---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  name: k8s-cis-1.23
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/version: 0.29.0
    app.kubernetes.io/managed-by: kubectl
spec:
  cron: "0 5 * * *"
  reportType: "summary"
  compliance:
    id: k8s-cis-1.23
    title: CIS Kubernetes Benchmarks v1.23
    description: CIS Kubernetes Benchmarks
    platform: k8s
    type: cis
    relatedResources:
      - https://www.cisecurity.org/benchmark/kubernetes
    version: "1.23"
    controls:
      - id: 1.1.1
        name: Ensure that the API server pod specification file permissions are set to 600 or more restrictive
        description: Ensure that the API server pod specification file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0048
        commands:
          - id: CMD-0001
        severity: HIGH
      - id: 1.1.2
        name: Ensure that the API server pod specification file ownership is set to root:root
        description: Ensure that the API server pod specification file ownership is set to root:root
        checks:
          - id: AVD-KCV-0049
        commands:
          - id: CMD-0002
        severity: HIGH
      - id: 1.1.3
        name: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
        description: Ensure that the controller manager pod specification file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0050
        commands:
          - id: CMD-0003
        severity: HIGH
      - id: 1.1.4
        name: Ensure that the controller manager pod specification file ownership is set to root:root
        description: Ensure that the controller manager pod specification file ownership is set to root:root
        checks:
          - id: AVD-KCV-0051
        commands:
          - id: CMD-0004
        severity: HIGH
      - id: 1.1.5
        name: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
        description: Ensure that the scheduler pod specification file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0052
        commands:
          - id: CMD-0005
        severity: HIGH
      - id: 1.1.6
        name: Ensure that the scheduler pod specification file ownership is set to root:root
        description: Ensure that the scheduler pod specification file ownership is set to root:root
        checks:
          - id: AVD-KCV-0053
        commands:
          - id: CMD-0006
        severity: HIGH
      - id: 1.1.7
        name: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
        description: Ensure that the etcd pod specification file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0054
        commands:
          - id: CMD-0007
        severity: HIGH
      - id: 1.1.8
        name: Ensure that the etcd pod specification file ownership is set to root:root
        description: Ensure that the etcd pod specification file ownership is set to root:root.
        checks:
          - id: AVD-KCV-0055
        commands:
          - id: CMD-0008
        severity: HIGH
      - id: 1.1.9
        name: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
        description: Ensure that the Container Network Interface files have permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0056
        commands:
          - id: CMD-0009
        severity: HIGH
      - id: 1.1.10
        name: Ensure that the Container Network Interface file ownership is set to root:root
        description: Ensure that the Container Network Interface files have ownership set to root:root
        checks:
          - id: AVD-KCV-0057
        commands:
          - id: CMD-0010
        severity: HIGH
      - id: 1.1.11
        name: Ensure that the etcd data directory permissions are set to 700 or more restrictive
        description: Ensure that the etcd data directory has permissions of 700 or more restrictive
        checks:
          - id: AVD-KCV-0058
        commands:
          - id: CMD-0011
        severity: HIGH
      - id: 1.1.12
        name: Ensure that the etcd data directory ownership is set to etcd:etcd
        description: Ensure that the etcd data directory ownership is set to etcd:etcd
        checks:
          - id: AVD-KCV-0059
        commands:
          - id: CMD-0012
        severity: LOW
      - id: 1.1.13
        name: Ensure that the admin.conf file permissions are set to 600
        description: Ensure that the admin.conf file has permissions of 600
        checks:
          - id: AVD-KCV-0060
        commands:
          - id: CMD-0013
        severity: CRITICAL
      - id: 1.1.14
        name: Ensure that the admin.conf file ownership is set to root:root
        description: Ensure that the admin.conf file ownership is set to root:root
        checks:
          - id: AVD-KCV-0061
        commands:
          - id: CMD-0014
        severity: CRITICAL
      - id: 1.1.15
        name: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
        description: Ensure that the scheduler.conf file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0062
        commands:
          - id: CMD-0015
        severity: HIGH
      - id: 1.1.16
        name: Ensure that the scheduler.conf file ownership is set to root:root
        description: Ensure that the scheduler.conf file ownership is set to root:root
        checks:
          - id: AVD-KCV-0063
        commands:
          - id: CMD-0016
        severity: HIGH
      - id: 1.1.17
        name: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
        description: Ensure that the controller-manager.conf file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0064
        commands:
          - id: CMD-0017
        severity: HIGH
      - id: 1.1.18
        name: Ensure that the controller-manager.conf file ownership is set to root:root
        description: Ensure that the controller-manager.conf file ownership is set to root:root.
