infrastructure/clusters/cl01tl/manifests/trivy/ClusterComplianceReport-k8s-pss-restricted-0.1

127 lines
4.7 KiB
Groff

---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
# ClusterComplianceReport: trivy-operator evaluates the listed checks against the
# cluster on the cron schedule below and produces a summary report for the
# Kubernetes Pod Security Standards "Restricted" profile.
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  name: k8s-pss-restricted-0.1
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/version: 0.29.0
    app.kubernetes.io/managed-by: kubectl
spec:
  # Daily at 05:00; "summary" reports pass/fail counts per control rather than every finding.
  cron: "0 5 * * *"
  reportType: "summary"
  compliance:
    id: k8s-pss-restricted-0.1
    platform: k8s
    type: pss-restricted
    title: Kubernetes Pod Security Standards - Restricted
    description: Kubernetes Pod Security Standards - Restricted
    relatedResources:
      - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
    version: "0.1"
    # Each control maps one PSS requirement to the trivy check (AVD-KSV id) that detects violations of it.
    controls:
      - name: HostProcess
        description: Windows pods offer the ability to run HostProcess containers, which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy.
        id: "1"
        checks:
          - id: AVD-KSV-0103
        severity: HIGH
      - name: Host Namespaces
        description: Sharing the host namespaces must be disallowed.
        id: "2"
        checks:
          - id: AVD-KSV-0008
        severity: HIGH
      - name: Privileged Containers
        description: Privileged Pods disable most security mechanisms and must be disallowed.
        id: "3"
        checks:
          - id: AVD-KSV-0017
        severity: HIGH
      - name: Capabilities
        description: Adding additional capabilities beyond those listed below must be disallowed.
        id: "4"
        checks:
          - id: AVD-KSV-0022
        severity: MEDIUM
      - name: HostPath Volumes
        description: HostPath volumes must be forbidden.
        id: "5"
        checks:
          - id: AVD-KSV-0023
        severity: MEDIUM
      - name: Host Ports
        description: HostPorts should be disallowed, or at minimum restricted to a known list.
        id: "6"
        checks:
          - id: avd-ksv-0024
        severity: HIGH
      - name: AppArmor
        description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.
        id: "7"
        checks:
          - id: avd-ksv-0002
        severity: HIGH
      - name: SELinux
        description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.
        id: "8"
        checks:
          - id: avd-ksv-0025
        severity: MEDIUM
      - name: /proc Mount Type
        description: The default /proc masks are set up to reduce attack surface, and should be required.
        id: "9"
        checks:
          - id: avd-ksv-0027
        severity: MEDIUM
      - name: Seccomp
        description: Seccomp profile must not be explicitly set to Unconfined.
        id: "10"
        checks:
          - id: avd-ksv-0104
        severity: MEDIUM
      - name: Sysctls
        description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
        id: "11"
        checks:
          - id: avd-ksv-0026
        severity: MEDIUM
      - name: Volume Types
        description: The restricted policy only permits specific volume types.
        id: "12"
        checks:
          - id: avd-ksv-0028
        severity: LOW
      - name: Privilege Escalation
        description: Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.
        id: "13"
        checks:
          - id: avd-ksv-0001
        severity: MEDIUM
      - name: Running as Non-root
        description: Containers must be required to run as non-root users.
        id: "14"
        checks:
          - id: avd-ksv-0012
        severity: MEDIUM
      - name: Running as Non-root user
        description: Containers must not set runAsUser to 0.
        id: "15"
        checks:
          - id: avd-ksv-0105
        severity: LOW
      - name: Seccomp
        description: Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
        id: "16"
        checks:
          - id: avd-ksv-0030
        severity: LOW
      - name: Capabilities
        description: Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
        id: "17"
        checks:
          - id: avd-ksv-0106
        severity: LOW