📄️ Problem capabilities (GITA-SEC-001)
Capabilities are a Linux specific set of permissions traditionally
📄️ Image _Registry_ prohibited
Kubernetes enforces strict policies regarding which container registries are allowed in the cluster. Using images from untrusted or unverified registries can pose significant security risks, such as introducing vulnerabilities, malicious code, or unmaintained software into the environment.
📄️ Application credentials stored in configuration files (GITA-SEC-003)
Setting credentials on arbitrarily accessible locations such as
📄️ Unauthorized AppArmor profile (GITA-SEC-004)
AppArmor is a Linux kernel module developed to harden one's system
�📄️ Auto ServiceAccount token mounted (GITA-SEC-005)
Service Accounts are a Kubernetes native solution for controlling
📄️ Host namespaces not isolated (GITA-SEC-006)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ HostPath volume (GITA-SEC-007)
Kubernetes Volumes are a native solution providing persistent and shared
📄️ Not allowed hostPort (GITA-SEC-008)
Linux containers are primarily made possible by two features. Cgroups, a
📄��️ Privileged access to the Windows node (GITA-SEC-009)
On nodes running Microsoft Windows, Kubernetes provides a mechanism for
📄️ Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 (GITA-SEC-010)
Ingress is a Kubernetes native solution for routing incoming traffic to
📄️ Containers should not run with allowPrivilegeEscalation (GITA-SEC-011)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Container should not be privileged (GITA-SEC-012)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Forbidden proc mount type (GITA-SEC-013)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Read only root filesystem (GITA-SEC-014)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Container running as root (GITA-SEC-015)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Container running as root (Pod) (GITA-SEC-016)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Container running not as user (GITA-SEC-017)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Unauthorized seccomp profile (GITA-SEC-018)
Seccomp is a Linux kernel feature developed to minimize kernel exposure
📄️ Unauthorized seccomp profile (Pod) (GITA-SEC-019)
Seccomp is a Linux kernel feature developed to minimize kernel exposure
📄️ Container with not allowed SELinux options (GITA-SEC-020)
SELinux is a kernel module providing Mandatory Access Control (MAC)
📄️ Pod with not allowed SELinux options (GITA-SEC-021)
SELinux is a kernel module providing Mandatory Access Control (MAC)
📄️ SSH exposed (GITA-SEC-022)
The Secure Shell (SSH) is a protocol for secure communication across a
📄️ Problem drop capabilities (GITA-SEC-023)
Capabilities are a Linux specific set of permissions traditionally
📄️ Not allowed Volume type used (GITA-SEC-024)
Kubernetes Volumes are a native solution providing persistent and shared
📄️ Insecure sysctls (GITA-SEC-025)
Sysctl is an utility created to configure the Linux kernel at runtime,
📄️ Pod running with no user defined (GITA-SEC-026)
Linux containers are primarily made possible by two features. Cgroups, a
📄️ Blocked image registries (GITA-SEC-027)
Certain image registries or image repository paths may be explicitly blocked by policy. This prevents the use of images from sources with a history of vulnerabilities, malicious content, or that are outside the organization’s compliance standards.