        checks:
          - id: AVD-KCV-0065
        commands:
          - id: CMD-0018
        severity: HIGH
      - id: 1.1.19
        name: Ensure that the Kubernetes PKI directory and file ownership is set to root:root
        description: Ensure that the Kubernetes PKI directory and file ownership is set to root:root
        checks:
          - id: AVD-KCV-0066
        commands:
          - id: CMD-0019
        severity: CRITICAL
      - id: 1.1.20
        name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive
        description: Ensure that Kubernetes PKI certificate files have permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0068
        commands:
          - id: CMD-0020
        severity: CRITICAL
      - id: 1.1.21
        name: Ensure that the Kubernetes PKI key file permissions are set to 600
        description: Ensure that Kubernetes PKI key files have permissions of 600
        checks:
          - id: AVD-KCV-0067
        commands:
          - id: CMD-0021
        severity: CRITICAL
      - id: 1.2.1
        name: Ensure that the --anonymous-auth argument is set to false
        description: Disable anonymous requests to the API server
        checks:
          - id: AVD-KCV-0001
        severity: MEDIUM
      - id: 1.2.2
        name: Ensure that the --token-auth-file parameter is not set
        description: Do not use token based authentication
        checks:
          - id: AVD-KCV-0002
        severity: LOW
      - id: 1.2.3
        name: Ensure that the --DenyServiceExternalIPs is not set
        description: This admission controller rejects all net-new usage of the Service field externalIPs
        checks:
          - id: AVD-KCV-0003
        severity: LOW
      - id: 1.2.4
        name: Ensure that the --kubelet-https argument is set to true
        description: Use https for kubelet connections
        checks:
          - id: AVD-KCV-0004
        severity: LOW
      - id: 1.2.5
        name: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
        description: Enable certificate based kubelet authentication
        checks:
          - id: AVD-KCV-0005
        severity: HIGH
      - id: 1.2.6
        name: Ensure that the --kubelet-certificate-authority argument is set as appropriate
        description: Verify the kubelet's certificate before establishing a connection
        checks:
          - id: AVD-KCV-0006
        severity: HIGH
      - id: 1.2.7
        name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
        description: Do not always authorize all requests
        checks:
          - id: AVD-KCV-0007
        severity: LOW
      - id: 1.2.8
        name: Ensure that the --authorization-mode argument includes Node
        description: Restrict kubelet nodes to reading only objects associated with them
        checks:
          - id: AVD-KCV-0008
        severity: HIGH
      - id: 1.2.9
        name: Ensure that the --authorization-mode argument includes RBAC
        description: Turn on Role Based Access Control
        checks:
          - id: AVD-KCV-0009
        severity: HIGH
      - id: 1.2.10
        name: Ensure that the admission control plugin EventRateLimit is set
        description: Limit the rate at which the API server accepts requests
        checks:
          - id: AVD-KCV-0010
        severity: HIGH
      - id: 1.2.11
        name: Ensure that the admission control plugin AlwaysAdmit is not set
        description: Do not allow all requests
        checks:
          - id: AVD-KCV-0011
        severity: LOW
      - id: 1.2.12
        name: Ensure that the admission control plugin AlwaysPullImages is set
        description: Always pull images
        checks:
          - id: AVD-KCV-0012
        severity: MEDIUM
      - id: 1.2.13
        name: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
        description: The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster
        checks:
          - id: AVD-KCV-0013
        severity: MEDIUM
      - id: 1.2.14
        name: Ensure that the admission control plugin ServiceAccount is set
        description: Automate service accounts management
        checks:
          - id: AVD-KCV-0014
        severity: LOW
      - id: 1.2.15
        name: Ensure that the admission control plugin NamespaceLifecycle is set
        description: Reject creating objects in a namespace that is undergoing termination
        checks:
          - id: AVD-KCV-0015
        severity: LOW
      - id: 1.2.16
        name: Ensure that the admission control plugin NodeRestriction is set
        description: Limit the Node and Pod objects that a kubelet could modify
        checks:
          - id: AVD-KCV-0016
        severity: LOW
      - id: 1.2.17
        name: Ensure that the --secure-port argument is not set to 0
        description: Do not disable the secure port
        checks:
          - id: AVD-KCV-0017
        severity: HIGH
      - id: 1.2.18
        name: Ensure that the --profiling argument is set to false
        description: Disable profiling, if not needed
        checks:
          - id: AVD-KCV-0018
        severity: LOW
      - id: 1.2.19
        name: Ensure that the --audit-log-path argument is set
        description: Enable auditing on the Kubernetes API Server and set the desired audit log path.
