]}]}],"prioritizedResource":{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":88,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral movement","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral movement","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral 
movement","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in 
container","tags":["security","compliance","devops","security-impact"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0041","category":"Impact - service 
access","tags":["security","compliance"]}],"score":7.700000000000001,"severity":3}],"score":5903.7,"severity":3}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=2451423745/api=/v1//Service/currencyservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0042","name":"SSH server running inside 
container","rules":[{"name":"rule-can-ssh-to-pod-v1","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1/kubescape/Service/kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=3015304832/api=/v1//Service/shippingservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1161725811/api=/v1//Service/adservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=1644445903/api=/v1/kubescape/Service/kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=1881121400/api=/v1//Service/paymentservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1//Namespace/kubescape","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"r
esources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0054","name":"Cluster internal 
networking","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged 
containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess 
Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies 
defined","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities 
assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using 
namespaces","rules":[{"name":"list-all-namespaces","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW 
capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0049","name":"Network 
mapping","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in 
place","rules":[{"name":"pod-security-admission-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]}]},{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files 
over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].livenessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your 
Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].readinessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC 
privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service 
account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4203826079/api=/v1//Namespace/kubescape-host-scanner","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath 
volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"failed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0054","name":"Cluster internal networking","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"failed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","rules":[{"name":"list-all-namespaces","status":"failed"}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0049","name":"Network mapping","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","rules":[{"name":"pod-security-admission-applied","status":"failed"}]}]},{"resourceID":"path=645840794/api=/v1//Service/checkoutservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2924266659/api=/v1//Service/frontend-external","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2924266659/api=/v1//Service/frontend","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=1966984206/api=/v1//Service/redis-cart","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1644445903/api=/v1//Namespace/kubescape","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath 
volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0054","name":"Cluster internal 
networking","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged 
containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess 
Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies 
defined","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities 
assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using 
namespaces","rules":[{"name":"list-all-namespaces","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW 
capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0049","name":"Network 
mapping","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in 
place","rules":[{"name":"pod-security-admission-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]}]},{"resourceID":"path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=2686782197/api=/v1//Service/recommendationservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]}],"summaryDetails":{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource 
limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount 
service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller 
(validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure 
capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness 
probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding 
privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting 
Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external 
traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0088":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0088","name":"RBAC enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0089":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0089","name":"CVE-2022-3172-aggregated-API-server-redirect","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.1","name":"Ensure that the API server pod specification file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.10","name":"Ensure that the Container Network Interface file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.11","name":"Ensure that the etcd data directory permissions are set to 700 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.12","name":"Ensure that the etcd data directory ownership is set to etcd:etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.13","name":"Ensure that the admin.conf file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.14","name":"Ensure that the admin.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.15","name":"Ensure that the scheduler.conf file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.16","name":"Ensure that the scheduler.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.17","name":"Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.18","name":"Ensure that the controller-manager.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.19","name":"Ensure that the Kubernetes PKI directory and file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.2","name":"Ensure that the API server pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.20","name":"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.21","name":"Ensure that the Kubernetes PKI key file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.3","name":"Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.4","name":"Ensure that the controller manager pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.5","name":"Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.6","name":"Ensure that the scheduler pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.7","name":"Ensure that the etcd pod specification file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.8","name":"Ensure that the etcd pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.9","name":"Ensure that the Container Network Interface file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.1","name":"Ensure that the API Server --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.10","name":"Ensure that the admission control plugin AlwaysAdmit is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.11","name":"Ensure that the admission control plugin AlwaysPullImages is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.12","name":"Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not 
used","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.13","name":"Ensure that the admission control plugin ServiceAccount is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.14","name":"Ensure that the admission control plugin NamespaceLifecycle is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.15","name":"Ensure that the admission control plugin NodeRestriction is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.16","name":"Ensure that the API Server --secure-port argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.17","name":"Ensure that the API Server --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.18","name":"Ensure that the API Server --audit-log-path argument is 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.19","name":"Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.2","name":"Ensure that the API Server --token-auth-file parameter is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.20","name":"Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.21","name":"Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.22":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.22","name":"Ensure that the API Server --request-timeout argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.23":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.23","name":"Ensure that the API Server --service-account-lookup argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.24":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.24","name":"Ensure that the API Server --service-account-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.25":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.25","name":"Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.26":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.26","name":"Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.27":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.27","name":"Ensure that the API Server --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.28":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.28","name":"Ensure that the API Server --etcd-cafile argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.29":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.29","name":"Ensure that the API Server --encryption-provider-config argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.3","name":"Ensure that the API Server --DenyServiceExternalIPs is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.30":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.30","name":"Ensure that encryption providers are appropriately configured","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.31":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.31","name":"Ensure that the API Server only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.4","name":"Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.5","name":"Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.6","name":"Ensure that the API Server --authorization-mode argument is not set to 
AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.7","name":"Ensure that the API Server --authorization-mode argument includes Node","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.8","name":"Ensure that the API Server --authorization-mode argument includes RBAC","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.9","name":"Ensure that the admission control plugin EventRateLimit is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.1","name":"Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.2","name":"Ensure that the Controller Manager --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.3.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.3","name":"Ensure that the Controller Manager --use-service-account-credentials argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.4","name":"Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.5","name":"Ensure that the Controller Manager --root-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.3.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.6","name":"Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.7","name":"Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.4.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.1","name":"Ensure that the Scheduler --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.4.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.2","name":"Ensure that the Scheduler --bind-address argument is set to 
127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.1","name":"Ensure that the --cert-file and --key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.2","name":"Ensure that the --client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.3","name":"Ensure that the --auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.4","name":"Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.5","name":"Ensure that the --peer-client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.6","name":"Ensure that the --peer-auto-tls argument is not set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.7","name":"Ensure that a unique Certificate Authority is used for etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-4.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.1","name":"Ensure that the kubelet service file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.10","name":"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.2","name":"Ensure that the kubelet service file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.3","name":"If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.4","name":"If proxy kubeconfig file exists ensure ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.5","name":"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.6","name":"Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.7","name":"Ensure that the certificate authorities file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.8","name":"Ensure that the client certificate authorities file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.9","name":"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.1","name":"Ensure that the --anonymous-auth argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.10","name":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.11","name":"Ensure that the --rotate-certificates argument is not set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.12","name":"Verify that the RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.13","name":"Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-4.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.2","name":"Ensure that the --authorization-mode argument is not set to AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.3","name":"Ensure that the --client-ca-file argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.4","name":"Verify that the --read-only-port argument is set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-4.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.5","name":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.6","name":"Ensure that the --protect-kernel-defaults argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-4.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.7","name":"Ensure that the --make-iptables-util-chains argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.8","name":"Ensure that the --hostname-override argument is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.9","name":"Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event 
capture","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-5.1.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":5,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-5.1.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.2","name":"Minimize access to secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":6},"CIS-5.1.3":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-5.1.4":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.4","name":"Minimize access to create pods","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-5.1.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":5},"CIS-5.1.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":5},"CIS-5.1.8":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes 
cluster","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-5.2.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.10":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.11":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":7},"CIS-5.2.12":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.13":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use HostPorts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":8},"CIS-5.2.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.3","name":"Minimize the 
admission of containers wishing to share the host process ID namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with allowPrivilegeEscalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.7":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.7","name":"Minimize the admission of root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.8":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.9":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.3.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.4.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-5.7.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.7.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"CIS-5.7.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":8},"CIS-5.7.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":7,"failedResources":27,"excludedResources":0},"score":79.411766,"scoreFactor":4}},"status":"failed","frameworks":[{"controls":{"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked 
PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2}},"name":"DevOpsBest","status":"failed","version":"","ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":16.747967},{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane 
hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic 
mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal 
networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container 
entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from 
allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of 
vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0089":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0089","name":"CVE-2022-3172-aggregated-API-server-redirect","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3}},"name":"ArmoBest","status":"failed","version":"","ResourceCounters":{"passedResources":7,"failedResources":16,"excludedResources":4},"score":29.317932},{"controls":{"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes 
dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller (validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS 
poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged 
container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS 
authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9}},"name":"MITRE","status":"failed","version":"","ResourceCounters":{"passedResources":15,"failedResources":8,"excludedResources":2},"score":10.858586},{"controls":{"CIS-1.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.1","name":"Ensure that the API server pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.10","name":"Ensure that the Container Network Interface file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.11","name":"Ensure that the etcd data directory permissions are set to 700 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.12","name":"Ensure that the etcd data directory ownership is set to etcd:etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.13","name":"Ensure that the admin.conf file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.14","name":"Ensure that the admin.conf file 
ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.15","name":"Ensure that the scheduler.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.16","name":"Ensure that the scheduler.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.17","name":"Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.18","name":"Ensure that the controller-manager.