Cluster Overview: https://10.43.0.1:443

A little stormy
Grade: D
Score: 66%

Score is the percentage of passing checks. Warnings get half the weight of dangerous checks.

  • 930 passing checks
  • 0 warning checks
  • 475 dangerous checks
Kubernetes Version: 1.35
Nodes: 1
Namespaces: 9
Controllers: 30
Pods: 0

Results by Category

EfficiencyScore: 23%

Configuring resource requests and limits for workloads running in Kubernetes helps ensure that every container will have access to all the resources it needs. These are also a crucial part of cluster autoscaling logic, as new nodes are only spun up when there is insufficient capacity on existing infrastructure for new pod(s). By default, Polaris validates that resource requests and limits are set, it also includes optional functionality to ensure these requests and limits fall within specified ranges. Refer to the Polaris documentation about Efficiency for more information.

ReliabilityScore: 41%

Kubernetes is built to reliabily run highly available applications. Polaris includes a number of checks to ensure that you are maximizing the reliability potential of Kubernetes. Refer to the Polaris documentation about Reliability for more information.

SecurityScore: 68%

Kubernetes provides a great deal of configurability when it comes to the security of your workloads. A key principle here involves limiting the level of access any individual workload has. Polaris has validations for a number of best practices, mostly focused on ensuring that unnecessary access has not been granted to an application workload. Refer to the Polaris documentation about Security for more information.

Filter by Namespace

Cluster Resources

ClusterRole: admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: argocd-application-controller

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: argocd-server

Spec:

  • The ClusterRole allows Pods/exec or pods/attach
ClusterRole: cert-manager-cainjector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-cluster-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificates

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-challenges

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-issuers

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-controller-orders

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: cluster-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: clustercidrs-node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: k3s-cloud-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: local-path-provisioner-role

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: polaris

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: secrets-unsealer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-edit

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregate-to-view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:aggregated-metrics-reader

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:auth-delegator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:basic-user

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:nodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:kubelet-serving-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:certificates.k8s.io:legacy-unknown-approver

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:attachdetach-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:certificate-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:cronjob-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:daemon-set-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:deployment-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:disruption-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpoint-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslice-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:expand-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:generic-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:job-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:namespace-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:node-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:persistent-volume-binder

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pod-garbage-collector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pv-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:pvc-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replicaset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:replication-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resource-claim-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:resourcequota-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:route-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:selinux-warning-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-account-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-cidrs-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:service-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:statefulset-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:ttl-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:controller:volumeattributesclass-protection-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:coredns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:heapster

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:k3s-controller

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-aggregator

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-controller-manager

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-dns

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kube-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:kubelet-api-admin

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:metrics-server

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:monitoring

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-bootstrapper

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-problem-detector

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:node-proxier

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:persistent-volume-provisioner

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:public-info-viewer

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:service-account-issuer-discovery

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: system:volume-scheduler

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: traefik-kube-system

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRole: view

Spec:

  • The ClusterRole does not allow pods/exec or pods/attach
ClusterRoleBinding: argocd-application-controller

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: argocd-server

Spec:

  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: cert-manager-cainjector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-approve:cert-manager-io

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificates

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-certificatesigningrequests

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-challenges

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-clusterissuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-ingress-shim

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-issuers

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-controller-orders

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cert-manager-webhook:subjectaccessreviews

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: cluster-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: clustercidrs-node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: helm-kube-system-traefik

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: helm-kube-system-traefik-crd

Spec:

  • The ClusterRoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
ClusterRoleBinding: k3s-cloud-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: k3s-cloud-controller-manager-auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: kube-apiserver-kubelet-admin

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: local-path-provisioner-bind

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: metrics-server:system:auth-delegator

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: polaris

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: polaris-view

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: sealed-secrets-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:basic-user

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:attachdetach-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:certificate-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:clusterrole-aggregation-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:cronjob-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:daemon-set-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:deployment-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:disruption-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpoint-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslice-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:endpointslicemirroring-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ephemeral-volume-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:expand-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:generic-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:horizontal-pod-autoscaler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:job-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:legacy-service-account-token-cleaner

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:namespace-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:node-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:persistent-volume-binder