        checks:
          - id: AVD-KCV-0019
        severity: LOW
      - id: 1.2.20
        name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
        description: Retain the logs for at least 30 days or as appropriate
        checks:
          - id: AVD-KCV-0020
        severity: LOW
      - id: 1.2.21
        name: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
        description: Retain 10 or an appropriate number of old log files
        checks:
          - id: AVD-KCV-0021
        severity: LOW
      - id: 1.2.22
        name: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
        description: Rotate log files on reaching 100 MB or as appropriate
        checks:
          - id: AVD-KCV-0022
        severity: LOW
      - id: 1.2.24
        name: Ensure that the --service-account-lookup argument is set to true
        description: Validate service account before validating token
        checks:
          - id: AVD-KCV-0024
        severity: LOW
      - id: 1.2.25
        name: Ensure that the --service-account-key-file argument is set as appropriate
        description: Explicitly set a service account public key file for service accounts on the apiserver
        checks:
          - id: AVD-KCV-0025
        severity: LOW
      - id: 1.2.26
        name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
        description: etcd should be configured to make use of TLS encryption for client connections
        checks:
          - id: AVD-KCV-0026
        severity: LOW
      - id: 1.2.27
        name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
        description: Setup TLS connection on the API server
        checks:
          - id: AVD-KCV-0027
        severity: MEDIUM
      - id: 1.2.28
        name: Ensure that the --client-ca-file argument is set as appropriate
        description: Setup TLS connection on the API server
        checks:
          - id: AVD-KCV-0028
        severity: LOW
      - id: 1.2.29
        name: Ensure that the --etcd-cafile argument is set as appropriate
        description: etcd should be configured to make use of TLS encryption for client connections.
        checks:
          - id: AVD-KCV-0029
        severity: LOW
      - id: 1.2.30
        name: Ensure that the --encryption-provider-config argument is set as appropriate
        description: Encrypt etcd key-value store
        checks:
          - id: AVD-KCV-0030
        severity: LOW
      - id: 1.3.1
        name: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
        description: Activate garbage collector on pod termination, as appropriate
        checks:
          - id: AVD-KCV-0033
        severity: MEDIUM
      - id: 1.3.3
        name: Ensure that the --use-service-account-credentials argument is set to true
        description: Use individual service account credentials for each controller
        checks:
          - id: AVD-KCV-0035
        severity: MEDIUM
      - id: 1.3.4
        name: Ensure that the --service-account-private-key-file argument is set as appropriate
        description: Explicitly set a service account private key file for service accounts on the controller manager
        checks:
          - id: AVD-KCV-0036
        severity: MEDIUM
      - id: 1.3.5
        name: Ensure that the --root-ca-file argument is set as appropriate
        description: Allow pods to verify the API server's serving certificate before establishing connections
        checks:
          - id: AVD-KCV-0037
        severity: MEDIUM
      - id: 1.3.6
        name: Ensure that the RotateKubeletServerCertificate argument is set to true
        description: Enable kubelet server certificate rotation on controller-manager
        checks:
          - id: AVD-KCV-0038
        severity: MEDIUM
      - id: 1.3.7
        name: Ensure that the --bind-address argument is set to 127.0.0.1
        description: Do not bind the scheduler service to non-loopback insecure addresses
        checks:
          - id: AVD-KCV-0039
        severity: LOW
      - id: 1.4.1
        name: Ensure that the --profiling argument is set to false
        description: Disable profiling, if not needed
        checks:
          - id: AVD-KCV-0034
        severity: MEDIUM
      - id: 1.4.2
        name: Ensure that the --bind-address argument is set to 127.0.0.1
        description: Do not bind the scheduler service to non-loopback insecure addresses
        checks:
          - id: AVD-KCV-0041
        severity: CRITICAL
      - id: "2.1"
        name: Ensure that the --cert-file and --key-file arguments are set as appropriate
        description: Configure TLS encryption for the etcd service
        checks:
          - id: AVD-KCV-0042
        severity: MEDIUM
      - id: "2.2"
        name: Ensure that the --client-cert-auth argument is set to true
        description: Enable client authentication on etcd service
        checks:
          - id: AVD-KCV-0043
        severity: CRITICAL
      - id: "2.3"
        name: Ensure that the --auto-tls argument is not set to true
        description: Do not use self-signed certificates for TLS
        checks:
          - id: AVD-KCV-0044
        severity: CRITICAL
      - id: "2.4"
        name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
        description: etcd should be configured to make use of TLS encryption for peer connections.
