https://github.com/armosec/kubescape

Control name and description:

1) Allow privilege escalation:
Attackers who gain access to a container may escalate its privileges (for example through setuid binaries or file capabilities) and obtain capabilities the container was not granted, unless securityContext.allowPrivilegeEscalation is set to false.

2) Allowed hostPath:
Mounting a host directory into the container can be abused to read sensitive data on the host and to gain persistence on the host machine.

3) Applications credentials in configuration files:
Attackers who have access to configuration files can steal the stored secrets and use them. Checks whether ConfigMaps or pod specifications carry sensitive information (credentials) in their configuration.

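The check described above, as an added example written for this page and not Kubescape's own rule: a scanner over ConfigMap data and inline container environment variables. The key-name and value-shape patterns, the object names and the sample values are this example's own assumptions; Kubescape ships its own configurable list of sensitive key names.

```python
import re

# Scanner for credentials left in plain configuration, i.e. ConfigMap data and
# inline container environment variables. Added example, not Kubescape's own rule.
# The key-name and value-shape patterns are this example's assumptions; Kubescape
# ships its own configurable list of sensitive key names.

# Key names that usually hold a credential.
SENSITIVE_KEY = re.compile(
    r"(passw(or)?d|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)
# Value shapes that are credentials regardless of what the key is called.
SENSITIVE_VALUE = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                    # AWS access key ID
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),                       # PEM private key
    re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),  # JWT
]


def looks_sensitive(key, value):
    """True if the key name or the value itself looks like a credential."""
    if SENSITIVE_KEY.search(key):
        return True
    return isinstance(value, str) and any(p.search(value) for p in SENSITIVE_VALUE)


def scan_configmap(cm):
    """Return "namespace/name:key" for each ConfigMap entry that looks like a credential."""
    meta = cm["metadata"]
    return [
        f"{meta['namespace']}/{meta['name']}:{key}"
        for key, value in cm.get("data", {}).items()
        if looks_sensitive(key, value)
    ]


def scan_pod_env(pod):
    """Return "namespace/pod:container:ENV" for inline env values that look like
    credentials. Entries that use valueFrom (secretKeyRef, configMapKeyRef) are
    references, not values stored in the pod spec, and are skipped; a referenced
    ConfigMap is caught by scan_configmap instead."""
    meta = pod["metadata"]
    spec = pod["spec"]
    hits = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            if "value" not in env:
                continue
            if looks_sensitive(env["name"], env["value"]):
                hits.append(f"{meta['namespace']}/{meta['name']}:{c['name']}:{env['name']}")
    return hits


# Constructed sample objects (not taken from any real cluster).
CONFIGMAP = {
    "metadata": {"name": "app-config", "namespace": "default"},
    "data": {
        "LOG_LEVEL": "info",
        "DB_PASSWORD": "hunter2",                  # flagged by key name
        "AWS_REGION": "eu-west-1",
        "BACKUP_KEY_ID": "AKIAIOSFODNN7EXAMPLE",   # flagged by value shape
    },
}
POD = {
    "metadata": {"name": "api-5d8c", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "example/api:1.0",
            "env": [
                {"name": "API_TOKEN", "value": "tok_4f1c9e"},   # inline secret: flagged
                {"name": "DB_PASSWORD",                            # Secret reference: skipped
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                {"name": "PORT", "value": "8080"},
            ],
        }],
    },
}

if __name__ == "__main__":
    for hit in scan_configmap(CONFIGMAP) + scan_pod_env(POD):
        print("credential in configuration:", hit)
```

The remediation the finding points at is visible in the sample pod: DB_PASSWORD is not flagged because it is a secretKeyRef, so the value lives in a Secret rather than in the pod spec or a ConfigMap.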
4) Automatic mapping of service account:
Potential attackers may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mounting of service account tokens (automountServiceAccountToken: false on the ServiceAccount or in the pod spec) and enable it only for pods that need to call the Kubernetes API.

5) CVE-2021-25741 - Using symlink for arbitrary host file system access:
A user may be able to create a container with subPath volume mounts to access files and directories outside of the volume, including on the host filesystem.
Affected Kubernetes versions: v1.22.0 - v1.22.1, v1.21.0 - v1.21.4, v1.20.0 - v1.20.10, and v1.19.14 and lower. The flaw is in the kubelet, so the node (kubelet) version is what matters when checking a cluster.

6) Cluster-admin binding:
Attackers who have cluster-admin permissions (can perform any action on any resource) can take advantage of their high privileges for malicious purposes. Determines which subjects have cluster-admin permissions.

7) Container hostPort:
Configuring hostPort binds the container to a particular port on the node's own network interface, exposing it outside the pod network. It also constrains scheduling: two workloads that specify the same hostPort cannot be deployed to the same node, and if the replica count of your workload is larger than the number of nodes in your Kubernetes cluster, the extra replicas cannot be scheduled.

8) Control plane hardening:
The Kubernetes control plane API is running with the non-secure (insecure, plain HTTP) port enabled, which allows attackers to gain unauthenticated, unprotected access to the cluster. On clusters whose kube-apiserver still supports it, disable it with --insecure-port=0; newer Kubernetes releases have removed the insecure port entirely.

9) Dangerous capabilities:
Giving dangerous and unnecessary capabilities to a container can increase the impact of a container compromise.

10) Exec into container:
Attackers who have the permission can run malicious commands in containers in the cluster using the exec command ("kubectl exec"). Determines which subjects have permissions to exec into containers (the create verb on the pods/exec subresource).

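Controls 6 and 10 both come down to resolving RBAC bindings to the subjects they grant. The following is an added example written for this page, not Kubescape's own rule code: it walks (Cluster)RoleBindings, looks up the referenced (Cluster)Role, and reports the subjects whose role is effectively cluster-admin or grants create on pods/exec. The role and binding objects are constructed sample data in the shape of the API objects (what `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns); their names are this example's assumptions.

```python
# Resolving which RBAC subjects hold cluster-admin rights and which can exec into
# pods, from (Cluster)Role and (Cluster)RoleBinding objects. Added example, not
# Kubescape's own rule code. Objects are Python dicts with the API shape.


def _resource_matches(rule_resource, resource, subresource):
    """RBAC resource matching: "*" matches everything, "pods/exec" matches that
    exact subresource, and "*/exec" matches the subresource on any resource."""
    if rule_resource == "*":
        return True
    if subresource is None:
        return rule_resource == resource
    return rule_resource in (f"{resource}/{subresource}", f"*/{subresource}")


def rule_grants(rule, api_group, resource, verb, subresource=None):
    """True if a single PolicyRule grants `verb` on `resource[/subresource]` in `api_group`."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    if "*" not in groups and api_group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    return any(_resource_matches(r, resource, subresource) for r in rule.get("resources", []))


def role_grants(role, api_group, resource, verb, subresource=None):
    return any(rule_grants(r, api_group, resource, verb, subresource) for r in role.get("rules", []))


def is_cluster_admin_role(role):
    """Any rule with "*" for apiGroups, resources and verbs is effectively cluster-admin."""
    return any(
        "*" in r.get("apiGroups", []) and "*" in r.get("resources", []) and "*" in r.get("verbs", [])
        for r in role.get("rules", [])
    )


def _referenced_role(roles, binding):
    ref = binding["roleRef"]
    if ref["kind"] == "Role":  # Roles are namespaced: the same name may exist in several namespaces
        return roles.get(("Role", binding["metadata"]["namespace"], ref["name"]))
    return roles.get(("ClusterRole", ref["name"]))


def bound_subjects(bindings, roles, predicate):
    """Subjects of every binding whose role satisfies `predicate`, as sorted
    (kind, name, scope) tuples. A ClusterRoleBinding grants cluster-wide; a
    RoleBinding limits the grant to its own namespace even when it references
    a ClusterRole such as cluster-admin."""
    found = set()
    for b in bindings:
        role = _referenced_role(roles, b)
        if role is None or not predicate(role):
            continue
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else "namespace:" + b["metadata"]["namespace"]
        for s in b.get("subjects", []):
            name = f"{s['namespace']}/{s['name']}" if "namespace" in s else s["name"]
            found.add((s["kind"], name, scope))
    return sorted(found)


def cluster_admin_subjects(bindings, roles):
    return bound_subjects(bindings, roles, is_cluster_admin_role)


def exec_subjects(bindings, roles):
    # `kubectl exec` needs the `create` verb on the `pods/exec` subresource in the core API group ("").
    return bound_subjects(bindings, roles, lambda r: role_grants(r, "", "pods", "create", "exec"))


# Constructed sample objects (not from a real cluster), keyed the way _referenced_role expects.
ROLES = {
    ("ClusterRole", "cluster-admin"): {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ("ClusterRole", "pod-exec"): {"rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    ("ClusterRole", "pod-reader"): {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debuggers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "debug-sa", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admin", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "carol"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-readers", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

if __name__ == "__main__":
    print("cluster-admin:", cluster_admin_subjects(BINDINGS, ROLES))
    print("pods/exec:    ", exec_subjects(BINDINGS, ROLES))
```

Two details worth noticing in the output: a cluster-admin subject always shows up in the exec list as well, since "*" on everything includes pods/exec, and carol's cluster-admin grant is reported as namespace-scoped because it comes through a RoleBinding in dev rather than a ClusterRoleBinding.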
11) Exposed dashboard:
If the Kubernetes Dashboard is exposed externally, Dashboard versions before 2.01 allow unauthenticated remote management of the cluster.

12) Host PID/IPC privileges:
Containers should be as isolated as possible from the host machine. Setting the hostPID or hostIPC field of the pod spec to true places the container in the host's process or IPC namespace, which may excessively expose the host to potentially malicious actions (a container in the host PID namespace can observe every process on the node, for example).

13) Immutable container filesystem:
A mutable container filesystem can be abused to inject malicious code and data into containers. Use an immutable (read-only) filesystem to limit potential attacks.

Deployment - nginx-deployment

Remediation: Set the filesystem of the container to read-only when possible (securityContext.readOnlyRootFilesystem: true). If the container's application needs to write into the filesystem, mount secondary filesystems (for example an emptyDir volume) for the specific directories where the application requires write access.

14) Ingress and Egress blocked:
By default, ingress and egress traffic should be denied for all pods, with explicit allow rules added only for the connections each workload needs.
Deployment - nginx-deployment
Remediation: Define a network policy that restricts ingress and egress connections (a default-deny policy with an empty podSelector and policyTypes Ingress and Egress, followed by narrower allow policies).

15) Insecure capabilities:
Giving insecure and unnecessary capabilities to a container can increase the impact of a container compromise.

16) Linux hardening:
Often, containers are given more privileges than actually needed. This behavior can increase the impact of a container compromise.
Deployment - nginx-deployment
Remediation: Make sure you define at least one Linux security hardening property out of AppArmor, Seccomp, SELinux or Capabilities (for example securityContext.seccompProfile.type: RuntimeDefault, or capabilities.drop: ["ALL"]).

17) Network policies: If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined. 

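Controls 14 and 17 are two different questions: whether a namespace has any NetworkPolicy at all, and whether its pods are actually denied by default. The following is an added example written for this page, not Kubescape's own rule; it answers both over NetworkPolicy objects given as dicts in the API shape (what `kubectl get networkpolicies -A -o json` returns). The namespaces and policies are constructed sample data.

```python
# Two checks for the two network-policy controls above: namespaces with no
# NetworkPolicy at all (control 17) and namespaces without a default-deny
# policy (control 14). Added example, not Kubescape's own rule. Policies are
# dicts with the API shape.


def namespaces_without_policies(namespaces, policies):
    """Namespaces in which not a single NetworkPolicy exists."""
    covered = {p["metadata"]["namespace"] for p in policies}
    return sorted(ns for ns in namespaces if ns not in covered)


def _selects_all_pods(spec):
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def denied_directions(policy):
    """Directions ("Ingress"/"Egress") that this one policy denies for every pod
    in its namespace. That requires an empty podSelector (all pods), the direction
    to be in policyTypes (Ingress is implied when policyTypes is absent, Egress
    only if an egress field exists), and no allow rules for that direction.
    Note that `ingress: [{}]` is a single rule that allows everything, so it is
    not a deny."""
    spec = policy["spec"]
    if not _selects_all_pods(spec):
        return set()
    types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
    return {t for t in types if not spec.get(t.lower())}


def missing_default_deny(namespaces, policies):
    """Map each namespace to the sorted directions that no policy denies by default.
    A namespace with only selective allow policies still shows up here: having
    a NetworkPolicy is not the same as having a default deny."""
    denied = {ns: set() for ns in namespaces}
    for p in policies:
        ns = p["metadata"]["namespace"]
        if ns in denied:
            denied[ns] |= denied_directions(p)
    return {ns: sorted({"Ingress", "Egress"} - d) for ns, d in denied.items()}


# Constructed sample data (not from a real cluster).
NAMESPACES = ["default", "dev", "prod", "staging"]
POLICIES = [
    {   # the canonical default-deny-all policy: the remediation for control 14
        "metadata": {"name": "default-deny-all", "namespace": "prod"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {   # ingress-only default deny: egress is still wide open
        "metadata": {"name": "default-deny-ingress", "namespace": "staging"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    },
    {   # a selective allow rule: "a policy exists" for control 17, but no default deny
        "metadata": {"name": "allow-frontend-to-api", "namespace": "dev"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "api"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}],
        },
    },
]

if __name__ == "__main__":
    print("no policy at all:", namespaces_without_policies(NAMESPACES, POLICIES))
    print("missing default deny:", missing_default_deny(NAMESPACES, POLICIES))
```

The dev namespace is the case to watch: it passes the "no network policies" check because one policy exists, yet every pod that the selective policy does not select is still reachable from anywhere, and nothing restricts egress.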
18) Non-root containers:
Potential attackers may gain access to a container and leverage its privileges to conduct an attack. Hence it is not recommended to deploy containers that run as root unless it is absolutely necessary (set securityContext.runAsNonRoot: true, or a non-zero runAsUser).

19) Privileged container:
Potential attackers may gain access to privileged containers and inherit access to the host resources (a privileged container gets all capabilities and access to host devices). Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary.

20) Resource policies:
CPU and memory resources should have a limit set for every container to prevent resource exhaustion.

21) hostNetwork access:
Potential attackers may gain access to a pod and inherit access to the entire host network. For example, on AWS they will have access to the entire VPC.

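The pod-level controls above (1, 2, 4, 7, 9, 12, 13, 15, 16, 18, 19, 20 and 21) all come down to fields of the pod template. The following is an added example written for this page, not Kubescape's own Rego rules: it checks those fields on a pod spec given as a Python dict with the same structure as the YAML, run over a deliberately weak spec and a hardened one, both constructed here rather than taken from any real cluster. The capability lists are assumptions, as is the decision to count capabilities as hardening only when they drop something. The checker treats an unset field as failing whenever the Kubernetes default is the permissive value, so it is stricter than the scorecard below, which passed nginx-deployment on several of these controls.

```python
# Pod-spec checks for the pod-level Kubescape controls described above, written
# as an added example (not Kubescape's own rules). Input is the pod template's
# `spec` as a Python dict, i.e. the same structure as the YAML manifest.
# AppArmor is configured through a pod annotation
# (container.apparmor.security.beta.kubernetes.io/<container>) outside the spec,
# so it is not checked here.

# Assumed capability lists for the two capability controls; Kubescape keeps its
# own (configurable) lists.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
INSECURE_CAPS = DANGEROUS_CAPS | {
    "NET_RAW", "SYS_RAWIO", "SYS_BOOT", "SETPCAP", "MAC_OVERRIDE", "MAC_ADMIN", "ALL",
}


def _has_limits(container):
    limits = container.get("resources", {}).get("limits", {})
    return bool(limits.get("cpu")) and bool(limits.get("memory"))


def _has_linux_hardening(sc):
    # Assumption: `capabilities` only counts as hardening when it drops something;
    # adding capabilities is the opposite of hardening.
    return bool(sc.get("seccompProfile") or sc.get("seLinuxOptions")
                or sc.get("capabilities", {}).get("drop"))


def check_pod_spec(spec):
    """Return the sorted names of the controls (as listed above) that `spec` fails.
    An unset field counts as failing whenever the Kubernetes default is the
    permissive value (e.g. allowPrivilegeEscalation defaults to true)."""
    failed = set()
    if spec.get("hostNetwork"):
        failed.add("hostNetwork access")
    if spec.get("hostPID") or spec.get("hostIPC"):
        failed.add("Host PID/IPC privileges")
    if spec.get("automountServiceAccountToken", True):
        failed.add("Automatic mapping of service account")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        failed.add("Allowed hostPath")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Container-level securityContext overrides the pod-level one field by field.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            failed.add("Privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            failed.add("Allow privilege escalation")
        if not sc.get("readOnlyRootFilesystem"):
            failed.add("Immutable container filesystem")
        if not (sc.get("runAsNonRoot") or sc.get("runAsUser") not in (None, 0)):
            failed.add("Non-root containers")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & DANGEROUS_CAPS:
            failed.add("Dangerous capabilities")
        if added & INSECURE_CAPS:
            failed.add("Insecure capabilities")
        if not _has_linux_hardening(sc):
            failed.add("Linux hardening")
        if not _has_limits(c):
            failed.add("Resource policies")
        if any("hostPort" in p for p in c.get("ports", [])):
            failed.add("Container hostPort")
    return sorted(failed)


# Constructed weak spec: every permissive setting at once (not the page's nginx-deployment).
WEAK_SPEC = {
    "hostNetwork": True,
    "hostPID": True,
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{
        "name": "app", "image": "nginx:1.25",
        "ports": [{"containerPort": 80, "hostPort": 8080}],
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        "volumeMounts": [{"name": "docker", "mountPath": "/var/run/docker.sock"}],
    }],
}

# Constructed hardened spec: the remediations above applied; writable paths go to an emptyDir.
HARDENED_SPEC = {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 101,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "cache", "emptyDir": {}}],
    "containers": [{
        "name": "app", "image": "nginx:1.25",
        "ports": [{"containerPort": 8080}],
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                      "requests": {"cpu": "100m", "memory": "128Mi"}},
        "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"}],
    }],
}

if __name__ == "__main__":
    print("weak spec fails:    ", check_pod_spec(WEAK_SPEC))
    print("hardened spec fails:", check_pod_spec(HARDENED_SPEC))
```

The hardened spec is the shape a practitioner would want to end up with: service account token off, seccomp at pod level, all capabilities dropped, read-only root with an emptyDir for the one directory nginx must write, non-root UID, and CPU/memory limits. Note that the weak spec fails "Allow privilege escalation" even though the field is never mentioned, because the Kubernetes default is true.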


Example of a scorecard:

+-----------------------------------------------------------------------+------------------+-------------------+---------------+-----------+
|                             CONTROL NAME                              | FAILED RESOURCES | WARNING RESOURCES | ALL RESOURCES | % SUCCESS |
+-----------------------------------------------------------------------+------------------+-------------------+---------------+-----------+
| Allow privilege escalation                                            | 0                | 0                 | 1             | 100%      |
| Allowed hostPath                                                      | 0                | 0                 | 1             | 100%      |
| Applications credentials in configuration files                       | 0                | 0                 | 1             | 100%      |
| Automatic mapping of service account                                  | 0                | 0                 | 0             | NaN       |
| CVE-2021-25741 - Using symlink for arbitrary host file system access. | 0                | 0                 | 1             | 100%      |
| Cluster-admin binding                                                 | 0                | 0                 | 0             | NaN       |
| Container hostPort                                                    | 0                | 0                 | 1             | 100%      |
| Control plane hardening                                               | 0                | 0                 | 1             | 100%      |
| Dangerous capabilities                                                | 0                | 0                 | 1             | 100%      |
| Exec into container                                                   | 0                | 0                 | 0             | NaN       |
| Exposed dashboard                                                     | 0                | 0                 | 1             | 100%      |
| Host PID/IPC privileges                                               | 0                | 0                 | 1             | 100%      |
| Immutable container filesystem                                        | 1                | 0                 | 1             | 0%        |
| Ingress and Egress blocked                                            | 1                | 0                 | 1             | 0%        |
| Insecure capabilities                                                 | 0                | 0                 | 1             | 100%      |
| Linux hardening                                                       | 1                | 0                 | 1             | 0%        |
| Network policies                                                      | 0                | 0                 | 0             | NaN       |
| Non-root containers                                                   | 0                | 0                 | 1             | 100%      |
| Privileged container                                                  | 0                | 0                 | 1             | 100%      |
| Resource policies                                                     | 0                | 0                 | 1             | 100%      |
| hostNetwork access                                                    | 0                | 0                 | 1             | 100%      |
+-----------------------------------------------------------------------+------------------+-------------------+---------------+-----------+
|                                  21                                   |        3         |         0         |      17       |    82%    |
+-----------------------------------------------------------------------+------------------+-------------------+---------------+-----------+