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.19","name":"Ensure that the Kubernetes PKI directory and file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.2","name":"Ensure that the API server pod specification file ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.20","name":"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.21","name":"Ensure that the Kubernetes PKI key file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.3","name":"Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.4","name":"Ensure that the controller manager pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.5","name":"Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.6","name":"Ensure that the scheduler pod specification file ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.7","name":"Ensure that the etcd pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.8","name":"Ensure that the etcd pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.9","name":"Ensure that the Container Network Interface file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.1","name":"Ensure that the API Server --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.10","name":"Ensure that the admission control plugin AlwaysAdmit is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.11","name":"Ensure that the admission control plugin AlwaysPullImages is 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.12","name":"Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.13","name":"Ensure that the admission control plugin ServiceAccount is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.14","name":"Ensure that the admission control plugin NamespaceLifecycle is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.15","name":"Ensure that the admission control plugin NodeRestriction is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.16","name":"Ensure that the API Server --secure-port argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.17","name":"Ensure that the API Server --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.18","name":"Ensure that the API Server --audit-log-path argument is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.19","name":"Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.2","name":"Ensure that the API Server --token-auth-file parameter is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.20","name":"Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.21","name":"Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.22":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.22","name":"Ensure that the API Server --request-timeout argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.23":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.23","name":"Ensure that the API Server --service-account-lookup argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.24":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.24","name":"Ensure that the API Server --service-account-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.25":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.25","name":"Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.26":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.26","name":"Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.27":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.27","name":"Ensure that the API Server --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.28":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.28","name":"Ensure that the API Server --etcd-cafile argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.29":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.29","name":"Ensure that the API Server --encryption-provider-config argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.3","name":"Ensure that the API Server --DenyServiceExternalIPs is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.30":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.30","name":"Ensure that encryption providers are appropriately configured","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.31":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.31","name":"Ensure that the API Server only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.4","name":"Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.5","name":"Ensure that the API Server --kubelet-certificate-authority argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.6","name":"Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.7","name":"Ensure that the API Server --authorization-mode argument includes Node","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.8","name":"Ensure that the API Server --authorization-mode argument includes RBAC","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.9","name":"Ensure that the admission control plugin EventRateLimit is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.1","name":"Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.2","name":"Ensure that the Controller Manager --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.3.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.3","name":"Ensure that the Controller Manager --use-service-account-credentials argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.4","name":"Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.5","name":"Ensure that the Controller Manager --root-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.3.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.6","name":"Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.7","name":"Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.4.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.1","name":"Ensure that the Scheduler --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.4.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.2","name":"Ensure that the Scheduler --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.1","name":"Ensure that the --cert-file and --key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.2","name":"Ensure that the --client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.3","name":"Ensure that the --auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.4","name":"Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.5","name":"Ensure that the --peer-client-cert-auth argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.6","name":"Ensure that the --peer-auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.7","name":"Ensure that a unique Certificate Authority is used for etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-4.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.1","name":"Ensure that the kubelet service file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.10","name":"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.2","name":"Ensure that the kubelet service file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.3","name":"If proxy kubeconfig file exists ensure permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.4","name":"If proxy kubeconfig file exists ensure ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.5","name":"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.6","name":"Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.7","name":"Ensure that the certificate authorities file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.8","name":"Ensure that the client certificate authorities file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.9","name":"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.1","name":"Ensure that the --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.10","name":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.11","name":"Ensure that the --rotate-certificates argument is not set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.12","name":"Verify that the RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.13","name":"Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-4.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.2","name":"Ensure that the --authorization-mode argument is not set to 
AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.3","name":"Ensure that the --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.4","name":"Verify that the --read-only-port argument is set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-4.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.5","name":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.6","name":"Ensure that the --protect-kernel-defaults argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-4.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.7","name":"Ensure that the --make-iptables-util-chains argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.8","name":"Ensure that the --hostname-override argument is not 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.9","name":"Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-5.1.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":5,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-5.1.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.2","name":"Minimize access to secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":6},"CIS-5.1.3":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-5.1.4":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.4","name":"Minimize access to create pods","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-5.1.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":5},"CIS-5.1.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":5},"CIS-5.1.8":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-5.2.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.10":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.11":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":7},"CIS-5.2.12":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.13":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":8},"CIS-5.2.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with allowPrivilegeEscalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.7":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.8":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.9":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added capabilities","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.3.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.4.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-5.7.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.7.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"CIS-5.7.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":8},"CIS-5.7.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.4","name":"The default namespace should not be used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":7,"failedResources":27,"excludedResources":0},"score":79.411766,"scoreFactor":4}},"name":"CIS","status":"failed","version":"","ResourceCounters":{"passedResources":2,"failedResources":37,"excludedResources":4},"score":43.612335},{"controls":{"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration 
files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork 
access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system 
access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9}},"name":"NSA","status":"failed","version":"","ResourceCounters":{"passedResources":7,"failedResources":16,"excludedResources":4},"score":26.9876},{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container 
Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root 
containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive 
interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller (validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC 
privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath 
mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using 
symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption 
enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label 
usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of 
vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0088":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0088","name":"RBAC enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7}},"name":"AllControls","status":"failed","version":"","ResourceCounters":{"passedResources":2,"failedResources":22,"excludedResources":4},"score":23.911491}],"severityCounters":{"criticalSeverity":0,"highSeverity":26,"mediumSeverity":151,"lowSeverity":52},"ResourceCounters":{"passedResources":3,"failedResources":37,"excludedResources":4},"score":28.733154},"paginationInfo":{"chunkNumber":0,"isLastChunk":false}} |