        checks:
          - id: AVD-KCV-0045
        severity: CRITICAL
      - id: "2.5"
        name: Ensure that the --peer-client-cert-auth argument is set to true
        description: etcd should be configured for peer authentication
        checks:
          - id: AVD-KCV-0046
        severity: CRITICAL
      - id: "2.6"
        name: Ensure that the --peer-auto-tls argument is not set to true
        description: Do not use self-signed certificates for TLS
        checks:
          - id: AVD-KCV-0047
        severity: HIGH
      - id: 3.1.1
        name: Client certificate authentication should not be used for users (Manual)
        description: Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose
        severity: HIGH
      - id: 3.2.1
        name: Ensure that a minimal audit policy is created (Manual)
        description: Kubernetes can audit the details of requests made to the API server. The --audit-policy-file flag must be set for this logging to be enabled.
        severity: HIGH
      - id: 3.2.2
        name: Ensure that the audit policy covers key security concerns (Manual)
        description: Ensure that the audit policy created for the cluster covers key security concerns
        severity: HIGH
      - id: 4.1.1
        name: Ensure that the kubelet service file permissions are set to 600 or more restrictive
        description: Ensure that the kubelet service file has permissions of 600 or more restrictive.
        checks:
          - id: AVD-KCV-0069
        commands:
          - id: CMD-0022
        severity: HIGH
      - id: 4.1.2
        name: Ensure that the kubelet service file ownership is set to root:root
        description: Ensure that the kubelet service file ownership is set to root:root
        checks:
          - id: AVD-KCV-0070
        commands:
          - id: CMD-0023
        severity: HIGH
      - id: 4.1.3
        name: If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
        description: If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0071
        commands:
          - id: CMD-0024
        severity: HIGH
      - id: 4.1.4
        name: If proxy kubeconfig file exists ensure ownership is set to root:root
        description: If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root
        checks:
          - id: AVD-KCV-0072
        commands:
          - id: CMD-0025
        severity: HIGH
      - id: 4.1.5
        name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
        description: Ensure that the kubelet.conf file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0073
        commands:
          - id: CMD-0026
        severity: HIGH
      - id: 4.1.6
        name: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
        description: Ensure that the kubelet.conf file ownership is set to root:root
        checks:
          - id: AVD-KCV-0074
        commands:
          - id: CMD-0027
        severity: HIGH
      - id: 4.1.7
        name: Ensure that the certificate authorities file permissions are set to 600 or more restrictive
        description: Ensure that the certificate authorities file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0075
        commands:
          - id: CMD-0028
        severity: CRITICAL
      - id: 4.1.8
        name: Ensure that the client certificate authorities file ownership is set to root:root
        description: Ensure that the certificate authorities file ownership is set to root:root
        checks:
          - id: AVD-KCV-0076
        commands:
          - id: CMD-0029
        severity: CRITICAL
      - id: 4.1.9
        name: If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
        description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive
        checks:
          - id: AVD-KCV-0077
        commands:
          - id: CMD-0030
        severity: HIGH
      - id: 4.1.10
        name: If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
        description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root
        checks:
          - id: AVD-KCV-0078
        commands:
          - id: CMD-0031
        severity: HIGH
      - id: 4.2.1
        name: Ensure that the --anonymous-auth argument is set to false
        description: Disable anonymous requests to the Kubelet server
        checks:
          - id: AVD-KCV-0079
        commands:
          - id: CMD-0032
        severity: CRITICAL
      - id: 4.2.2
        name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
        description: Do not allow all requests. Enable explicit authorization
        checks:
          - id: AVD-KCV-0080
        commands:
          - id: CMD-0033
        severity: CRITICAL
      - id: 4.2.3
        name: Ensure that the --client-ca-file argument is set as appropriate