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pod-garbage-collector

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:pv-protection-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:pvc-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replicaset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:replication-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:controller:resource-claim-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:resourcequota-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:root-ca-cert-publisher

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:route-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:selinux-warning-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-account-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-cidrs-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:service-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:statefulset-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-after-finished-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:ttl-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:validatingadmissionpolicy-status-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:controller:volumeattributesclass-protection-controller

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:coredns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:k3s-controller

Spec:

  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ClusterRoleBinding: system:kube-controller-manager

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-dns

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:kube-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:metrics-server

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:monitoring

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:node-proxier

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:public-info-viewer

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:service-account-issuer-discovery

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: system:volume-scheduler

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
ClusterRoleBinding: traefik-kube-system

Spec:

  • The ClusterRoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach

Namespace: argocd

ConfigMap: argocd-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-cmd-params-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-gpg-keys-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-image-updater-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-image-updater-ssh-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-rbac-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-redis-health-configmap

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-ssh-known-hosts-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: argocd-tls-certs-cm

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: argocd-applicationset-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Privileged access to the host check is valid

Container applicationset-controller:

  • Readiness probe should be configured
  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Liveness probe should be configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Host port is not configured
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Privilege escalation not allowed
Deployment: argocd-redis

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container redis:

  • Readiness probe should be configured
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Memory requests should be set
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Image tag is specified
  • Not running as privileged
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
Deployment: argocd-repo-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container copyutil:

  • Image pull policy should be "Always"
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Privilege escalation not allowed
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Host port is not configured

Container repo-server:

  • Memory limits should be set
  • CPU limits should be set
  • Image pull policy should be "Always"
  • CPU requests are set
  • Host port is not configured
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Liveness probe is configured
  • Readiness probe is configured
Deployment: argocd-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured

Container server:

  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Not running as privileged
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Readiness probe is configured
Deployment: image-updater-argocd-image-updater

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container argocd-image-updater:

  • Memory requests should be set
  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Readiness probe is configured
  • Image pull policy is "Always"
  • Not running as privileged
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Filesystem is read only
  • Image tag is specified
  • Container does not have any dangerous capabilities
Role: argocd-application-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-applicationset-controller

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-redis-secret-init

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: argocd-repo-server

Spec:

  • The Role allows Pods/exec or pods/attach
Role: argocd-server

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: image-updater-argocd-image-updater

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: argocd-application-controller

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: argocd-applicationset-controller

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-redis-secret-init

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: argocd-repo-server

Spec:

  • The RoleBinding references a Role with wildcard permissions
  • The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: argocd-server

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: image-updater-argocd-image-updater

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: argocd-application-controller

Spec: no checks applied

ServiceAccount: argocd-applicationset-controller

Spec: no checks applied

ServiceAccount: argocd-redis-secret-init

Spec: no checks applied

ServiceAccount: argocd-repo-server

Spec: no checks applied

ServiceAccount: argocd-server

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: image-updater-argocd-image-updater

Spec: no checks applied

StatefulSet: argocd-application-controller

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container application-controller:

  • CPU limits should be set
  • Memory limits should be set
  • Image pull policy should be "Always"
  • Liveness probe should be configured
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • CPU requests are set
  • Privilege escalation not allowed
  • Is not allowed to run as root

Namespace: cert-manager

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cert-manager

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured
  • Label app.kubernetes.io/instance matches metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured

Container cert-manager-controller:

  • Readiness probe should be configured
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Memory limits should be set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Filesystem is read only
  • Privilege escalation not allowed
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Liveness probe is configured
Deployment: cert-manager-cainjector

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • HostPath volumes are not configured

Container cert-manager-cainjector:

  • CPU limits should be set
  • Memory limits should be set
  • CPU requests should be set
  • Readiness probe should be configured
  • Liveness probe should be configured
  • Memory requests should be set
  • Image pull policy should be "Always"
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Image tag is specified
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Filesystem is read only
  • Is not allowed to run as root
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
Deployment: cert-manager-webhook

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container cert-manager-webhook:

  • Memory limits should be set
  • Memory requests should be set
  • CPU requests should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Filesystem is read only
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Readiness probe is configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Is not allowed to run as root
  • Image tag is specified
Role: cert-manager-tokenrequest

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager-webhook:dynamic-serving

