infrastructure/clusters/cl01tl/manifests/trivy/ClusterComplianceReport-k8s-nsa-1.0


---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
#
# Rendered trivy-operator ClusterComplianceReport for the NSA/CISA
# Kubernetes Hardening Guidance v1.0. Each control maps one guidance item
# onto a trivy check ID (AVD-KSV-* for workload checks, AVD-KCV-* for
# control-plane/kubelet config checks) together with the severity the
# report assigns to a failing control. Controls marked "(Manual)" carry no
# automated check and set `defaultStatus: FAIL`; presumably they stay FAIL
# until reviewed by hand — confirm against the trivy-operator docs.
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  name: k8s-nsa-1.0
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    # Two dots, so this plain scalar parses as a string, not a float.
    app.kubernetes.io/version: 0.29.0
    app.kubernetes.io/managed-by: kubectl
spec:
  # Cron expression: the report is regenerated once a day at 05:00.
  cron: "0 5 * * *"
  reportType: "summary"
  compliance:
    id: k8s-nsa-1.0
    platform: k8s
    type: nsa
    title: National Security Agency - Kubernetes Hardening Guidance v1.0
    description: National Security Agency - Kubernetes Hardening Guidance
    relatedResources:
      - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
    version: "1.0"
    # Control IDs are quoted so "1.10" is not read as the float 1.1.
    controls:
      # --- Section 1: Pod security ---
      - name: Non-root containers
        description: Check that container is not running as root
        id: "1.0"
        checks:
          - id: AVD-KSV-0012
        severity: MEDIUM
      - name: Immutable container file systems
        description: Check that container root file system is immutable
        id: "1.1"
        checks:
          - id: AVD-KSV-0014
        severity: LOW
      - name: Preventing privileged containers
        description: Controls whether Pods can run privileged containers
        id: "1.2"
        checks:
          - id: AVD-KSV-0017
        severity: HIGH
      - name: Share containers process namespaces
        description: Controls whether containers can share process namespaces
        id: "1.3"
        checks:
          - id: AVD-KSV-0008
        severity: HIGH
      - name: Share host process namespaces
        description: Controls whether share host process namespaces
        id: "1.4"
        checks:
          - id: AVD-KSV-0009
        severity: HIGH
      - name: Use the host network
        description: Controls whether containers can use the host network
        id: "1.5"
        checks:
          - id: AVD-KSV-0010
        severity: HIGH
      - name: Run with root privileges or with root group membership
        description: Controls whether container applications can run with root privileges or with root group membership
        id: "1.6"
        checks:
          - id: AVD-KSV-0029
        severity: LOW
      - name: Restricts escalation to root privileges
        description: Control check restrictions escalation to root privileges
        id: "1.7"
        checks:
          - id: AVD-KSV-0001
        severity: MEDIUM
      - name: Sets the SELinux context of the container
        description: Control checks if pod sets the SELinux context of the container
        id: "1.8"
        checks:
          - id: AVD-KSV-0002
        severity: MEDIUM
      - name: Restrict a container's access to resources with AppArmor
        description: Control checks the restriction of containers access to resources with AppArmor
        id: "1.9"
        checks:
          - id: AVD-KSV-0030
        severity: MEDIUM
      # NOTE(review): AVD-KSV-0030 is referenced by both 1.9 (AppArmor) and
      # 1.10 (seccomp). The IDs come from the upstream chart as rendered —
      # verify against the trivy-operator spec before changing either one.
      - name: Sets the seccomp profile used to sandbox containers.
        description: Control checks the sets the seccomp profile used to sandbox containers
        id: "1.10"
        checks:
          - id: AVD-KSV-0030
        severity: LOW
      - name: Protecting Pod service account tokens
        description: "Control check whether disable secret token been mount ,automountServiceAccountToken: false"
        id: "1.11"
        checks:
          - id: AVD-KSV-0036
        severity: MEDIUM
      - name: Namespace kube-system should not be used by users
        description: Control check whether Namespace kube-system is not be used by users
        id: "1.12"
        defaultStatus: FAIL
        checks:
          - id: AVD-KSV-0037
        severity: MEDIUM
      # --- Section 2: Network separation ---
      - name: Pod and/or namespace Selectors usage
        description: Control check validate the pod and/or namespace Selectors usage
        id: "2.0"
        defaultStatus: FAIL
        checks:
          - id: AVD-KSV-0038
        severity: MEDIUM
      # --- Section 3: CNI (manual, no automated check) ---
      - name: Use CNI plugin that supports NetworkPolicy API (Manual)
        description: Control check whether check cni plugin installed
        id: "3.0"
        defaultStatus: FAIL
        severity: CRITICAL
      # --- Section 4: Resource policies ---
      - name: Use ResourceQuota policies to limit resources
        description: Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace
        id: "4.0"
        defaultStatus: FAIL
        checks:
          - id: AVD-KSV-0040
        severity: MEDIUM
      - name: Use LimitRange policies to limit resources
        description: Control check the use of LimitRange policy limit resource usage for namespaces or nodes
        id: "4.1"
        defaultStatus: FAIL
        checks:
          - id: AVD-KSV-0039
        severity: MEDIUM
      # --- Section 5: Control plane hardening ---
      - name: Control plan disable insecure port (Manual)
        description: Control check whether control plan disable insecure port
        id: "5.0"
        defaultStatus: FAIL
        severity: CRITICAL
      - name: Encrypt etcd communication
        description: Control check whether etcd communication is encrypted
        id: "5.1"
        checks:
          - id: AVD-KCV-0030
        severity: CRITICAL
      # --- Section 6: Kubeconfig and encryption at rest ---
      - name: Ensure kube config file permission (Manual)
        description: Control check whether kube config file permissions
        id: "6.0"
        defaultStatus: FAIL
        severity: CRITICAL
      - name: Check that encryption resource has been set
        description: Control checks whether encryption resource has been set
        id: "6.1"
        checks:
          - id: AVD-KCV-0029
        severity: CRITICAL
      - name: Check encryption provider
        description: Control checks whether encryption provider has been set
        id: "6.2"
        checks:
          - id: AVD-KCV-0004
        severity: CRITICAL
      # --- Section 7: Authentication and authorization ---
      - name: Make sure anonymous-auth is unset
        description: Control checks whether anonymous-auth is unset
        id: "7.0"
        checks:
          - id: AVD-KCV-0001
        severity: CRITICAL
      - name: Make sure -authorization-mode=RBAC
        description: Control check whether RBAC permission is in use
        id: "7.1"
        checks:
          - id: AVD-KCV-0008
        severity: CRITICAL
      # --- Section 8: Audit logging ---
      - name: Audit policy is configure (Manual)
        description: Control check whether audit policy is configure
        id: "8.0"
        defaultStatus: FAIL
        severity: HIGH
      - name: Audit log path is configure
        description: Control check whether audit log path is configure
        id: "8.1"
        checks:
          - id: AVD-KCV-0019
        severity: MEDIUM
      - name: Audit log aging
        description: Control check whether audit log aging is configure
        id: "8.2"
        checks:
          - id: AVD-KCV-0020
        severity: MEDIUM