        description: Enable Kubelet authentication using certificates
        checks:
          - id: AVD-KCV-0081
        commands:
          - id: CMD-0034
        severity: CRITICAL
      - id: 4.2.4
        name: Verify that the --read-only-port argument is set to 0
        description: Disable the read-only port
        checks:
          - id: AVD-KCV-0082
        commands:
          - id: CMD-0035
        severity: HIGH
      - id: 4.2.5
        name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
        description: Do not disable timeouts on streaming connections
        checks:
          - id: AVD-KCV-0085
        commands:
          - id: CMD-0036
        severity: HIGH
      - id: 4.2.6
        name: Ensure that the --protect-kernel-defaults argument is set to true
        description: Protect tuned kernel parameters from overriding kubelet default kernel parameter values
        checks:
          - id: AVD-KCV-0083
        commands:
          - id: CMD-0037
        severity: HIGH
      - id: 4.2.7
        name: Ensure that the --make-iptables-util-chains argument is set to true
        description: Allow Kubelet to manage iptables
        checks:
          - id: AVD-KCV-0084
        commands:
          - id: CMD-0038
        severity: HIGH
      - id: 4.2.8
        name: Ensure that the --hostname-override argument is not set
        description: Do not override node hostnames
        checks:
          - id: AVD-KCV-0086
        commands:
          - id: CMD-0039
        severity: HIGH
      - id: 4.2.9
        name: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
        description: Security relevant information should be captured. The --event-qps flag on the Kubelet can be used to limit the rate at which events are gathered
        checks:
          - id: AVD-KCV-0087
        commands:
          - id: CMD-0040
        severity: HIGH
      - id: 4.2.10
        name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
        description: Setup TLS connection on the Kubelets
        checks:
          - id: AVD-KCV-0088
          - id: AVD-KCV-0089
        commands:
          - id: CMD-0041
          - id: CMD-0042
        severity: CRITICAL
      - id: 4.2.11
        name: Ensure that the --rotate-certificates argument is not set to false
        description: Enable kubelet client certificate rotation
        checks:
          - id: AVD-KCV-0090
        commands:
          - id: CMD-0043
        severity: CRITICAL
      - id: 4.2.12
        name: Verify that the RotateKubeletServerCertificate argument is set to true
        description: Enable kubelet server certificate rotation
        checks:
          - id: AVD-KCV-0091
        commands:
          - id: CMD-0044
        severity: CRITICAL
      - id: 4.2.13
        name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
        description: Ensure that the Kubelet is configured to only use strong cryptographic ciphers
        checks:
          - id: AVD-KCV-0092
        commands:
          - id: CMD-0045
        severity: CRITICAL
      - id: 5.1.1
        name: Ensure that the cluster-admin role is only used where required
        description: The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed
        checks:
          - id: AVD-KSV-0111
        severity: HIGH
      - id: 5.1.2
        name: Minimize access to secrets
        description: The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster
        checks:
          - id: AVD-KSV-0041
        severity: HIGH
      - id: 5.1.3
        name: Minimize wildcard use in Roles and ClusterRoles
        description: Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items
        checks:
          - id: AVD-KSV-0044
          - id: AVD-KSV-0045
          - id: AVD-KSV-0046
        severity: HIGH
      - id: 5.1.6
        name: Ensure that Service Account Tokens are only mounted where necessary
        description: Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server
        checks:
          - id: AVD-KSV-0036
        severity: HIGH
      - id: 5.1.8
        name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
        description: Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required
        checks:
          - id: AVD-KSV-0043
        severity: HIGH
      - id: 5.2.2
        name: Minimize the admission of privileged containers
        description: Do not generally permit containers to be run with the securityContext.privileged flag set to true
        checks:
          - id: AVD-KSV-0017
        severity: HIGH
      - id: 5.2.3
        name: Minimize the admission of containers wishing to share the host process ID namespace
        description: Do not generally permit containers to be run with the hostPID flag set to true.