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-tokenrequest

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: cert-manager-webhook:dynamic-serving

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
ServiceAccount: cert-manager

Spec: no checks applied

ServiceAccount: cert-manager-cainjector

Spec: no checks applied

ServiceAccount: cert-manager-webhook

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

Namespace: default

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: kube-node-lease

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ServiceAccount: default

Spec: no checks applied

Namespace: kube-public

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: default

Spec: no checks applied

Namespace: kube-system

ConfigMap: chart-content-traefik

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: chart-content-traefik-crd

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: cluster-dns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: coredns

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: extension-apiserver-authentication

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-apiserver-legacy-service-account-token-tracking

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: local-path-config

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
DaemonSet: svclb-traefik-05a505e1

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will not be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required

Container lb-tcp-80:

  • Liveness probe should be configured
  • Container should not have dangerous capabilities
  • Host port should not be configured
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • CPU limits should be set
  • Memory limits should be set
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Not running as privileged

Container lb-tcp-443:

  • CPU limits should be set
  • Container should not have dangerous capabilities
  • Privilege escalation should not be allowed
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory limits should be set
  • CPU requests should be set
  • Host port should not be configured
  • Container should not have insecure capabilities
  • Memory requests should be set
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Not running as privileged
Deployment: coredns

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • HostPath volumes are not configured
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • Privileged access to the host check is valid
  • Pod has a valid topology spread constraint

Container coredns:

  • Image pull policy should be "Always"
  • CPU limits should be set
  • Should not be allowed to run as root
  • Container does not have any insecure capabilities
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Readiness probe is configured
  • Memory requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU requests are set
  • Memory limits are set
  • Filesystem is read only
  • Image tag is specified
  • Host port is not configured
Deployment: local-path-provisioner

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured

Container local-path-provisioner:

  • CPU limits should be set
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Memory limits should be set
  • Filesystem should be read only
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Privilege escalation should not be allowed
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
Deployment: metrics-server

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host network is not configured

Container metrics-server:

  • Memory limits should be set
  • CPU limits should be set
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Readiness probe is configured
  • CPU requests are set
  • Not running as privileged
  • Is not allowed to run as root
  • Image tag is specified
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Liveness probe is configured
  • Memory requests are set
  • Privilege escalation not allowed
Deployment: sealed-secrets-controller

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container controller:

  • Privilege escalation should not be allowed
  • Memory limits should be set
  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Is not allowed to run as root
  • Container does not have any insecure capabilities
  • Liveness probe is configured
  • Readiness probe is configured
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • Image tag is specified
Deployment: traefik

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured

Container traefik:

  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Host port is not configured
  • Container does not have any insecure capabilities
  • Is not allowed to run as root
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Container does not have any dangerous capabilities
  • Liveness probe is configured
  • Privilege escalation not allowed
  • Image tag is specified
  • Filesystem is read only
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
Job: helm-install-traefik

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Priority class has been set
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured

Container helm:

  • Image pull policy should be "Always"
  • CPU requests are set
  • Host port is not configured
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Filesystem is read only
  • The container does not set potentially sensitive environment variables
  • Is not allowed to run as root
  • CPU limits are set
  • Container does not have any dangerous capabilities
  • Container does not have any insecure capabilities
  • Memory limits are set
  • Image tag is specified
  • Memory requests are set
  • Privilege escalation not allowed
  • Not running as privileged
Job: helm-install-traefik-crd

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured
  • Priority class has been set
  • Host IPC is not configured

Container helm:

  • Image pull policy should be "Always"
  • Memory limits are set
  • Is not allowed to run as root
  • CPU limits are set
  • CPU requests are set
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Memory requests are set
  • Image tag is specified
  • Filesystem is read only
Role: cert-manager-cainjector:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: cert-manager:leaderelection

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: extension-apiserver-authentication-reader

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: sealed-secrets-controller-key-admin

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: sealed-secrets-controller-service-proxier

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-controller-manager

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system::leader-locking-kube-scheduler

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:bootstrap-signer

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:cloud-provider

Spec:

  • The Role does not allow pods/exec or pods/attach
Role: system:controller:token-cleaner

Spec:

  • The Role does not allow pods/exec or pods/attach
RoleBinding: cert-manager-cainjector:leaderelection

Spec:

  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
RoleBinding: cert-manager:leaderelection

Spec:

  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
RoleBinding: k3s-cloud-controller-manager-authentication-reader

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: metrics-server-auth-reader

Spec:

  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
RoleBinding: sealed-secrets-controller-key-admin

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: sealed-secrets-controller-service-proxier

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::extension-apiserver-authentication-reader

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-controller-manager

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system::leader-locking-kube-scheduler

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:bootstrap-signer

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:cloud-provider

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
RoleBinding: system:controller:token-cleaner

Spec:

  • The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
  • The RoleBinding does not reference a Role with wildcard permissions
  • The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
  • The RoleBinding does not reference a Role allowing Pod exec or attach
ServiceAccount: attachdetach-controller

Spec: no checks applied

ServiceAccount: certificate-controller

Spec: no checks applied

ServiceAccount: clusterrole-aggregation-controller

Spec: no checks applied

ServiceAccount: coredns

Spec: no checks applied

ServiceAccount: cronjob-controller

Spec: no checks applied

ServiceAccount: daemon-set-controller

Spec: no checks applied

ServiceAccount: default

Spec: no checks applied

ServiceAccount: deployment-controller

Spec: no checks applied

ServiceAccount: disruption-controller

Spec: no checks applied

ServiceAccount: endpoint-controller

Spec: no checks applied

ServiceAccount: endpointslice-controller

Spec: no checks applied

ServiceAccount: endpointslicemirroring-controller

Spec: no checks applied

ServiceAccount: ephemeral-volume-controller

Spec: no checks applied

ServiceAccount: expand-controller

Spec: no checks applied

ServiceAccount: generic-garbage-collector

Spec: no checks applied

ServiceAccount: helm-traefik

Spec: no checks applied

ServiceAccount: helm-traefik-crd

Spec: no checks applied

ServiceAccount: horizontal-pod-autoscaler

Spec: no checks applied

ServiceAccount: job-controller

Spec: no checks applied

ServiceAccount: legacy-service-account-token-cleaner

Spec: no checks applied

ServiceAccount: local-path-provisioner-service-account

Spec: no checks applied

ServiceAccount: metrics-server

Spec: no checks applied

ServiceAccount: namespace-controller

Spec: no checks applied

ServiceAccount: node-controller

Spec: no checks applied

ServiceAccount: persistent-volume-binder

Spec: no checks applied

ServiceAccount: pod-garbage-collector

Spec: no checks applied

ServiceAccount: pv-protection-controller

Spec: no checks applied

ServiceAccount: pvc-protection-controller

Spec: no checks applied

ServiceAccount: replicaset-controller

Spec: no checks applied

ServiceAccount: replication-controller

Spec: no checks applied

ServiceAccount: resource-claim-controller

Spec: no checks applied

ServiceAccount: resourcequota-controller

Spec: no checks applied

ServiceAccount: root-ca-cert-publisher

Spec: no checks applied

ServiceAccount: sealed-secrets-controller

Spec: no checks applied

ServiceAccount: service-account-controller

Spec: no checks applied

ServiceAccount: service-cidrs-controller

Spec: no checks applied

ServiceAccount: statefulset-controller

Spec: no checks applied

ServiceAccount: svclb

Spec: no checks applied

ServiceAccount: token-cleaner

Spec: no checks applied

ServiceAccount: traefik

Spec: no checks applied

ServiceAccount: ttl-after-finished-controller

Spec: no checks applied

ServiceAccount: ttl-controller

Spec: no checks applied

ServiceAccount: validatingadmissionpolicy-status-controller

Spec: no checks applied

ServiceAccount: volumeattributesclass-protection-controller

Spec: no checks applied

Namespace: polaris

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: polaris

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: polaris-dashboard

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Pod has a valid topology spread constraint

Container dashboard:

  • Image tag is specified
  • Container does not have any dangerous capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • Liveness probe is configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any insecure capabilities
  • Memory limits are set
  • Filesystem is read only
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Readiness probe is configured
  • Not running as privileged
  • CPU requests are set
  • Is not allowed to run as root
  • CPU limits are set
  • Host port is not configured
  • Memory requests are set
Deployment: polaris-webhook