        checks:
          - id: AVD-KSV-0010
        severity: HIGH
      - id: 5.2.4
        name: Minimize the admission of containers wishing to share the host IPC namespace
        description: Do not generally permit containers to be run with the hostIPC flag set to true
        checks:
          - id: AVD-KSV-0008
        severity: HIGH
      - id: 5.2.5
        name: Minimize the admission of containers wishing to share the host network namespace
        description: Do not generally permit containers to be run with the hostNetwork flag set to true
        checks:
          - id: AVD-KSV-0009
        severity: HIGH
      - id: 5.2.6
        name: Minimize the admission of containers with allowPrivilegeEscalation
        description: Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true
        checks:
          - id: AVD-KSV-0001
        severity: HIGH
      - id: 5.2.7
        name: Minimize the admission of root containers
        description: Do not generally permit containers to be run as the root user
        checks:
          - id: AVD-KSV-0012
        severity: MEDIUM
      - id: 5.2.8
        name: Minimize the admission of containers with the NET_RAW capability
        description: Do not generally permit containers with the potentially dangerous NET_RAW capability
        checks:
          - id: AVD-KSV-0022
        severity: MEDIUM
      - id: 5.2.9
        name: Minimize the admission of containers with added capabilities
        description: Do not generally permit containers with capabilities assigned beyond the default set
        checks:
          - id: AVD-KSV-0004
        severity: LOW
      - id: 5.2.10
        name: Minimize the admission of containers with capabilities assigned
        description: Do not generally permit containers with capabilities
        checks:
          - id: AVD-KSV-0003
        severity: LOW
      - id: 5.2.11
        name: Minimize the admission of containers with capabilities assigned
        description: Do not generally permit containers with capabilities
        checks:
          - id: AVD-KSV-0103
        severity: MEDIUM
      - id: 5.2.12
        name: Minimize the admission of HostPath volumes
        description: Do not generally admit containers which make use of hostPath volumes
        checks:
          - id: AVD-KSV-0023
        severity: MEDIUM
      - id: 5.2.13
        name: Minimize the admission of containers which use HostPorts
        description: Do not generally permit containers which require the use of HostPorts
        checks:
          - id: AVD-KSV-0024
        severity: MEDIUM
      - id: 5.3.1
        name: Ensure that the CNI in use supports Network Policies (Manual)
        description: There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster
        severity: MEDIUM
      - id: 5.3.2
        name: Ensure that all Namespaces have Network Policies defined
        description: Use network policies to isolate traffic in your cluster network
        checks:
          - id: AVD-KSV-0038
        severity: MEDIUM
      - id: 5.4.1
        name: Prefer using secrets as files over secrets as environment variables (Manual)
        description: Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets
        severity: MEDIUM
      - id: 5.4.2
        name: Consider external secret storage (Manual)
        description: Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs
        severity: MEDIUM
      - id: 5.5.1
        name: Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
        description: Configure Image Provenance for your deployment
        severity: MEDIUM
      - id: 5.7.1
        name: Create administrative boundaries between resources using namespaces (Manual)
        description: Use namespaces to isolate your Kubernetes objects
        severity: MEDIUM
      - id: 5.7.2
        name: Ensure that the seccomp profile is set to docker/default in your pod definitions
        description: Enable docker/default seccomp profile in your pod definitions
        checks:
          - id: AVD-KSV-0104
        severity: MEDIUM
      - id: 5.7.3
        name: Apply Security Context to Your Pods and Containers
        description: Apply Security Context to Your Pods and Containers
        checks:
          - id: AVD-KSV-0021
          - id: AVD-KSV-0020
          - id: AVD-KSV-0005
          - id: AVD-KSV-0025
          - id: AVD-KSV-0104
          - id: AVD-KSV-0030
        severity: HIGH
      - id: 5.7.4
        name: The default namespace should not be used
        description: Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them
        checks:
          - id: AVD-KSV-0110
        severity: MEDIUM