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Multiple replicas are scheduled
  • A PodDisruptionBudget is attached
  • PDB and HPA are correctly configured

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Pod has a valid topology spread constraint
  • Privileged access to the host check is valid

Container webhook:

  • CPU limits should be set
  • Memory limits should be set
  • Container does not have any dangerous capabilities
  • Privilege escalation not allowed
  • Image pull policy is "Always"
  • Is not allowed to run as root
  • Host port is not configured
  • Liveness probe is configured
  • Memory requests are set
  • Filesystem is read only
  • Readiness probe is configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any insecure capabilities
  • One of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities are used to restrict containers using unwanted privileges
  • CPU requests are set
PodDisruptionBudget: polaris-dashboard

Spec:

  • Voluntary evictions are possible
PodDisruptionBudget: polaris-webhook

Spec:

  • Voluntary evictions are possible
ServiceAccount: default

Spec: no checks applied

ServiceAccount: polaris

Spec: no checks applied

Namespace: vitrine-apps

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: cms-deployment

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Multiple replicas are scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured

Container wait-for-postgres:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified

Container cms-deployment:

  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Memory limits are set
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • CPU requests are set
  • CPU limits are set
  • Liveness probe is configured
  • Memory requests are set
  • Readiness probe is configured
  • Not running as privileged
Deployment: web-deployment

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured
  • Multiple replicas are scheduled

Pod Spec:

  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container wait-for-schema:

  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Image tag is specified
  • Container does not have any dangerous capabilities

Container web-deployment:

  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • CPU requests are set
  • Memory requests are set
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • CPU limits are set
  • Container does not have any dangerous capabilities
  • Readiness probe is configured
  • Image tag is specified
  • Memory limits are set
  • Host port is not configured
  • Liveness probe is configured
ServiceAccount: default

Spec: no checks applied

Namespace: vitrine-data

ConfigMap: kube-root-ca.crt

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: supabase-supabase-db-initdb

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: supabase-supabase-db-migrations

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: supabase-supabase-functions-main

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
ConfigMap: supabase-supabase-kong

Spec:

  • The ConfigMap does not contain potentially sensitive content in its keys and values
Deployment: supabase-supabase-auth

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • HostPath volumes are not configured

Container init-db:

  • Privilege escalation should not be allowed
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged

Container supabase-auth:

  • Should not be allowed to run as root
  • CPU limits should be set
  • Filesystem should be read only
  • Liveness probe should be configured
  • Memory requests should be set
  • Readiness probe should be configured
  • Memory limits should be set
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
Deployment: supabase-supabase-functions

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Host PID is not configured
  • Host IPC is not configured
  • HostPath volumes are not configured

Container supabase-functions:

  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • CPU requests should be set
  • Memory requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Memory limits should be set
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • The container sets potentially sensitive environment variables
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured
Deployment: supabase-supabase-kong

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid

Container supabase-kong:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Memory limits should be set
  • Memory requests should be set
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • CPU requests should be set
  • Filesystem should be read only
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Not running as privileged
Deployment: supabase-supabase-meta

Spec:

  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • PDB and HPA are correctly configured

Pod Spec:

  • Pod should be configured with a valid topology spread constraint
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • The ServiceAccount will be automounted
  • Priority class should be set
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host IPC is not configured
  • Host network is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container supabase-meta:

  • Memory limits should be set
  • Filesystem should be read only
  • CPU limits should be set
  • CPU requests should be set
  • Container should not have insecure capabilities
  • Liveness probe should be configured
  • Memory requests should be set
  • Privilege escalation should not be allowed
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • The container sets potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
  • Image tag is specified
  • Container does not have any dangerous capabilities
Deployment: supabase-supabase-realtime

Spec:

  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • Only one replica is scheduled
  • PDB and HPA are correctly configured

Pod Spec:

  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • The ServiceAccount will be automounted
  • Host network is not configured
  • HostPath volumes are not configured
  • Host IPC is not configured
  • Host PID is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container init-db:

  • Image pull policy should be "Always"
  • Filesystem should be read only
  • Should not be allowed to run as root
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified

Container supabase-realtime:

  • Liveness probe should be configured
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Should not be allowed to run as root
  • Memory requests should be set
  • Filesystem should be read only
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Memory limits should be set
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
Deployment: supabase-supabase-rest

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • Priority class should be set
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured
  • Host PID is not configured
  • The default /proc masks are set up to reduce attack surface, and should be required

Container init-db:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Container should not have insecure capabilities
  • Filesystem should be read only
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Host port is not configured

Container supabase-rest:

  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • Should not be allowed to run as root
  • CPU limits should be set
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Readiness probe should be configured
  • CPU requests should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
Deployment: supabase-supabase-storage

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Privileged access to the host check is valid
  • Host network is not configured

Container init-db:

  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Privilege escalation should not be allowed
  • Should not be allowed to run as root
  • Image pull policy should be "Always"
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged

Container supabase-storage:

  • CPU limits should be set
  • CPU requests should be set
  • Memory requests should be set
  • Privilege escalation should not be allowed
  • Readiness probe should be configured
  • Memory limits should be set
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Should not be allowed to run as root
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Image pull policy should be "Always"
  • Container does not have any dangerous capabilities
  • Image tag is specified
  • The container does not set potentially sensitive environment variables
  • Host port is not configured
  • Not running as privileged
Deployment: supabase-supabase-studio

Spec:

  • Only one replica is scheduled
  • Label app.kubernetes.io/instance must match metadata.name
  • Should have a PodDisruptionBudget
  • PDB and HPA are correctly configured

Pod Spec:

  • The ServiceAccount will be automounted
  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required
  • Host network is not configured
  • Host PID is not configured
  • HostPath volumes are not configured

Container supabase-studio:

  • Image pull policy should be "Always"
  • CPU limits should be set
  • Container should not have insecure capabilities
  • Readiness probe should be configured
  • Should not be allowed to run as root
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Memory requests should be set
  • Filesystem should be read only
  • Privilege escalation should not be allowed
  • CPU requests should be set
  • Liveness probe should be configured
  • Memory limits should be set
  • Not running as privileged
  • Container does not have any dangerous capabilities
  • Host port is not configured
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
ServiceAccount: default

Spec: no checks applied

ServiceAccount: supabase-supabase-auth

Spec: no checks applied

ServiceAccount: supabase-supabase-db

Spec: no checks applied

ServiceAccount: supabase-supabase-functions

Spec: no checks applied

ServiceAccount: supabase-supabase-kong

Spec: no checks applied

ServiceAccount: supabase-supabase-meta

Spec: no checks applied

ServiceAccount: supabase-supabase-realtime

Spec: no checks applied

ServiceAccount: supabase-supabase-rest

Spec: no checks applied

ServiceAccount: supabase-supabase-storage

Spec: no checks applied

ServiceAccount: supabase-supabase-studio

Spec: no checks applied

StatefulSet: supabase-supabase-db

Spec:

  • Label app.kubernetes.io/instance must match metadata.name

Pod Spec:

  • A NetworkPolicy should match pod labels and contain applied egress and ingress rules
  • Priority class should be set
  • The ServiceAccount will be automounted
  • Pod should be configured with a valid topology spread constraint
  • Host IPC is not configured
  • Host PID is not configured
  • HostPath volumes are not configured
  • Host network is not configured
  • Privileged access to the host check is valid
  • The default /proc masks are set up to reduce attack surface, and should be required

Container init-pgsodium:

  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • Not running as privileged
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Container does not have any dangerous capabilities
  • Host port is not configured

Container init-db:

  • Filesystem should be read only
  • Container should not have insecure capabilities
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Should not be allowed to run as root
  • The container does not set potentially sensitive environment variables
  • Container does not have any dangerous capabilities
  • Not running as privileged
  • Image tag is specified
  • Host port is not configured

Container supabase-db:

  • CPU limits should be set
  • Container should not have insecure capabilities
  • Memory requests should be set
  • CPU requests should be set
  • Readiness probe should be configured
  • Memory limits should be set
  • Filesystem should be read only
  • Privilege escalation should not be allowed
  • Image pull policy should be "Always"
  • Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
  • Liveness probe should be configured
  • Should not be allowed to run as root
  • Container does not have any dangerous capabilities
  • The container does not set potentially sensitive environment variables
  • Image tag is specified
  • Host port is not configured
  • Not running as privileged